.NExT Web Security - Fighting 419 (Nigerian Advanced Fee Fraud) and other internet scams. Providing International Law Enforcement, investigators and anti-scam specialists with effective tools to combat internet crime.

Scam & Fraud News

Ironically, Phishing Kit Hosted on Nigerian Government Site

Ionut Ilascu - Bleeping Computer - 19-03-30

DHL phishing page on the Nigerian National Assembly's server

Those who remember earlier days of the internet are familiar with the “Nigerian Prince letter,” also known as the 419 scam. While that fraud typically runs from personal email accounts, another one uses an official Nigerian government website to host a phishing page for the DHL international courier service.

Nigeria has a large culture of fraud, which is defined in the country's criminal code at number '419,' under "Chapter 38: Obtaining Property by false pretenses; Cheating," but this is ridiculous.

For over two weeks, the Nigerian National Assembly (NASS) site has been serving a fraudulent page that asks for DHL account credentials. This is just a landing location, most likely pushed through spam.

The phishing resource is "u.php" and it is present on multiple legitimate websites that have been hacked to host it as well as on domains that look like they've been registered specifically for DHL phishing purposes.

Below is a short list of the websites we found hosting the same DHL phishing page present on the Nigerian official website. The last two look like legitimate websites that have been compromised to include the malicious kit.


At the moment of writing, loading most of them triggered the "Deceptive site" warning in Chrome and Firefox, but not all of them have been indexed as unsafe, yet.

Security researcher MalwareHunterTeam found the phishing page on the NASS website and noticed a history of malicious URLs available on the official domain.

Other phishing pages on Nigerian National Assembly server

MalwareHunterTeam says that the kit is an old one that dates back to at least June 2017 and that it is present on hundreds of websites. Some of the URLs no longer resolve, while others have managed to escape detection by the anti-phishing protection in web browsers.

Although the scammers did a poor job impersonating the original DHL website, plenty of victims are likely to fall for the trick. A "Norton Secured" stamp is visible next to the DHL logo, there is a world clock showing the local time, an IP checker, and official imagery to inspire trust.

However, the web address, the absence of any links on the page, and the outdated footer copyright text should be clear signs of a scam.

The only fields present on the page are for entering the login data for the DHL account. These are sent to the fraudster while an error message pops up saying that the password may be incorrect.

No matter how many times credentials are submitted, there's the same outcome. Once they get them, cybercriminals can sell them on underground forums for as little as $10 apiece.
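The warning signs described above (a brand login form on a host that is not the brand's, no links on the page, an outdated footer copyright) can be checked mechanically when triaging a reported URL. This is an added example, not part of the original article; the `triage` function, the `dhl.com` allowlist and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageFacts(HTMLParser):
    """Collects only what the warning signs above depend on."""
    def __init__(self):
        super().__init__()
        self.links, self.password_fields, self.text = 0, 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and (a.get("href") or "").strip() not in ("", "#"):
            self.links += 1
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_data(self, data):
        self.text.append(data)

# Copyright marker followed by a year or a year range ("2012-2019").
COPYRIGHT = re.compile(r"(?:©|\(c\)|copyright)\D{0,10}((?:19|20)\d{2})"
                       r"(?:\s*[-–]\s*((?:19|20)\d{2}))?", re.I)

def triage(url, html, current_year, brand="dhl", brand_domains=("dhl.com",)):
    """Return the warning signs present; an empty list means none fired."""
    facts = PageFacts()
    facts.feed(html)
    facts.close()
    text = " ".join(facts.text)
    host = (urlparse(url).hostname or "").lower()
    # Exact host or a true subdomain only; "dhl.com.tracking.example" fails.
    on_brand = any(host == d or host.endswith("." + d) for d in brand_domains)
    signs = []
    if facts.password_fields and brand in text.lower() and not on_brand:
        signs.append("brand-login-on-foreign-host")
    if facts.password_fields and facts.links == 0:
        signs.append("no-links")
    m = COPYRIGHT.search(text)
    if m and int(m.group(2) or m.group(1)) < current_year:
        signs.append("stale-copyright")
    return signs

# Constructed samples (not the real kit or the real DHL page).
PHISH_URL = "http://legislature.example/u.php"
PHISH_HTML = """<title>DHL | Login</title><img src="norton.png">
<form method="post"><input name="user"><input type="password" name="pass"></form>
<p>&copy; 2015 DHL International</p>"""
LEGIT_URL = "https://www.dhl.com/"
LEGIT_HTML = """<title>DHL</title><a href="/help">Help</a>
<form><input type="password" name="pass"></form><p>&copy; 2019 DHL</p>"""
```

These are triage heuristics for ranking reports, not a verdict: a kit that adds links or a current year will pass the last two checks, so the host comparison carries the most weight.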

UPDATE: The article has been updated to include new information from MalwareHunterTeam and clarify that not all the websites on the short list we provided were registered specifically for phishing purposes.


Tags: Nigerian, phishing, Nigerian Government website

