How Scammers Are Impersonating Singapore Post and Singtel With Phishing Messages

Throughout 2022, threat actors have been masquerading as the postal service Singapore Post (SingPost) and one of Singapore’s leading telecommunications companies Singtel. Victims are being targeted by phishing emails that appear to be from Singapore Post or Singtel. 

In these emails, users were sent messages informing them of fake billing issues or outstanding payments with links to fraudulent websites that asked for their personal information. According to The Straits Times, as of November 2022, at least 85 people have lost around $237,000 because of these scams. 

While these scams have been widely reported by multiple outlets including The Independent, the threat actors and their methods have not been scrutinized in public. In this blog, I’ll break down my findings and ways you can protect yourself or corporation from phishing attacks. 

A breakdown of the Singapore Post phishing campaigns

Most of the phishing campaigns imitating Singapore Post use dedicated phishing domains. By investigating newly registered domains that include targeted words like “singapore,” “singpost,” or “sgp,” I was able to  identify infrastructure and additional phishing domains. As part of this pivot, I also found generic words, such as “update,” “track,” and “post,” also being used in other domains.

Here’s a breakdown of the phishing campaigns targeting Singapore Post. 

First campaign: Faux package delivery

The first campaign appeared around mid-October and is hosted on Singaporean ISP Nexus Bytes at IP 139.64.239[.]108.  New domains, which all use words spelled similarly to “singpost,” have been added regularly since then. 

For this campaign, users will encounter a landing page that claims a package delivery has been suspended. They will then be asked to enter their name, full address, and phone number. Upon submission, the victim is taken to a second page that asks them to share their credit card details.

One interesting aspect about this particular phishing site is that all the information collecting code is embedded within Javascript, where I found a variable named “webpackChunkaupost.” I suspect that the phishing kit may also target Australia Post. WebpackChunk refers to a code-splitting function in the nodeJS Library Webpack; aupost would be Australia Post. This multi-target behavior is seen in some phishing threat actors who would concurrently target other national postal services such as the United States Postal Service (USPS) and the Australia Post.    

Indicators of compromise (IOCs):

singpost-vip[.]shop

singpot-mem[.]net

singpost-vip[.]com

singpost-info[.]shop

singpost-member[.]com

singpoost[.]com

‍

Second campaign: Anti-analysis capabilities

The second campaign targeting Singapore Post can be found on IP 109.206.241[.]143, hosted by the U.S.-based Delis LLC. The phishing sites have been hosted at this IP address since August 2022, with new ones still being added as of November 2022. In total, over 120 phishing domains have been hosted at this address, and based on collected data, Australia Post is also being targeted by this particular threat actor.

One interesting aspect of this campaign is the anti-analysis technique used. Each phishing link has the form of %phishing_domain%/e/authID=%random_letters%/, with the random letters specific to each phishing site. An error message is returned by the phishing site without a valid authID, preventing analysis of the phishing sites even when found unless a valid link is available.

Example IOCs:

sgpt-update[.]cc

updts[.]at

postjapan[.]net

update-id8154[.]com

auspost-au[.]net

singupdate[.]cc

auspost-tracking[.]cc

trackpost[.]me

new-tracking[.]com

trackingid9175[.]one

singpt-update[.]net

singpt-info[.]cc

singpt-update[.]com

Third campaign: Imitating SingPost and German banks

The third campaign resides on a single phishing site targeting Singapore Post, the German DKB bank, and the German Post Bank. The purpose of the site is to trick victims into entering their credit card information. 

The initial landing page asks for delivery fees. But when the user enters their credit card information, a brief loading animation is followed by a page asking for a one-time password (OTP). Since a phone number was never entered, the victim won’t have received an SMS message, and any value submitted to the OTP code box will return an incorrect code error.

An interesting feature of this campaign is that they have one site where newly registered domains are redirected to. This is different from what we usually find, which is the standing-up of individual phishing sites that are independent of each other. All of the redirector sites seen are hosted on 172.106.177[.]48 at a Linode LLC data center in Australia.

It’s impossible to know exactly why the threat actors structured the campaign this way. I theorize that they are counting on the fact that the landing site is a shared web resource on a hosting service so it's not likely to be blocked by automated systems. Currently, only a fraction of anti-phishing systems classify this phishing site as malicious even though it’s been live for some time. The newly registered domains bypass any scanners or filters that may have blocked the older domains.

The domains redirecting to the phishing site act as a filter. Only “genuine” requests i.e. requests that actually contain the correct URL for the phishing site will be directed to a malicious URL. All other requests are redirected to a legitimate domain such as Google or a banking site. This is likely intended to slow down discovery and analysis of the campaign.

Example IOCs:

singpost-sg[.]xyz (redirector)

singpost-sg[.]online (redirector)

next-pay[.]online (redirector)

next-pay[.]xyz (redirector)

next-pay[.]site (redirector)

singpost-sg[.]site (redirector)

postbank.de.ihre-de[.]com (redirector)

sxb1plvwcpnl497368.prod.sxb1.secureserver[.]net (phishing site)

‍

Singtel phishing campaigns: takeover of compromised WordPress domains

Unlike the Singapore Post phishing sites that use newly registered domains, currently active Singtel phishing campaigns use compromised WordPress domains. Similar to the real Singtel websites, the fake login page has tabs for OnePass, the company’s login system for customers, and Singpass, its mobile app. However, the fake site pretends that it can’t generate a proper QR code, the quickest method by which customers can login. Instead, an error message is displayed, prompting the user to use “other methods” to log in, specifically a login page is displayed. When users enter their login credentials, they are presented with a second page asking for their credit or debit card info. Once card info has been submitted, a non-working dialog box for SMS verification appears, even in the case of login with an email address.

‍

Stay vigilant against phishing threats

Phishing is one of the most common and effective cyber attacks scammers deploy. Mainly because it’s cheap to create. Any attacker can buy off-the-shelf kits off the Dark Web. Even if only a small percentage of users fall for the scam, a campaign can create significant profit for the attacker.

Phishing sites may look legitimate, but users should be vigilant to avoid having their credentials stolen. Neither Singapore Post nor Singtel will ever ask you for credit card or banking information through an email. You should always visit a provider’s official site before logging in rather than clicking on links from less trustworthy sources such as email and SMS.