Xneelo Users Targeted in a Multi-stage Phishing Attack

<div>
<div>
<div>
<div>
<div>
<p>Found in Environments Protected by: Mimecast</p>
<p>Author: Olwen Brangan</p>
<p>Cofense Phishing Defense Center</p>
<p>The Cofense Phishing Defense Center discovered a multi-stage phishing campaign targeting customers of Xneelo, a South African web hosting provider that supports over 500,000 customers. Xneelo offers customers two control panels for managing accounts: the Xneelo control panel and the older KonsoleH control panel. In this four-stage attack, threat actors attempted to obtain login details for the Xneelo control panel and Webmail credentials through a fake KonsoleH login page, as well as credit card information and SMS two-factor authentication (2FA) codes.</p>
<h2>Stage 1: Xneelo Credentials</h2>
<p>Initially, the user is presented with the email shown in Figure 1. Aspects of the email appear genuine: the spoofed email contains the Xneelo logo and Xneelo’s address and phone number. However, there are indicators at this stage that raise suspicion about the validity of this email. Of note is the generic greeting “Hello”, a tactic often used by threat actors, although not particularly unusual by itself.</p>
<p>Another red flag is the sense of urgency conveyed in the email. The user is strongly encouraged to click the ‘Pay Now’ button. Failure to do so could result in the termination of services and deletion of hard drive content, leading to a full loss of data as no backups are kept, according to the email. This message is reinforced with language such as “Please settle your account to avoid suspension of your service”, and “deactivate” and “immediate” in bold. Note that the payment due date is prior to the date of issue, implying an overdue payment and further enticing the recipient to act quickly, even though the requested amount due is R0.00.</p>
<p><img alt="Figure 1 – Email Body" height="1721" src="https://ep67mn3zn7v.exactdn.com/wp-content/uploads/2023/06/Figure1.png.WM.png?strip=all&amp;lossy=1&amp;resize=640%2C1076&amp;ssl=1" width="1024" /></p>
<p><em>Figure 1 – Email Body</em></p>
<p><img alt="Figure 2 – Fake Xneelo login page" height="663" src="https://ep67mn3zn7v.exactdn.com/wp-content/uploads/2023/06/Figure2.png.WM.png?strip=all&amp;lossy=1&amp;resize=640%2C561&amp;ssl=1" width="757" /></p>
<p><em>Figure 2 – Fake Xneelo login page</em></p>
<p>In Figure 2, we see that the “Pay Now” button redirects the user to<br />hXXps://postingbank[.]wpengine[.]com/sudd/ where the fake Xneelo login page is hosted. This login page presents a message about signing up, yet the ‘Sign Up’ button is missing. Visiting Xneelo’s real website (https://xneelo.co.za/) shows a similar page with an actual ‘Sign up’ button beside the ‘Log in’ button. The omission of buttons or other details is a red flag that this email and page are suspicious. Spelling errors such as “Pyament” instead of “Payment” in Figure 3 are also red flags.</p>
<h2>Stage 2: Credit Card Data</h2>
<p>Once the user enters their Xneelo login credentials, a page requesting credit card information is presented (Figures 3 and 4).</p>
<p><img alt="Figure 3 – Credit Card Information" height="663" src="https://ep67mn3zn7v.exactdn.com/wp-content/uploads/2023/06/Figure3.png.WM.png?strip=all&amp;lossy=1&amp;resize=640%2C561&amp;ssl=1" width="757" /></p>
<p><em>Figure 3 – Credit Card Information</em></p>
<p><img alt="Figure 4 – User Agreement" height="550" src="https://ep67mn3zn7v.exactdn.com/wp-content/uploads/2023/06/Figure4.png.WM.png?strip=all&amp;lossy=1&amp;resize=640%2C480&amp;ssl=1" width="734" /></p>
<p><em>Figure 4 – User Agreement</em></p>
<p>To appear genuine, a consent list is included containing information taken from the real Xneelo website: the debit order date is the first working day of each month, the reference shown on customers’ bank statements is MultiD, and Xneelo does charge a fee of R50.00 for failed debit orders.</p>
<h2>Stage 3: SMS</h2>
<p>Having provided the malicious actors with login credentials and credit card information, users are then asked to enter an SMS code to verify their identity and to click the ‘Activate my Domain’ button shown in Figure 5.</p>
<p>Phishing for 2FA codes is common. Threat actors use the stolen credentials to interact with the real website and prompt it to send an SMS code to the user. Once the user enters that code into the phishing website, the threat actors can use it to log in as the user.</p>
<p><img alt="Figure 5 – SMS" height="376" src="https://ep67mn3zn7v.exactdn.com/wp-content/uploads/2023/06/Figure5png.WM.png?strip=all&amp;lossy=1&amp;resize=640%2C327&amp;ssl=1" width="737" /></p>
<p><em>Figure 5 – SMS</em></p>
<h2>Stage 4: Webmail Credentials</h2>
<p>The fourth and final stage of this phishing campaign occurs when the user is directed to a webpage that spoofs the real KonsoleH webmail page (Figure 6).</p>
<p><img alt="Figure 6 – KonsoleH Webmail Login" height="578" src="https://ep67mn3zn7v.exactdn.com/wp-content/uploads/2023/06/Figure6.png.WM.png?strip=all&amp;lossy=1&amp;resize=640%2C510&amp;ssl=1" width="726" /></p>
<p><em>Figure 6 – KonsoleH Webmail Login</em></p>
<p>Once the user enters an email address and password and clicks the ‘Webmail Login’ button, the malicious actors obtain the user’s credentials. Access to webmail allows them to perform a variety of tasks, including importing or exporting email contacts, reading emails stored on the mail server, setting up an auto-responder via the manage mailbox option, accessing email from any internet-connected computer, and creating new accounts.</p>
<h3>Indicators of Compromise:</h3> </div>
</div>
</div>
</div>
</div>

<div>
<div>
<div>
<div>
<div>
<div>

<table>
<tr><th>Indicators of Compromise</th><th>IP</th></tr>
<tr><td>hXXps://postingbank[.]wpengine[.]com/sudd/</td><td>34.173.203.221</td></tr>
</table>
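A small detection helper, added here as an example and not part of the Cofense post: it refangs the two indicators listed above and scans proxy and firewall log lines for the phishing host (matching on the published path prefix, so unrelated paths on the same hosting platform are not flagged) and for the listed IP. The log lines are constructed samples; the field layout is an assumption.

```python
import re
from urllib.parse import urlparse

# Indicators quoted from the post, defanged exactly as published
IOCS_DEFANGED = [
    "hXXps://postingbank[.]wpengine[.]com/sudd/",
    "34.173.203.221",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hXXp, [.], [:]) back into its real form."""
    s = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("[/]", "/")

def build_watchlist(iocs):
    """Split indicators into {host: path_prefix} and a set of bare IPs."""
    hosts, ips = {}, set()
    for raw in iocs:
        ioc = refang(raw)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):
            ips.add(ioc)
        else:
            u = urlparse(ioc if "://" in ioc else "http://" + ioc)
            hosts[u.hostname.lower()] = u.path or "/"
    return hosts, ips

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def scan_logs(lines, iocs=IOCS_DEFANGED):
    """Return (line, reason) for each log line that touches a listed indicator."""
    hosts, ips = build_watchlist(iocs)
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            u = urlparse(url)
            host = (u.hostname or "").lower()
            if host in hosts and (u.path or "/").startswith(hosts[host]):
                hits.append((line, f"url host {host} path {hosts[host]}"))
                break
        else:  # no URL hit: fall back to matching bare IPs
            for ip in IP_RE.findall(line):
                if ip in ips:
                    hits.append((line, f"ip {ip}"))
                    break
    return hits

# Constructed sample lines (assumed format): a proxy hit on the phishing kit, a
# benign visit to the real Xneelo site, a firewall record of the listed IP, and
# a visit to a different path on the same hosting platform.
SAMPLE_LOGS = [
    "2023-06-05T09:12:01Z proxy user=alice GET https://postingbank.wpengine.com/sudd/index.php 200",
    "2023-06-05T09:13:44Z proxy user=bob GET https://xneelo.co.za/ 200",
    "2023-06-05T09:15:09Z fw allow src=10.0.0.7 dst=34.173.203.221 dport=443",
    "2023-06-05T09:16:30Z proxy user=carol GET https://postingbank.wpengine.com/other/ 200",
]
```

Only the first and third sample lines are reported; the benign Xneelo visit and the unrelated wpengine path are left alone.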

</div>
<p>The post <a href="https://cofense.com/blog/xneelo-users-targeted-in-a-multi-stage-phishing-attack/" rel="noreferrer" target="_blank">Xneelo Users Targeted in a Multi-stage Phishing Attack</a> appeared first on <a href="https://cofense.com" rel="noreferrer" target="_blank">Cofense</a>.</p>
