Strolling through Cyberspace and Hunting for Phishing Sites
From time to time, as much as my limited time permits, I explore the Internet and my DShield logs to see if I can uncover any interesting artifacts that suggest nefarious behaviour. Time-driven events such as tax filing season also factor into such hunting activities. I recently discovered one such site masquerading as the Inland Revenue Authority of Singapore (IRAS) and observed some interesting points.
Firstly, let's look at the website's overall design and feel. Figure 1 below shows the screen capture of the website.
Figure 1: Screenshot of IRAS Phishing Site
The website would look legitimate to individuals unfamiliar with the official IRAS website, but it had some significant graphical differences from the official tax portal. This website, too, asks users to input their Singapore Personal Access (Singpass) credentials, the national credentials used to access government and private services (such as banking) in Singapore. Most of the external links redirect to legitimate Singapore government websites. Notably, this particular site elected to use an outdated tax calculation spreadsheet (Year of Assessment 2021 rather than the current Year of Assessment 2022) that was available on the legitimate IRAS website. Similar to a phishing site I analysed previously [1], the webpage checked for the existence of inputs and would highlight any input fields that were not filled in (see Figure 2).
Figure 2: Input Validation Check
Submitting any input to the website causes the site to redirect to a separate page, index2.php, with parameters such as "gonna=&realip=" in the URL and the visitor's IP address reflected in the "realip=" parameter. On checking the site's HTML code, it was interesting to note that most of it was copied from the original site. However, some of the .js files contained the additional French word "téléchargement" (after consulting fellow ISC handlers who speak French, it means "downloading").
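The redirect pattern described above (a POST to index2.php carrying empty "gonna" and IP-reflecting "realip" parameters) is a usable hunting signature for web proxy logs. The following Python is an added example, not code from the diary: the log format, hostnames and addresses are constructed, and the hostnames are not the diary's indicator.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not real traffic): "<client_ip> <method> <url>".
# Hostnames are placeholders under .test, not the indicator from the diary.
SAMPLE_LOG = """\
10.0.0.5 GET https://iras.example-phish.test/index.php
10.0.0.5 POST https://iras.example-phish.test/index2.php?gonna=&realip=203.0.113.7
10.0.0.9 GET https://www.iras.gov.sg/taxes/individual-income-tax
10.0.0.12 GET https://cdn.example.test/index2.php?gonna=&realip=10.0.0.12
"""

def parse_line(line):
    """Split one constructed log line into client IP, method, host, path and query."""
    client_ip, method, url = line.split(maxsplit=2)
    parts = urlsplit(url)
    return {"client_ip": client_ip, "method": method, "host": parts.netloc,
            "path": parts.path,
            # keep_blank_values keeps "gonna=" (empty) as a present parameter
            "query": parse_qs(parts.query, keep_blank_values=True)}

def matches_kit(rec):
    """The kit's redirect: a request for index2.php carrying both
    'gonna' and 'realip' query parameters, regardless of their values."""
    return rec["path"].endswith("/index2.php") and {"gonna", "realip"} <= set(rec["query"])

def defang(host):
    """Defang a hostname for safe reporting, as in the diary's IOC list."""
    return host.replace(".", "[.]")

def hunt(log_text):
    """Return one finding per log line that matches the kit's redirect pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if matches_kit(rec):
            realip = rec["query"]["realip"][0]
            hits.append({
                "host": defang(rec["host"]),
                "realip": realip,
                # Behind NAT the kit reflects the egress address, not the internal
                # client IP, so this flag is informational: match on the parameter
                # pattern, not on the reflected value.
                "realip_is_client": realip == rec["client_ip"],
            })
    return hits
```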
Finally, I was curious about who owned the website and its origins. Checking the whois records yielded the following information (Figure 3):
Figure 3: Whois Records of Website
Checking the company records did not yield much information, and the original site did not appear to have anything special. The site may have been created for security awareness purposes or red teaming, or it may be an actual phishing site. At the time of this diary's publication, the website was still publicly accessible. Nevertheless, the site has been reported to the Singapore Computer Emergency Response Team (SingCERT) for further investigation.
Indicators of Compromise (IOCs):
hxxps://iras[.]nakadaniko[.]com[.]sg
References:
[1] https://isc.sans.edu/diary/28870
-----------
Yee Ching Tok, Ph.D., ISC Handler