Rewterz Threat Alert – Phishing Campaigns Spoofing Pakistani Banks

Severity

Medium

Analysis Summary

• Multiple emails were reported by multiple bank employees, pretending to be coming from Dubai Islamic Bank. The sender email addresses were random and used multiple fake domains. The subject used was “DIBPAK Account Locked”. The email contains a malicious phishing URL that leads to a fake login page demanding an email address and password.

Upon closer analysis, we found that the phishing page did not demand validations. The URL was different from that of the legitimate site of Dubai Islamic Bank. Different fonts had been used, which are not detectable by unsuspecting victims.

• Some other spoofing emails sent to bank employees were detected, pretending to be coming from HBL. The sender email address is compromised and the domain belongs to a German University “Flensburg University of Applied Science”. The email subject used is “HBL Access Locked” and the URL attached in the email is also a compromised URL, detected as malicious on Virustotal. The URL leads to a phishing page asking for credentials and pin numbers. The email looks like this:

The fake login page asks for the following information:

Impact

• Credential Theft
• Financial loss

Indicators of Compromise

IP(s) / Hostname(s)

192[.]254[.]234[.]118

URLs

• hxxps[:]//webh24[.]it/uconfig/premier/legal/dpk/indx[.]html
• hxxps://chaneyarchitects[.]com/wp-content/upgrade/hbl/hbl[.]html

Email Address

• braas[@]hs-flensburg[.]de

Email Subject

• HBL Access Locked
• DIBPAK Account Locked

Remediation

• Block the threat indicators at their respective controls.
• Do not click on links attached in emails coming from untrusted sources.
• Do not enter information on login pages which you are redirected to, through untrusted links.
• Closely monitor emails with these subjects, if found.