After yesterday’s post that opened our 2024 Cyber Smart Week series, it only seems fitting to continue with something that many New Zealanders will be familiar with.
Since at least late-2019, the most prominent phishing template that we have regularly seen has been car registration renewals that leverage the brand of Waka Kotahi NZ Transport Agency. Seen being distributed both through email and SMS, the numerous and frequently rampant campaigns have been reported by hundreds of thousands of New Zealanders – some of whom have fallen victim and lost life savings to them.
For such a long-lived and widely distributed lure to remain viable, it has been updated over time, keeping it relevant and introducing improvements to the underlying phishing kit. In this post we’ll look at the evolution of the NZTA registration phish and analyse a recent campaign.
Historic Templates
While the approach of the email templates has not changed, some of the minor details of them have. For example:
- Shift from “NZ Transport Agency”, to “Waka Kotahi NZ Transport Agency” (2022), to “NZ Transport Agency Waka Kotahi” (2024).
- Inclusion of logos and official brand colours.
- Slight changes in layout and design, including columns and link buttons.
The design and functionality of the phishing kit itself has remained largely unchanged, only seeing minor changes such as different log output options.
Samples
December 2021:
February 2022:
April 2023:
September 2023:
January 2024:
Campaign Analysis
Identified on 20th October 2024, the following campaign was received by several users at a customer. Thankfully, there were no victims, and we were afforded the opportunity to analyse it.
The User Experience
The email template is very similar to the one first seen in January. No images are embedded, and text formatting is used to resemble the logo. Despite what the text says, all links go to the same place:
Clicking the link opens the default browser to the phishing kit, hosted in a subdirectory of a compromised website:
After entering a plate number and selecting the renewal period, the user is presented with accurate details of the vehicle:
Following the table is a summary of the renewal cost, and an option to proceed to payment or cancel. A detail to note here is that the page is dated 2021, where the legitimate page is current:
Should the user choose to proceed, they’re presented with a standard payment form:
Obviously, submission of credit card data would be captured in a log or sent to an external service like Telegram.
A spinning padlock icon sits on the loading page for a moment:
Before finally landing on a 3DS page specific to the card issuer, which requests additional information to help the operators navigate potential challenges encountered when abusing the submitted card:
Inside the Kit
Due to a lapse in operational security by the kit operator, we were able to access all server-side artifacts.
At the root of the deployment directory is an .htaccess file, used to rewrite friendly paths to specific files (e.g., VehicleLicenceEntry/ loads transact.php), and geofence the kit to NZ residential and commercial IP addresses:
Foreign visitors are presented with a 403 HTTP response (access denied), as are most NZ VPN nodes.
Core to the kit is its configuration, which defines the parameters for logging submissions. In this case, it’s a Telegram bot key and several channel ID’s:
While the config can also be used to constrain visitors by geolocation, the .htaccess file already addresses this with a more sledgehammer approach.
Submissions to the page are posted to “post/step1.php”, which drops a notification in the “BOT_CHAT_LOG” channel:
The script also invokes the “get_plate_info” function found in functions.php, which makes a call out to NZTA’s “Tolling Online” API to retrieve the vehicle details for the submitted plate:
If the results of both the Telegram submission and plate request are successful, the user is directed to the “VehicleInformation” (step2.php) page. This page renders the serialized result of the “get_plate_info” response and links the user to “PaymentGateway” (pay.php).
A trap for adventurous admins and analysts, the payment page first logs the IP of all visitors to a local file, “cc-visit.txt”:
jQuery validation libraries validate form input and, if valid, permit postback. Based on the residual ASP.NET element names and properties, it is quite apparent that the page was constructed using a clone of the source:
Like “post/step1.php”, “post/step2.php” also posts the form data to a Telegram channel:
The function “is_local_bin” is called to validate the first 6 digits of the card number (the Bank Identification Number/BIN) indicate that the card was issued by a New Zealand bank:
This relies on a web service, lookup[.]binlist[.]net:
Following successful validation of the bin and submission to Telegram, the bank name and card type are stored as session variables, and the user is redirected to the “loading” (payment_loading.php) page. This first queries the kit config for the appropriate time to wait:
Then redirects to the 3DS capture for the card issuer:
The kit is bundled with templates for the main New Zealand banks:
Looking at Kiwibank as an example, all the images necessary to emulate a Kiwibank 3DS request are included:
These brand a page that collects the access number, date of birth and phone number of the user – as seen above:
The collected information varies between banks.
Response Options
- Help staff keep up to date with the latest NZTA scams. New Zealand news sites such as Stuff also tend to relay any media releases that NZTA and other government agencies publish about scams that affect them.
- More broadly, there is no single best resource for emerging phishing. While a lot is kept within cybersecurity trust groups, X/Twitter can still be a great resource using a list like this one that I maintain.
- Feel welcome to share some of the samples that have been provided in this blog post. Ensure you’ve set up a reporting function within your organisation and share new observations with your staff. Reward those who take the time to report phishing to you.
- Promote awareness of DIA and CERT NZ reporting options. Remember:
COMMENTS