Throughout 2022, threat actors have been masquerading as the postal service Singapore Post (SingPost) and Singtel, one of Singapore’s leading telecommunications companies. Victims are being targeted by phishing emails that appear to be from Singapore Post or Singtel. In these emails, users were sent messages informing them of fake billing issues or outstanding payments with links to fraudulent websites that asked for their personal information.

In Asia, The Cyber Security Agency of Singapore reported about 47,000 unique Singapore-hosted phishing URLs (with a “.SG” domain) were observed in 2020, a slight decrease of 1% compared to 47,500 URLs seen in 2019. Globally, 2020 saw a surge in COVID-19-related phishing campaigns.

In Singapore, the overall volume of malicious phishing URLs remained comparable to the figures seen in 2019. COVID-19 themes very likely accounted for over 4,700 of malicious URLs spoofing local entities and services that were in greater demand during Singapore’s circuit breaker period, which included online retail and payment portals.

A breakdown of the Singapore Post phishing campaigns

Most of the phishing campaigns imitating Singapore Post use dedicated phishing domains. By investigating newly registered domains that include targeted words like “singapore,” “singpost,” or “sgp,” I was able to identify infrastructure and additional phishing domains. As part of this pivot, I also found generic words, such as “update,” “track,” and “post,” also being used in other domains.

Here’s a breakdown of the phishing campaigns targeting Singapore Post.

• First campaign: Faux package delivery
  The first campaign appeared around mid-October and is hosted on Singaporean ISP Nexus Bytes at IP 139.64.239[.]108. New domains, which all use words spelled similarly to “singpost,” have been added regularly since then.
  
  For this campaign, users will encounter a landing page that claims a package delivery has been suspended. They will then be asked to enter their name, full address, and phone number. Upon submission, the victim is taken to a second page that asks them to share their credit card details.
  
  One interesting aspect about this particular phishing site is that all the information-collecting code is embedded within Javascript, where I found a variable named “webpackChunkaupost.” I suspect that the phishing kit may also target Australia Post. WebpackChunk refers to a code-splitting function in the nodeJS Library Webpack; “aupost” would be Australia Post. This multi-target behaviour is seen in some phishing threat actors who would concurrently target other national postal services such as the United States Postal Service and the Australia Post.
  
• Second campaign: Anti-analysis capabilities
  The second campaign targeting Singapore Post can be found on IP 109.206.241[.]143, hosted by the US-based Delis LLC. The phishing sites have been hosted at this IP address since August 2022, with new ones still being added as of November 2022. In total, over 120 phishing domains have been hosted at this address, and based on collected data, Australia Post is also being targeted by this particular threat actor.
  
  One interesting aspect of this campaign is the anti-analysis technique used. Each phishing link has the form of %phishing_domain%/e/authID=%random_letters%/, with the random letters specific to each phishing site. An error message is returned by the phishing site without a valid authID, preventing analysis of the phishing sites even when found unless a valid link is available.
  
• Third campaign: Imitating SingPost and German banks
  The third campaign resides on a single phishing site targeting Singapore Post, the German DKB bank, and the German Post Bank. The purpose of the site is to trick victims into entering their credit card information.
  
  The initial landing page asks for delivery fees. But when the user enters their credit card information, a brief loading animation is followed by a page asking for a one-time password (OTP). Since a phone number was never entered, the victim won’t have received an SMS message, and any value submitted to the OTP code box will return an incorrect code error.
  
  An interesting feature of this campaign is that they have one site where newly registered domains are redirected to. This is different from what we usually find, which is the standing-up of individual phishing sites that are independent of each other. All of the redirector sites seen are hosted on 172.106.177[.]48 at a Linode LLC data centre in Australia.
  
  It’s impossible to know exactly why the threat actors structured the campaign this way. I theorise that they are counting on the fact that the landing site is a shared web resource on a hosting service so it’s not likely to be blocked by automated systems. Currently, only a fraction of anti-phishing systems classify this phishing site as malicious, even though it’s been live for some time. The newly registered domains bypass any scanners or filters that may have blocked the older domains.
  
  The domains redirecting to the phishing site act as a filter. Only “genuine” requests (i.e., requests that actually contain the correct URL for the phishing site) will be directed to a malicious URL. All other requests are redirected to a legitimate domain such as Google or a banking site. This is likely intended to slow down discovery and analysis of the campaign.

Singtel phishing campaigns: takeover of compromised WordPress domains

Unlike the Singapore Post phishing sites that use newly registered domains, currently active Singtel phishing campaigns use compromised WordPress domains. Similar to the real Singtel websites, the fake login page has tabs for OnePass, the company’s login system for customers, and Singpass, its mobile app.

However, the fake site pretends that it can’t generate a proper QR code, the quickest method by which customers can login. Instead, an error message is displayed, prompting the user to use “other methods” to log in, specifically a login page is displayed.

When users enter their login credentials, they are presented with a second page asking for their credit or debit card info. Once card info has been submitted, a non-working dialog box for SMS verification appears, even in the case of login with an email address.

Stay vigilant against phishing threats

Phishing is one of the most common and effective cyberattacks that scammers deploy. Mainly because it’s cheap to create. Any attacker can buy off-the-shelf kits off the dark web. Even if only a small percentage of users fall for the scam, a campaign can create significant profit for the attacker.

Phishing sites may look legitimate, but users should be vigilant to avoid having their credentials stolen. Neither Singapore Post nor Singtel will ever ask you for credit card or banking information through an email. You should always visit a provider’s official site before logging in rather than clicking on links from less trustworthy sources such as email and SMS.