Strolling through Cyberspace and Hunting for Phishing Sites

Published: 2023-04-26
Last Updated: 2023-04-26 04:06:30 UTC
by Yee Ching Tok (Version: 1)

From time to time, as my limited time permits, I explore the Internet and my DShield logs to see if I can uncover any interesting artifacts that suggest nefarious behaviour. I also take time-driven events such as tax filing into account when hunting. I recently discovered one such site masquerading as the Inland Revenue Authority of Singapore (IRAS) and observed some interesting points.

Firstly, let's look at the website's overall design and feel. Figure 1 below shows the screen capture of the website.


Figure 1: Screenshot of IRAS Phishing Site

The website would look legitimate to individuals unfamiliar with the official IRAS website, but it had some significant graphical differences from the official tax portal. Like the official portal, this website asks users to input their Singapore Personal Access (Singpass) credentials, which are used to access government and private services (such as banking) in Singapore. Most of the external links redirect to legitimate Singapore government websites. Notably, this particular site elected to use an outdated tax calculation spreadsheet (Year of Assessment 2021 vs the current Year of Assessment 2022) that was available on the legitimate IRAS website. Similar to a phishing site I analysed previously [1], the webpage checked for the existence of inputs and highlighted any input fields that were not filled in (see Figure 2).


Figure 2: Input Validation Check

Submitting any input to the website causes it to redirect to a separate page, index2.php, with parameters such as "gonna=&realip=" in the URL; the visitor's IP address is reflected in the "realip=" parameter. Inspecting the site's HTML code showed that most of it was copied from the original site. However, some of the .js files contained the additional French word "téléchargement" (fellow ISC handlers who speak French confirmed that it means "downloading").

Finally, I was curious about who owned the website and its origins. Checking the whois records yielded the following information (Figure 3):


Figure 3: Whois Records of Website

Checking the company records did not yield much information, and the original site did not appear to have anything special. The site may have been created for security awareness purposes or red teaming, or it may be an actual phishing site. At the time of this diary's publication, the website was still publicly accessible. Nevertheless, the site has been reported to the Singapore Computer Emergency Response Team (SingCERT) for further investigation.

Indicators of Compromise (IOCs):
hxxps://iras[.]nakadaniko[.]com[.]sg
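As an added example (not part of the original diary), the following Python script refangs the IOC above and scans proxy-log lines for two signals described in this diary: requests to the IOC domain, and the index2.php redirect carrying "gonna=&realip=" with a reflected IP. The log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Defanged IOC exactly as published in the diary above.
IOC_DEFANGED = "hxxps://iras[.]nakadaniko[.]com[.]sg"


def refang(value: str) -> str:
    """Turn a defanged URL back into a matchable form (hxxp -> http, [.] -> .)."""
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE).replace("[.]", ".")


IOC_HOST = urlsplit(refang(IOC_DEFANGED)).hostname  # iras.nakadaniko.com.sg

# Constructed sample proxy log lines (assumed format: timestamp client method url).
SAMPLE_LOG = """\
2023-04-25T09:12:01Z 10.0.0.5 GET https://www.iras.gov.sg/
2023-04-25T09:13:44Z 10.0.0.7 GET https://iras.nakadaniko.com.sg/index.html
2023-04-25T09:13:59Z 10.0.0.7 POST https://iras.nakadaniko.com.sg/index2.php?gonna=&realip=203.0.113.9
2023-04-25T09:20:10Z 10.0.0.9 GET https://example.org/index2.php?page=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")


def classify(url: str) -> list[str]:
    """Return the reasons a URL is suspicious; an empty list means no match."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == IOC_HOST or host.endswith("." + IOC_HOST):
        reasons.append("ioc-domain")
    # keep_blank_values so the empty "gonna=" parameter is still seen.
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/index2.php") and "gonna" in params and "realip" in params:
        reasons.append("index2-realip-redirect")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Scan log lines and return one hit per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        reasons = classify(m["url"])
        if not reasons:
            continue
        realip = parse_qs(urlsplit(m["url"]).query).get("realip", [None])[0]
        hits.append({"client": m["client"], "url": m["url"],
                     "reasons": reasons, "reflected_ip": realip})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], ",".join(hit["reasons"]), hit["reflected_ip"], hit["url"])
```

The reflected "realip=" value can differ from the proxy's client address when the victim is behind NAT, so both are kept in each hit.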

References:
[1] https://isc.sans.edu/diary/28870

-----------
Yee Ching Tok, Ph.D., ISC Handler

Keywords: phishing