Know thy enemies’ current techniques and ye shalt be more vigilant against evolving phishing tactics and tricks …
Throughout 2022, scammers masqueraded as postal service or telco representatives to lure victims in Singapore into divulging login credentials and bank account details.
Phishing emails typically centered around billing, package delivery or user account issues that created a sense of urgency but actually contained links to spoofed login pages and fraudulent websites.
Most of the phishing campaigns imitating Singapore Post used dedicated phishing domains. By investigating newly registered domains that include targeted words like “singapore,” “singpost,” or “sgp” and generic words such as “update”, “track”, and “post”.
The general public in Asia can gain a deeper understanding of phishing and thereby become more vigilant by understanding how the techniques worked so well in Singapore. used Here’s a breakdown of the phishing campaigns targeting Singapore Post.
Technique 1: Faux package delivery
Phishing domains were created regularly to use words spelled similarly to “singpost” to dupe potential victims.
For this campaign, users would encounter a landing page that claimed a package delivery had been suspended. They would then be asked to enter their name, full address, and phone number. Upon submission, the victim was directed to a second page asking for credit card details.
One interesting aspect about this particular phishing technique is that all the information collecting code is embedded within Javascript and contained a variable named “webpackChunkaupost”. It is suspected that the phishing kit used may also target Australia Post. WebpackChunk refers to a code-splitting function in the nodeJS Library Webpack; aupost would be Australia Post.
This multi-target behavior has been seen in some phishing threat actors concurrently targeting other national postal services.
Technique 2: Anti-analysis capabilities
The second phishing campaign method targeting Singapore Post can be found on IP 109.206.241[.]143, hosted by the US-based Delis LLC. The phishing sites have been hosted at this IP address since August 2022, with new ones still being added as of November 2022. In total, over 120 phishing domains have been hosted at this address, and based on collected data, Australia Post is also being targeted by this particular threat actor.
One interesting aspect of this campaign is the anti-analysis technique used. Each phishing link has the form of %phishing_domain%/e/authID=%random_letters%/, with the random letters specific to each phishing site. An error message is returned by the phishing site without a valid authID, preventing analysis of the phishing sites even when found, unless a valid link is available.
Technique 3: Anti-phishing measures
The third technique in phishing campaigns targeted at Singapore residents involves a single phishing site targeting Singapore Post, the German DKB bank, and the German Post Bank.
The purpose of the site is to trick victims into entering their credit card information. The initial landing page asks for delivery fees. But when victims enter their credit card information, a brief loading animation is followed by a page asking for a one-time password. Since a phone number was never entered, the victim will not have received an SMS message, and any value submitted to the OTP code box will return an incorrect code error.
An interesting feature of this campaign is that scammers have one site where newly registered domains are redirected to. This is different from the usual case where individual phishing sites are independent of each other. All of the redirector sites seen are hosted on 172.106.177[.]48 at a Linode LLC data center in Australia.
It is impossible to know exactly why the threat actors structured the campaign this way. We theorize that they are counting on the fact that the landing site is a shared web resource on a hosting service so it is not likely to be blocked by automated systems. Currently, only a fraction of anti-phishing systems classify this phishing site as malicious even though it has been ‘live’ for some time. The newly registered domains bypass any scanners or filters that may have blocked the older domains.
The domains redirecting to the phishing site act as a filter. Only “genuine” requests (that is, requests that actually contain the correct URL for the phishing site) will be directed to a malicious URL. All other requests are redirected to a legitimate domain such as Google or a banking site. This is likely intended to slow down discovery and analysis of the campaign.
Characteristics of Singtel phishing scams
Unlike Singapore Post phishing sites that use newly registered domains, currently active Singtel phishing campaigns use compromised WordPress domains.
Similar to the real Singtel websites, the fake login page has tabs for the firm’s login system for customers; and Singpass, the national identity system mobile app. However, the fake site pretends that it cannot generate a proper QR code, which is the quickest method by which customers can log in. Instead, an error message is displayed, prompting the user to use “other methods” to log in, specifically, using the genuine-looking login page that is offered onscreen.
When users enter their login credentials, they are presented with a second page asking for their credit or debit card info. Once card info has been submitted, a non-working dialog box for SMS verification appears, even in the case of login with an email address.
Readers in Singapore and in the region in general are reminded neither Singapore Post nor Singtel nor any legitimate service in the region will ever ask you for credit card or banking information through an email.
Rather than clicking on links from less trustworthy sources such as email and SMS, always visit a provider’s official website to verify urgent information or to log in.
