First published: 08th May 2017
Customers of Hong Kong's largest ISP, PCCW Netvigator, are being targeted by emails that claim their credit card autopay has been rejected and that direct them to a webpage, hosted in Hong Kong, that collects credit card information.
The email uses Netvigator's corporate branding and appears to be sent from the plausible-sounding address "email@example.com", although the domain team-netvigator.com does not exist. The message was sent via a German webmail service, online-service.de.
The link in the message, mail.isee.com.hk:32000/mail/admin/goto.html is hosted on a webmail service in Hong Kong that appears to be running the Merak Mail Server, Web Administration Version: 7.6.4 by IceWarp Software. That page redirects to mail.worldwidegroup.com.hk:32000/mail/accounts/Netvigator/CIC.htm?cron=9e82f2bdf885845bff56c1cf3c4797b2, which is also hosted on a server in Hong Kong running the same Merak Mail Server software. It may be that the German webmail service is running software based on the Merak Mail Server, and the attackers used a single vulnerability to break into all three servers.
The form, which also uses Netvigator branding, asks for the victim's name, Hong Kong ID card number, date of birth, email address, credit card issuer, credit card number, expiry date and CVV. The data is posted to Tekvew/nudnayd.php on the same server.
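The indicators described above (a sender domain that imitates the brand but is not the brand's own, a message handed in by an unrelated webmail relay, and links to third-party hosts on a non-standard port or with the brand name only in the path) can be checked mechanically at the mail gateway. The following script is an added example, not code from the article or from Netvigator or Yui Kee; the sample message is constructed, the list of legitimate brand domains is an assumption, and the hostnames reused from the article are quoted there rather than verified here.

```python
"""Heuristic phishing triage for a raw RFC 822 message.

Added example modelled on the Netvigator campaign described above.  It flags
the indicators a defender would look for without contacting any host, so it
runs offline on a constructed sample.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

BRAND = "netvigator"
# Assumption: the domains the brand genuinely sends mail and hosts pages from.
LEGITIMATE_DOMAINS = {"netvigator.com", "pccw.com"}
STANDARD_PORTS = {None, 80, 443}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample, not the real phishing email.  Hostnames are the ones
# quoted in the article; the addresses and IP are placeholders.
SAMPLE_EMAIL = """\
From: Netvigator Billing <billing@team-netvigator.com>
To: customer@example.net
Subject: Credit card autopay rejected
Received: from webmail.online-service.de (webmail.online-service.de [192.0.2.10])
Content-Type: text/plain; charset=utf-8

Your credit card autopay has been rejected. Please update your details at
http://mail.isee.com.hk:32000/mail/admin/goto.html
or, if that page is unavailable,
http://mail.kwanming.com.hk/freebusy/Netvigator/index.php
"""


def is_brand_domain(host):
    """True if host is one of the legitimate brand domains or a subdomain of one."""
    host = host.lower()
    return host in LEGITIMATE_DOMAINS or any(
        host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def from_domain(msg):
    """Domain part of the first address in the From: header ('' if absent)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def handing_in_host(msg):
    """Host named in the first 'Received: from' header (assumption: one hop)."""
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", str(value))
        if m:
            return m.group(1).lower()
    return ""


def url_indicators(url):
    """Indicators for one link: non-brand host, brand name misuse, odd port."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    found = []
    if not is_brand_domain(host):
        if BRAND in host or BRAND in p.path.lower():
            found.append("brand name on non-brand host")
        else:
            found.append("link host unrelated to brand")
    if p.port not in STANDARD_PORTS:
        found.append(f"non-standard port {p.port}")
    return found


def triage(raw):
    """Return a list of human-readable findings for the raw message text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = from_domain(msg)
    if BRAND in sender and not is_brand_domain(sender):
        findings.append(f"lookalike sender domain {sender}")
    relay = handing_in_host(msg)
    if relay and sender and not relay.endswith(sender):
        findings.append(
            f"handed in by {relay}, unrelated to sender domain {sender}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for url in URL_RE.findall(body):
        for indicator in url_indicators(url):
            findings.append(f"{url}: {indicator}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print(line)
```

The sender/relay comparison is a heuristic: legitimate mail is often handed in by a third-party provider, so that finding on its own is weak and is best combined with a lookalike sender domain or a brand name appearing only in a link path, as it does here.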
Netvigator has issued advice on phishing emails.
Yui Kee's Chief Consultant, Allan Dyer, commented, "The attackers have taken some care to make their message as believable as possible, with a plausible fake email address and the expected corporate branding. However, the authorities should be able to shut down the Hong Kong servers promptly, minimising the damage."
Victims should contact the Police at 2860 5012.
Updated: 10th May 2017
Netvigator Phishing Campaign Continues
More emails targeting Netvigator customers have been received. They appear identical to the earlier messages, but link to a different Hong Kong webpage, mail.kwanming.com.hk/freebusy/Netvigator/index.php, that also asks for the victim's personal and credit card data. The sending mail server appears to be in Switzerland.