BleepingComputer published a report regarding a phishing kit being hosted on an official Nigerian government website and other sites. Researchers identified a DHL phishing kit being hosted on the Nigerian National Assembly (NASS) website. It appears to be a landing page that users would be directed to via a phishing campaign.
While investigating the phishing kit, multiple websites hosting the same malicious page were identified. Some of these are legitimate sites that have been compromised to host the kit, while others appear to have been registered specifically for the purpose of phishing users.
MalwareHunterTeam, while looking further into the NASS domain, found that the DHL phishing kit was just one of many malicious pages that have been hosted on the domain in the past. If a user falls victim to the phishing attempt, their credentials are sent to the attacker, and an error message claims that their credentials are incorrect. Attackers are likely selling the obtained credentials on underground forums to turn a profit.
Although the scammers did a poor job impersonating the original DHL website, plenty of victims are likely to fall for the trick.
DHL phishing on Nigerian National Assembly’s website: https://nass.[gov].ng/fonts/wp/D2017HL/u.php
It’s there for at least more than 2 weeks now, but looking at VT shows there were other phishing pages on this site before…
cc @nassnigeria pic.twitter.com/ztihB4V9lr
— MalwareHunterTeam (@malwrhunterteam) 29 March 2019
Indicators of Compromise
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.