Hackers Employ the Telkom Network to Set up a Fake Citibank Website to Extract Login Data

Citibank Phishing Campaign

Last week, South African IT news outlet MyBroadband was alerted of a compromised website that was stealing login credentials from Citibank customers. The website's domain is naphotography[.]co[.]za, and it's owned by a photographer who apparently used a weak password for their hosting account.

After correctly guessing the login credentials, the hackers uploaded a phishing page that looked identical to Citibank's legitimate login form, and although the report doesn't say how victims were lured into giving away their usernames and passwords, we can presume that the crooks most likely used convincing-looking emails. Unfortunately, there's no information on how many people fell for the scam or what sort of damage (if any) has been done. On the bright side, the attack has now been reported, and thanks to Google's Safe Browsing blacklist service, most popular browsers won't even let you visit the breached website.

The unfortunate photographer is now facing the arduous task of removing the malicious page, de-listing their domain from the blacklists, and regaining some SEO positions which are inevitably lost in the aftermath of such an incident. Hopefully, all this hardship will teach them to be a bit more careful when picking their passwords next time.

Telkom with disappointingly slow reactions

Obviously, the aforementioned website's owner should take most of the blame for leaving themselves vulnerable to what has been reported in the media as a brute-force attack. That being said, when a phishing campaign is discovered, and especially when a compromised website is involved, there are other parties that also need to act. And this time, they simply didn't act quickly enough.

Immediately after discovering the malicious login page, researchers checked out the whois data for the breached website, and they found out that it was hosted on a server owned by Telkom. Telkom is one of Africa's biggest telecommunication providers. It was founded 28 years ago, and it's now operating in close to 40 African countries.

In other words, this is not a small hosting provider that is run out of a garage by a couple of aspirational teenagers. It's a large enterprise that should have the knowledge and resources to react appropriately to abuse complaints, especially when people's privacy and security are at stake.

People did try to get in touch with Telkom and have the hosting provider take the phishing page down, but the employees on the other end of the line were described as "not helpful". On October 3, an organization principally set up to find and report advanced fee scams called Artists Against 419 tweeted about the attack, and the malicious login form was finally brought down, but to say that people are disappointed with the lack of urgency demonstrated by Telkom would be an understatement.

Further investigation revealed that the photographer's portfolio was hosted on a shared server alongside hundreds of other websites. When the first reports came flooding in, nobody knew how the hackers had managed to get in or what sort of access they had. In the end, the damage for other Telkom customers and users was limited, but it could have been much worse, especially in light of the company's slow reactions.

Here's hoping that the South African telecommunication provider will also learn its lessons.

October 9, 2019

Leave a Reply