
Ironically, Phishing Kit Hosted on Nigerian Government Site

No replies to this topic

#1 Scorpion

    Advanced Member

  • Administrators
  • 96 posts
  • Location: ScorpionsMaze

Posted 30 March 2019 - 06:06 PM

Those who remember earlier days of the internet are familiar with the “Nigerian Prince letter,” also known as the 419 scam. While that fraud typically runs from personal email accounts, another one uses an official Nigerian government website to host a phishing page for the DHL international courier service.

Nigeria has a large culture of fraud, which is defined in the country's criminal code at number '419,' under "Chapter 38: Obtaining Property by false pretenses; Cheating," but this is ridiculous.

For over two weeks, the Nigerian National Assembly (NASS) site has been serving a fraudulent page that asks for DHL account credentials. This is just a landing location, most likely pushed through spam.

The phishing resource is "u.php" and it is present on multiple legitimate websites that have been hacked to host it as well as on domains that look like they've been registered specifically for DHL phishing purposes.

Below is a short list of the websites we found hosting the same DHL phishing page present on the Nigerian official website. The last two look like legitimate websites that have been compromised to include the malicious kit.

At the moment of writing, loading most of them triggered the "Deceptive site" warning in Chrome and Firefox, but not all of them have been indexed as unsafe, yet.

Security researcher MalwareHunterTeam found the phishing page on the NASS website and noticed a history of malicious URLs available on the official domain.

DHL phishing on Nigerian National Assembly's website: https://nass.[gov].ng/fonts/wp/D2017HL/u.php
It's there for at least more than 2 weeks now, but looking at VT shows there were other phishing pages on this site before...
cc @nassnigeria pic.twitter.com/ztihB4V9lr

— MalwareHunterTeam (@malwrhunterteam) March 29, 2019

MalwareHunterTeam says that the kit is an old one that dates back to at least June 2017 and is present on hundreds of websites. Some of the URLs no longer resolve, while others managed to escape detection by the anti-phishing protection in web browsers.

This is a years old phishing kit (least 2017 June), used by countless actors, countless times.
For example, @urlscanio alone has 657 submissions until now that loads the exact same picture that is used by this kit: https://t.co/ig9BGdFfXb pic.twitter.com/qBZ3WzzmpS

— MalwareHunterTeam (@malwrhunterteam) March 30, 2019

Although the scammers did a poor job impersonating the original DHL website, plenty of victims are likely to fall for the trick. A "Norton Secured" stamp is visible next to the DHL logo, there is a world clock showing the local time, an IP checker, and official imagery to inspire trust.

However, the web address, the absence of any links on the page, and the outdated footer copyright text should be clear signs of a scam.

The only fields present on the page are for entering the login data for the DHL account, which are sent to the fraudster while an error message pops up informing the user that the password may be incorrect.

No matter how many times credentials are submitted, there's the same outcome. Once they get them, cybercriminals can sell them on underground forums for as little as $10 apiece.

UPDATE: The article has been updated to include new information from MalwareHunterTeam and clarify that not all the websites on the short list we provided were registered specifically for phishing purposes.
