Phishing attack against Wio

To be honest I didn’t know this bank. Today Matrix identified these two threats and so I did a little research into who they are. It is a bank based in the United Arab Emirates.

Looking at the wio.io website the first thing that struck me was that in the management section they don’t have a head of security.

There will probably be someone on the CEO or CTO’s staff; however, I would give them more prominence 😉

The domains involved in the attack are:

  • baeseters-wio[.]com
  • baeselers-wio[.]com
  • olabngsqwrxs[.]com

The domains baeseters-wio[.]com and baeselers-wio[.]com were registered a few hours ago.

The domain olabngsqwrxs[.]com was registered several days ago. I believe this domain is also used by other phishing sites to collect stolen information.
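A defender watching a newly-registered-domain feed could triage entries like the ones above as follows. This is an added example, not part of the original post; the 48-hour window, the feed format and the registration timestamps are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

BRAND_TOKENS = {"wio"}            # brand named in the post
LEGITIMATE = {"wio.io"}           # the bank's real site, per the post
NEW_WINDOW = timedelta(hours=48)  # assumed cut-off for "newly registered"

def refang(domain: str) -> str:
    """Undo the [.] defanging used in the post and normalise case."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def triage(domain: str, registered: datetime, now: datetime) -> str:
    """Classify one feed entry as 'high', 'medium' or 'low' priority."""
    name = refang(domain)
    if name in LEGITIMATE or any(name.endswith("." + d) for d in LEGITIMATE):
        return "low"  # the brand's own domain or one of its subdomains
    # Split every label except the TLD on hyphens/underscores, so the brand
    # must appear as a whole token ("x-wio" matches, "wionews" does not).
    tokens = set()
    for label in name.split(".")[:-1]:
        tokens.update(t for t in re.split(r"[-_]", label) if t)
    has_brand = bool(tokens & BRAND_TOKENS)
    is_new = timedelta(0) <= now - registered <= NEW_WINDOW
    if has_brand and is_new:
        return "high"    # brand token on a freshly registered domain
    if has_brand:
        return "medium"  # brand token, but the registration is older
    return "low"

# Constructed sample feed: the domains are from the post, the clock and the
# registration times are made up to match "a few hours ago" / "several days ago".
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FEED = [
    ("baeseters-wio[.]com", NOW - timedelta(hours=3)),
    ("baeselers-wio[.]com", NOW - timedelta(hours=5)),
    ("olabngsqwrxs[.]com", NOW - timedelta(days=6)),
    ("wio.io", NOW - timedelta(days=2000)),
]

def run(feed=FEED, now=NOW):
    """Return {domain as listed (still defanged): priority}."""
    return {d: triage(d, reg, now) for d, reg in feed}

if __name__ == "__main__":
    for name, level in run().items():
        print(f"{level:6} {name}")
```

The third domain scores low because it carries no brand token and is not newly registered, so brand-based feed matching alone will not surface it.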

The graphics of the site are quite similar to the original; too bad an idiot wrote “forggot”.

The kit is made up of two files. The first (css.zip) contains the graphic files and the information collection logic. The second (gate.zip) receives the stolen information from the css/main.php page and sends it to the olabngsqwrxs[.]com domain, which presents a landing page when the subdirectory contains PHP files suitable for receiving the stolen information.

This site also uses techniques to avoid being tracked once online (default pages without content); too bad for them, the Matrix agents are extremely efficient 🙂

UPDATE 🙂
More information on this LinkedIn post: https://www.linkedin.com/feed/update/urn:li:activity:7188217526160420865/
