What this guide covers

Phishing attacks are becoming ever more sophisticated and their scale is increasing exponentially. The automation of many processes and the growing popularity and accessibility of phishing kits over recent years has made it much easier for cybercriminals to set up fraudulent infrastructure to steal user credentials, bank card details, addresses, OTP codes, IP addresses, and other sensitive information.

Investigating a phishing campaign is not a straightforward process. Typically, the investigation aims to discover and map out the phishing infrastructure; identify and gather as much information as possible about the individuals behind the phishing operation (the developer of the phishing kit and the threat actors who purchased or rented the kit and used it for fraud); uncover the victims to determine the extent of the damage; and pass the information along to the relevant law enforcement organizations.

There are several approaches to investigating a phishing campaign efficiently. In this article, we present a practical guide based on the investigation into a Chinese-speaking phishing campaign observed in July 2022. The campaign was carried out by a phishing gang that Group-IB named PostalFurious. It targeted users in APAC, specifically in Singapore, Australia, and some other countries, by impersonating postal and, to a lesser extent, toll operators.

[Image: PostalFurious phishing key numbers]

As discovered by Group-IB’s Cyber Investigations Team in the Asia Pacific, PostalFurious has been active since at least 2021. The name PostalFurious was coined from the group’s tactic of impersonating postal brands and its ability to quickly set up large network infrastructure, which it also changes frequently to evade detection by security measures. This makes the group an excellent candidate for our guide.

Who may find this guide helpful:

  • Cybersecurity newcomers who are taking their first steps in the field
  • Cybersecurity analysts and corporate security teams
  • Threat Intelligence specialists
  • Private cyber investigators
  • Computer Emergency Response Teams

Examination of primary indicators: Smishing

This particular phishing campaign starts with a scam text message, a technique also known as smishing. Usually, these SMS messages contain the name of a well-known brand and a shortened URL to lure victims into following the link. In this scenario, PostalFurious informed the recipient of a failed delivery attempt. The threat actors used shortened URLs to hide the true malicious landing page from victims. Once a user clicks on the shortened URL, they are redirected to a phishing website whose URL is visually similar to that of the legitimate website.

There are several ways to tell if an SMS you receive is a smishing attempt.

  1. The SMS comes from an unusual number, or the sender’s name is a variation of the brand name that is being impersonated
  2. The message contains a shortened URL that redirects users to a domain that is not the legitimate website. Among the red flags are inactive buttons, links that do not work, and/or spelling and grammatical errors
  3. The message or the phishing page demands immediate payment or asks for payment or personal details
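The three indicators above can be turned into a repeatable triage check. The script below is an added example written for this guide, not code from the article or from Group-IB: it extracts every URL from a message, flags domains on a constructed list of public URL shorteners, compares other domains against hypothetical brand domains (`example-post.com`, `example-toll.com`) by edit distance to catch lookalikes, and looks for urgency and payment language. The sample messages are constructed, not real texts from the campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed list of common public URL shorteners (assumption, not from the article)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}

# Hypothetical legitimate brand domains of the impersonated operators
BRAND_DOMAINS = {"example-post.com", "example-toll.com"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(r"\b(immediately|within 24 hours|final notice|pay now|suspended)\b", re.I)
PAYMENT_RE = re.compile(r"\b(fee|payment|pay|card)\b", re.I)


def extract_urls(text):
    """Return every http(s)/www URL in the message, trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def registered_domain(host):
    """Naive registrable domain: the last two labels. Sufficient for the constructed
    samples; production code should consult the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_brand(domain):
    """Return (brand_domain, distance) for the brand domain nearest to `domain`."""
    return min(((b, levenshtein(domain, b)) for b in BRAND_DOMAINS), key=lambda t: t[1])


def triage_sms(text):
    """Apply the three indicators to one message and return a list of findings."""
    findings = []
    for url in extract_urls(text):
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
        reg = registered_domain(host)
        if reg in SHORTENERS:
            findings.append(f"shortened URL: {reg}")
        elif reg not in BRAND_DOMAINS:
            brand, dist = closest_brand(reg)
            if dist <= 2:
                findings.append(f"lookalike domain: {reg} ~ {brand}")
            else:
                findings.append(f"non-brand domain: {reg}")
    if URGENCY_RE.search(text):
        findings.append("urgency language")
    if PAYMENT_RE.search(text):
        findings.append("payment demand")
    return findings


# Constructed sample messages (not real smishing texts from the campaign)
SAMPLES = [
    "[ExamplePost] We could not deliver your parcel. Pay the redelivery fee within 24 hours: https://bit.ly/3xyzAbc",
    "ExamplePost: confirm your address to release your parcel at http://examp1e-post.com/track",
    "ExamplePost: your parcel arrives today. Track it at https://example-post.com/t/123",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg)
        print("  ->", triage_sms(msg) or ["no indicators"])
```

A message that only hits the shortener rule is not proof of smishing on its own; the value of the check is in the combination of findings, which is why the function returns all of them rather than a single verdict.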

An example of an SMS sent by PostalFurious can be found below:

[Image: example of an SMS sent by PostalFurious]

To reach as many potential victims as possible, the scam SMS has to be sent to a large group of people, which improves the odds of someone falling for the phishers’ ploy. This can be achieved by using an SMS blaster or a bulk SMS service provider.

If the sender ID appears as a phone number, it is possible to obtain information about the carrier and, with the assistance of telecom providers, find out which service was used to send the messages, which yields additional details about the threat actors’ infrastructure.

If the SMS contains a phishing link, we can investigate the phishing website to find out further information about the threat actors. The analysis of one of PostalFurious’ phishing websites used in the July campaign is presented in the following section.

Down the rabbit hole: phishing website

In this example, the phishing campaign involved a fake website bearing the impersonated postal company’s logo and website design to convince users that they were visiting the legitimate site. The phishing URL was specifically chosen to mimic the real brand’s web address. The website informs the user about a failed delivery and requests a “fee” to arrange redelivery.

[Image: PostalFurious phishing website]

In some cases, the threat actors use a more sophisticated approach: making the phishing website visible only to specific audiences, based on the device’s language and type, geolocation, time of day, etc. This keeps unintended visitors away from the phishing page and complicates detection by automated security solutions.

The source code of the investigated PostalFurious’ website has a function responsible for allowing access to users visiting from mobile devices and redirecting others to a YouTube video of the song “Hot Rod” by the US indie-pop band Dayglow.
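Device-based gating of this kind is detectable from the defender’s side by requesting the same URL under several client profiles and comparing the responses. The code below is an added example for this guide, not the campaign’s source code or a Group-IB tool: `constructed_gate` is a stand-in for the behaviour the article describes (mobile visitors get the page, everyone else is redirected), and `probe`/`detect_cloaking` show how an investigator’s crawler would notice the split. The decoy URL and the User-Agent strings are constructed placeholders; `fetch` is injected so the same detector can be pointed at a real HTTP client later.

```python
import re

# Constructed stand-in for the gating logic described in the article (not the kit's code).
MOBILE_RE = re.compile(r"Android|iPhone|iPad|Mobile", re.I)
DECOY_URL = "https://www.youtube.com/<decoy-video-placeholder>"


def constructed_gate(headers):
    """Fake server: returns (status, headers, body) the way the described gate would."""
    ua = headers.get("User-Agent", "")
    if MOBILE_RE.search(ua):
        return 200, {}, "<html>Your parcel could not be delivered. Pay the redelivery fee.</html>"
    return 302, {"Location": DECOY_URL}, ""


# Constructed client profiles an investigator would rotate through (assumed strings).
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
    "crawler": "Googlebot/2.1 (+http://www.google.com/bot.html)",
}

REDIRECTS = {301, 302, 303, 307, 308}


def probe(fetch, profiles=PROFILES):
    """Fetch the target once per profile; `fetch(headers)` must return (status, headers, body)."""
    results = {}
    for name, ua in profiles.items():
        status, resp_headers, body = fetch({"User-Agent": ua})
        results[name] = {"status": status, "location": resp_headers.get("Location"), "body_len": len(body)}
    return results


def detect_cloaking(results):
    """Split profiles into those served content and those diverted; cloaked if both sets are non-empty."""
    served = sorted(n for n, r in results.items() if r["status"] == 200)
    diverted = sorted(n for n, r in results.items() if r["status"] in REDIRECTS)
    decoys = sorted({r["location"] for r in results.values() if r["location"]})
    return {"served": served, "diverted": diverted, "decoys": decoys, "cloaked": bool(served and diverted)}


if __name__ == "__main__":
    verdict = detect_cloaking(probe(constructed_gate))
    print(verdict)
```

When crawling real infrastructure, the same divergence test extends naturally to the other gating dimensions the article mentions (Accept-Language, source geolocation, time of day); the profile dictionary is the only thing that changes.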

[Image: source code of the investigated PostalFurious website]

Let’s get back to the front end of the phishing page. If a user clicks on the payment button, their credit card information is requested:

[Image: PostalFurious phishing website payment window]

PostalFurious also requests an OTP from the victim by showing them a fake OTP request form:

[Image: PostalFurious OTP request form]

In this scheme, an automated login attempt to the victim’s banking application is initiated from the threat actor’s device; the bank then sends the victim an OTP for that login, which the fake form harvests.

In general, a similar fraudulent scheme can lead to one of the following scenarios:

  1. Theft of the bank card details and the OTP needed to authorize payments
  2. A paid subscription linked to the bank card to guarantee recurring charges
  3. Use of the stolen information to access the victim’s banking application

Inside the Phishing Infrastructure

Analyzing a phishing website’s domain and IP address can reveal other resources that belong to the same threat actor. By looking up WHOIS information of the IP address or domain of the phishing website, we can get the name of the hosting provider and the domain registrar information. WHOIS information usually contains the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system.

Phishing sites can be hosted on bulletproof hosting infrastructure, cloud infrastructure, or with any other hosting provider. Bulletproof hosting providers are lenient about what can be hosted on their servers and ignore abuse requests. The information that threat actors provide for domain registration, such as name, organization name, email address, and phone number, is not verified, but it can still be used for correlation if the registrar does not hide it.

Domain analysis based on the registrant’s information can often lead to the discovery of affiliated phishing domains targeting other brands, as well as additional valuable information such as other email addresses and names used by the same threat actor and even their admin panels. Such information may also assist the investigators to deanonymize the threat actors.

Reliable links between domains can be built on shared IP addresses (provided that web-hosting services and other shared infrastructure are not in use), shared SSL certificates, and identical registrant information (as long as it belongs to the registrant and not to the registrar or a privacy proxy).
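The pivoting rules in the paragraphs above can be applied mechanically once WHOIS, DNS and certificate data has been collected. The following is an added example for this guide, not Group-IB’s Graph Network Analysis tool: it links domains that share an IP address (unless the IP is a known shared host), a certificate fingerprint, or a registrant name or email (unless the name is a registrar privacy placeholder), and returns the resulting clusters with the evidence for each link. All records, IPs (documentation ranges), fingerprints and names are constructed.

```python
from collections import defaultdict

# Constructed records as an investigator might assemble them from WHOIS, passive DNS and TLS scans.
RECORDS = [
    {"domain": "sgpost-redelivery.example", "ip": "203.0.113.5", "cert": "aa11", "name": "Jane Doe", "email": "jane.doe@mail.example"},
    {"domain": "auspost-parcel-fee.example", "ip": "203.0.113.9", "cert": "bb22", "name": "Jane Doe", "email": "jane.doe@mail.example"},
    {"domain": "toll-notice-pay.example", "ip": "203.0.113.9", "cert": "cc33", "name": "REDACTED FOR PRIVACY", "email": ""},
    {"domain": "parcel-track-fr.example", "ip": "198.51.100.10", "cert": "dd44", "name": "REDACTED FOR PRIVACY", "email": ""},
    {"domain": "unrelated-shop.example", "ip": "198.51.100.10", "cert": "ee55", "name": "Domains By Proxy, LLC", "email": ""},
    {"domain": "laposte-colis-frais.example", "ip": "203.0.113.40", "cert": "aa11", "name": "REDACTED FOR PRIVACY", "email": ""},
]

# Constructed: an IP known to belong to a shared web-hosting service, so co-location proves nothing.
SHARED_HOSTING_IPS = {"198.51.100.10"}
# Registrant names that belong to the registrar or a privacy proxy, not to the actor.
PRIVACY_REGISTRANTS = {"redacted for privacy", "domains by proxy, llc", "whoisguard protected"}


def pivot_keys(rec):
    """Attributes of one record that are strong enough to link domains on."""
    keys = []
    if rec["ip"] and rec["ip"] not in SHARED_HOSTING_IPS:
        keys.append(("ip", rec["ip"]))
    if rec["cert"]:
        keys.append(("cert", rec["cert"]))
    if rec["name"] and rec["name"].lower() not in PRIVACY_REGISTRANTS:
        keys.append(("name", rec["name"].lower()))
    if rec["email"]:
        keys.append(("email", rec["email"].lower()))
    return keys


def cluster(records):
    """Union-find over domains; returns (clusters of size > 1, list of (domain_a, domain_b, key) edges)."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    seen = defaultdict(list)  # pivot key -> domains carrying it
    edges = []
    for r in records:
        for key in pivot_keys(r):
            for other in seen[key]:
                union(r["domain"], other)
                edges.append((other, r["domain"], key))
            seen[key].append(r["domain"])

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return [sorted(g) for g in groups.values() if len(g) > 1], edges


if __name__ == "__main__":
    clusters, links = cluster(RECORDS)
    for c in clusters:
        print("cluster:", c)
    for a, b, key in links:
        print(f"  {a} <-> {b} via {key[0]}={key[1]}")
```

In the constructed data the two privacy-protected domains on the shared-hosting IP stay unlinked, which is the behaviour the caveats in the text call for; the remaining four domains join one cluster through a chain of registrant, IP and certificate evidence even though no single attribute is common to all of them.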

In the example from PostalFurious’ July campaign outlined above, we discovered that the phishing domain was registered under the name Tamara Holmes. Using Group-IB’s patented Graph Network Analysis tool, we identified other phishing domains registered under the same name and with the same contact details. For this particular campaign, PostalFurious set up more than 20 phishing websites between late June and early July 2022.

Additionally, the graph revealed email addresses and some China-related contact details used for domain registration. A phone number with the China country code (+86), an address, and a Chinese name spelled in Hanyu Pinyin (the official romanization system for Standard Mandarin Chinese) are marked with red rectangles in the picture.

[Image: network infrastructure used by PostalFurious]

All newly discovered information, such as the source code of these domains, was then analyzed by Group-IB investigators to attempt to identify the phishing kit and admin panels hosted on these domains.

More data from Source Code Analysis

The source code of a phishing website can tell an investigator several meaningful things, such as the language used by the threat actor, the framework the website is built on, and the directory structure of the fraudulent resources.

In the case of the PostalFurious July campaign, the examination of the source code showed that many comments were written in Simplified Chinese. The Chinese comments briefly described which page the user would be redirected to if the conditions were met.

[Image: PostalFurious July campaign source code]

Following the links discovered in the source code can uncover misconfigurations of the websites, which usually yields more information about the threat actors as well as the phishing kit they use.

Anatomizing the Phishing Kit

To automate and streamline their phishing operations, cybercriminals often use phishing kits: sets of templates and scripts that allow even those with little programming experience to create multiple phishing pages quickly. Because of this convenience, threat actors can create phishing pages at massive scale, which makes it hard for investigators to keep track of the phishing domains and complicates blocking efforts. An example of the source code of an installer for PostalFurious’ phishing kit is shown below. As can be seen, the Laravel PHP framework was used to build this kit.

[Image: phishing kit installer source code built on the Laravel PHP framework]

To find a phishing kit used to set up phishing pages, an investigator can take the following steps:

  1. Scan the resource for open directories and analyze their contents. Sometimes the phishing kit is available right there.
  2. Search dark web forums for posts offering phishing kits designed for the brands affected in the investigated campaign, and analyze those kits.
  3. Use unique strings from the source code to search through resources that aggregate potentially malicious files for analysis. VirusTotal and other public sandboxes, as well as commercial threat intelligence solutions, can help here.
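The source-code observations described earlier (comment language, framework, directory hints) and step 3 above (unique strings to search for in sandboxes and threat intelligence platforms) can be extracted with a small triage script. The code below is an added example for this guide, not the PostalFurious kit or a Group-IB tool, and `SAMPLE_PHP` is a constructed snippet written to resemble the behaviour the article describes, not the real source. The framework markers are assumed indicators chosen for this example.

```python
import re

# Constructed PHP snippet standing in for a phishing-kit entry point (not the actual kit source).
SAMPLE_PHP = r'''<?php
// 判断是否手机访问，否则跳转
if (!isMobile()) {
    header("Location: https://www.youtube.com/<decoy-video>");  // 跳转到视频
    exit;
}
/* 读取配置 */
$app = require __DIR__.'/bootstrap/app.php';
Route::get('/admin', 'AdminController@index');
'''

# String literals are matched first so that "//" inside a URL is not mistaken for a comment.
COMMENT_RE = re.compile(r'''(?:"[^"\n]*"|'[^'\n]*')|(//[^\n]*|/\*.*?\*/)''', re.S)

# Assumed framework fingerprints (example values, not an exhaustive or authoritative list).
FRAMEWORK_MARKERS = {
    "laravel": [r"bootstrap/app\.php", r"Illuminate\\", r"Route::", r"\bartisan\b"],
    "codeigniter": [r"system/core/CodeIgniter\.php", r"get_instance\(\)"],
    "wordpress": [r"wp-load\.php", r"add_action\("],
}


def extract_comments(src):
    """Return every // and /* */ comment, ignoring comment-like text inside string literals."""
    return [m.group(1) for m in COMMENT_RE.finditer(src) if m.group(1)]


def script_of(text):
    """Dominant writing system of the alphabetic characters: han, cyrillic, latin or none."""
    counts = {"han": 0, "cyrillic": 0, "latin": 0}
    for ch in text:
        if not ch.isalpha():
            continue
        cp = ord(ch)
        if 0x4E00 <= cp <= 0x9FFF:
            counts["han"] += 1
        elif 0x0400 <= cp <= 0x04FF:
            counts["cyrillic"] += 1
        elif ch.isascii():
            counts["latin"] += 1
    return max(counts, key=counts.get) if any(counts.values()) else "none"


def detect_framework(src):
    """Names of frameworks whose markers appear in the source."""
    return sorted(name for name, pats in FRAMEWORK_MARKERS.items() if any(re.search(p, src) for p in pats))


def unique_strings(src, min_len=12):
    """String literals long enough to be distinctive, for searching sandbox and TI corpora."""
    pattern = r"""(["'])((?:(?!\1).){%d,})\1""" % min_len
    return sorted({body for _, body in re.findall(pattern, src)})


def fingerprint(src):
    comments = extract_comments(src)
    return {
        "comment_script": script_of(" ".join(comments)),
        "comment_count": len(comments),
        "frameworks": detect_framework(src),
        "search_strings": unique_strings(src),
    }


if __name__ == "__main__":
    for k, v in fingerprint(SAMPLE_PHP).items():
        print(f"{k}: {v}")
```

The `search_strings` output is what would be fed to VirusTotal content searches or a commercial threat intelligence platform; the `comment_script` value records the same observation the article makes about Simplified Chinese comments, but as a field that can be compared across many samples.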

The screenshot below shows different configuration files of the phishing kit used in the PostalFurious campaign.

[Image: configuration files of the phishing kit used in the PostalFurious campaign]

Examining the phishing kit can reveal further details about the threat actors. For instance, cybercriminals sometimes edit which information is stolen from victims and where the stolen data is sent. Popular phishing kits often specify the author’s contact details in the configuration files. The possible ways of sending intercepted credentials are:

  • Email
  • Locally on the server
  • To another server
  • To Telegram bots

In the investigated campaign, the victim’s data was sent locally to the database hosted on the server.
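Because the exfiltration path is the most useful thing a kit reveals, it is worth classifying it automatically across every configuration file recovered. The script below is an added example for this guide, not the PostalFurious kit’s configuration or a Group-IB tool: it maps the four destinations listed above (plus local files) to assumed textual indicators, classifies constructed Laravel-style and PHP snippets, and pulls out the email addresses and URLs that can then be correlated. All sample values, including the Telegram bot token, are constructed placeholders.

```python
import re

# Constructed configuration excerpts in the style of a Laravel .env file and PHP helpers (not the real kit).
SAMPLES = {
    "local-db": "APP_NAME=Parcel\nDB_CONNECTION=mysql\nDB_HOST=127.0.0.1\nDB_DATABASE=orders\n",
    "telegram": "RESULT_URL=https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage?chat_id=000000\n",
    "email": "$to = 'drop@mail.example';\nmail($to, 'New order', $body);\n",
    "remote": "curl_setopt($ch, CURLOPT_URL, 'https://collector.example/api/submit');\n",
}

# Assumed indicators for each destination type, evaluated in order of specificity.
RULES = [
    ("telegram", re.compile(r"api\.telegram\.org/bot[^/\s]*")),
    ("email", re.compile(r"\bmail\(|\bSMTP\b|MAIL_HOST=", re.I)),
    ("remote-server", re.compile(r"CURLOPT_URL|file_get_contents\(\s*['\"]https?://|https?://[^\s'\"]+/(api|submit|gate|collect)", re.I)),
    ("local-db", re.compile(r"DB_CONNECTION=|DB_HOST=|new PDO\(|mysqli_connect\(", re.I)),
    ("local-file", re.compile(r"fopen\(|file_put_contents\(|fwrite\(", re.I)),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def classify_exfil(text):
    """Destination types whose indicators appear in the text, or ['unknown']."""
    hits = [name for name, rx in RULES if rx.search(text)]
    return hits or ["unknown"]


def extract_indicators(text):
    """Pivotable values for correlation: contact emails and collection URLs."""
    return {"emails": sorted(set(EMAIL_RE.findall(text))), "urls": sorted(set(URL_RE.findall(text)))}


def analyze_kit(files):
    """files: mapping of file name -> content. Returns per-file classification and indicators."""
    return {name: {"exfil": classify_exfil(body), **extract_indicators(body)} for name, body in files.items()}


if __name__ == "__main__":
    for name, result in analyze_kit(SAMPLES).items():
        print(name, "->", result)
```

A kit that stores results only in a local database, as in the investigated campaign, leaves the investigator with the server itself as the pivot; the Telegram and remote-server cases instead hand over a bot token or collector host that can be reported and correlated.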

[Image: phishing kit configuration (Laravel PHP framework)]

An example of the stolen data is presented below:

[Image: example of the data stolen by PostalFurious]

In the investigated phishing campaign, the threat actor most likely used a unique custom phishing kit, as we had not discovered traces of it anywhere else in the wild at the time of writing. In general, phishing kits are advertised by their developers on dark web forums, marketplaces, or Telegram groups. If they are not, an investigator can instead monitor sales of victims’ personal data and credit card information, as these are usually obtained through phishing.

A phishing kit also lets an investigator understand how the phishing campaign is set up and configured. Most importantly, it shows how the victims’ data is sent back to the threat actor. For deanonymization purposes, this information can be processed using OSINT (Open Source Intelligence) methods or Threat Intelligence platforms with dark web search and correlation capabilities.

If the threat actors develop a phishing kit for themselves, they process the compromised data on their own. If the kit is sold on dark web forums, then its users and its developer are different people; once the developer is traced, an investigator can find out who bought the kit. In the investigated campaign, all discovered information about the threat actors was provided to the relevant law enforcement organizations and is not disclosed in this guide.

Discovery of Admin Panel

A threat-actor-controlled admin panel is a dashboard that gives the operators insight into the campaign and its victims. One way to find out which admin panel is in use is through the phishing kit. In this case study, the file admin.php indicated that the Dcat Admin panel was used and revealed the path to the admin panel.

[Image: admin panel of PostalFurious]

Dcat Admin is based on Laravel-admin, an interface builder for Laravel, the open-source PHP framework that lets a user build a fully functional backend system with little code. The admin panel is popular among Chinese-speaking cybercriminals and has a Chinese-language interface.

Scanning for open directories and analyzing the source code can reveal server misconfigurations that leak information from the admin panel. What appears to be the main page of the admin panel in the PostalFurious campaign presents general statistics about visitors, devices, and the so-called orders:

[Image: PostalFurious campaign general statistics]

We assume that “new users” and “sessions” reflect the number of visitors to all threat-actor-controlled phishing websites. The number most likely includes non-human visits by scanners and bots.

PostalFurious’ phishing pages were live, on average, for 2-5 days. We assume that the screenshot below reflects the statistics for one of their phishing websites. The page was visited by at least 979 people while it was live. It is not entirely clear how many users submitted their payment details, but we assume that 81 is the number of visitors whose submitted payment records were checked by the threat actor and marked as valid. Most of the victims of the campaign in question were from Singapore and Australia.

[Image: PostalFurious campaign statistics for a single phishing website]

Group-IB investigators discovered several phishing templates designed by PostalFurious to impersonate delivery brands from the Asia-Pacific region and other countries. As can be seen from the screenshot below, in their July campaign PostalFurious used at least three templates to impersonate delivery brands from Singapore, Australia, and France. However, Group-IB investigators have not detected live phishing pages targeting France.

[Image: phishing templates designed by PostalFurious]

Conclusion

The deanonymization of threat actors can be accomplished through the analysis of different elements of their infrastructure. However, it is worth noting that different stages of a phishing campaign can involve multiple members of the cybercriminal group. As a result, identifying all the members of a phishing operation quickly can be challenging.

It is important to provide all relevant law enforcement organizations with the information about the threat actors, their phishing infrastructure, and the indicators from the phishing kit. This facilitates the investigation and, if the information is sufficient, can result in the arrest of the threat actors, preventing further damage to ordinary users and impersonated brands.

To move the investigation further, local authorities can request information from telecom, hosting providers, and domain registrars based on the indicators of the phishing infrastructure. If the victimology is known, the local authorities of different countries could work together to gather more actionable information to bring the perpetrators to justice.

As for the investigated campaign, Group-IB notified all impersonated brands and shared all relevant information about the creators of the phishing kit, their support team, and PostalFurious’ identified phishing infrastructure with the corresponding law enforcement agencies.

Recommendations

For Users

  1. Verify the source. Phishing emails or SMS messages are designed to look like legitimate messages from banks, credit card companies, or other organizations. Do not rush to submit your personal information. Find the company’s official website, look for reviews, and call customer support. It is always better to confirm the credibility of the source.
  2. Examine the URL. Phishing sites have visually similar URLs. This technique is known as typosquatting, where the URL is a misspelling of the targeted brand’s domain.
  3. Check for HTTPS and an SSL certificate. It might sound too advanced, but you should look for a lock sign in the address bar, which means that the website is using an encrypted connection and is secured with an SSL certificate. Even though more and more phishing sites have started to use HTTPS, this check combined with the others will help you distinguish phishing websites efficiently.
  4. Inspect the website’s content. If the website demands too much personal information, especially credit card information, consider whether it is really necessary. Check the quality of the content, as phishing websites tend to have lower-resolution images, missing information, or broken links.
  5. Think twice before you pay. If you did not expect an invoice from the mentioned service via SMS, verify it by other means, such as checking your personal account with that service.

For Businesses

  1. Scammers usually impersonate legitimate brands. Brand owners should proactively monitor for and block scam and phishing websites upon detection. Group-IB’s Digital Risk Protection solution, part of the Unified Risk Platform, can reveal fraudulent infrastructure at early stages and initiate the takedown process.
  2. Scammers who steal bank cards need to monetize this data. If they try to log into a banking portal that uses Group-IB’s Fraud Protection, this attempt will be flagged to a bank’s anti-fraud unit. Group-IB Fraud Protection analyzes user behavior. This analysis provides an opportunity to identify behavioral anomalies and prevent fraud, reducing the cost of additional transaction verifications or eliminating the consequences of fraud.
  3. The most effective way to stop cybercrime is to identify the perpetrators and bring them to justice. In line with Group-IB’s long-standing mission of fighting cybercrime, the company’s Cyber Investigations team has conducted over 1,000 successful investigations all around the world, helping private companies and international law enforcement organizations to combat advanced digital crimes.

Global Investigations by Group-IB

Combating computer-based, financial, corporate crimes of varied size and complexity by bringing perpetrators to justice