Attackers breached a webserver hosted on the Telkom network and used it to host a phishing site made to look like the login page for Citibank in the US.
The server in question hosts 784 domains, according to DNSlytics. The domain hijacked for the phishing site is naphotography.co.za.
Visiting the domain results in a warning from your web browser, though the site’s home page gives no indication that it has been hijacked by phishers. It looks like a simple profile for a photographer.
URLScan.io confirms the domain has been compromised, pointing to a specific page that is being used for phishing. The page the phishers are actually using to harvest information from victims is called “Confirm.html”.
Harvesting private information by tricking people
Phishing is where attackers try to trick you into giving up your personal information — usually details like your usernames, passwords, and PIN codes.
The attackers then use this information to hack into your accounts, often with the aim of stealing money from your bank account.
If you give up your login credentials and banking PINs on phishing sites and your bank account then gets hacked, your bank will not take responsibility for the loss.
Hosted by Telkom
A lookup of naphotography.co.za reveals that it is hosted on a server with the IP address 126.96.36.199. The IP address belongs to Telkom.
This appears to be a shared hosting server used by several other domains, including netcare911.co.za, tfmc.co.za, and telkombusinessblog.co.za.
It should be noted that Netcare 911’s actual website is not hosted on this server. The Netcare 911 website is at www.netcare911.co.za. Netcare just doesn’t seem to be properly redirecting its bare domain (netcare911.co.za).
Artists Against 419 reported on Twitter that attempts to contact Telkom about the phishing site had failed.
“I tried calling the provider, but they were not helpful,” a security researcher told the organisation.
Attempts to report the attack site to the National Cybersecurity Hub also failed.
@TelkomZA Please explain why this stays up despite your being alerted? hXXp://naphotography[.]co[.]za/83d2/journal/citi/ #phishing
"I tried calling the provider, but they were not helpful." Shameful! Wake up! 188.8.131.52=TelkomZA@mybroadband @apwg @SAPoliceService
— Artists Against 419 (@aa419) October 3, 2019
Following MyBroadband’s query, Telkom said it investigated the issue and found that the attack pages were inserted on 3 October in a separate folder on its customer’s site.
“Our Technical team went on to delete the offending folder and webpages. They have further changed the password of the customer’s control panel used to manage the site and will engage the customer to provide new customers details. The main site is fine and shows no issues,” Telkom said.
It said that the attackers probably just brute-forced the website owner’s password, which allowed them to upload the phishing pages to the client’s website.
The webserver itself was not compromised, which means the other domains on it are as safe as the passwords Telkom’s clients set for them.
When asked where security researchers should report problems they find on Telkom’s network, the company said to use its [email protected] e-mail address, or call its contact centre.
Department of Communications — No comment
MyBroadband contacted the Department of Communications for comment regarding the problems with reporting security issues to the National Cybersecurity Hub. The department did not respond by the time of publication.