Credential Harvesting – Standard Bank UCount Rewards Attack
Over the past week we have seen increased Phishing attempts that look as real as ever. The J2 Cyber Security Centre team had countless requests to release these attachments. This was because the users were expecting these statements as they usually receive them around this time of the month.
In order to make sure that you do not become a victim we can provide further analysis of this attempt. The attack starts with an email showing you a statement summary of “rewards” pretending to be from Standard Bank.
The email contains an attachment which simulates a PDF statement. When the unsuspecting user opens the attachment, they are presented with a website that is a clone of the official Standard Bank website. This site says that the current rewards program website will be discontinued and the user must log in to make use of the new Bank Reward website.
If you followed these steps you would have landed up sending sensitive Card Number, PIN and password to the attacker, which could be sold in cyber underground market places or used to steal from your bank accounts.
The email attacks came from multiple sources and have different headers. This means that you won’t be able to blacklist just 1 sender/ IP. You need to ensure that your organisation is using a modern security platform with Targeted Threat Protection, such as Mimecast and compliment this with effective monitoring and User Awareness Training – all of which is required on an ongoing basis.
A Few Technical Recommendations
- Make sure you are inspecting and Validating SPF records of senders and make sure if they don’t validate make sure it blocked.
- When Whitelisting bank domain, we know it can be frustrating, but I would advise to make sure you whitelist correctly and not just trust the banks domain to send through emails. The best practice to prevent the domain from bypassing critical inbounds checks would be to create a strict policy to verify the senders mail servers and allow only those mail servers to be whitelisted on that domains policy.
- If you not sure what the sending servers are, a good start would be to check the SPF record as these show the authorized outbound servers.
Findings and further reading
- Analysing a SPF fail check.
If you have fallen for this, do not be embarrassed – this is the attackers full time job. Make sure you change all your login details also feel free to get in touch with us for more information and assistance.
Would your mail Security Provider have caught this?
- Hits: 279