Xneelo Users Targeted in a Multi-stage Phishing Attack | Cofense

A four-stage phishing campaign targeted Xneelo customers in South Africa, aiming to harvest Xneelo and Webmail credentials, credit card data, and SMS-based 2FA codes via a fake KonsoleH login flow and a hosted phishing page. The attackers relied on spoofed emails, deceptive pages, and a hosted login process to collect multiple data types and access users’ Webmail accounts. #Xneelo #KonsoleH #Webmail #Phishing #CofensePhishingDefenseCenter #Mimecast

Key points

  • Target: Xneelo customers in South Africa, a hosting provider serving over 500,000 users.
  • Stage 1: A spoofed email with Xneelo branding urges urgent action and directs users to a fake login page via a Pay Now link.
  • Red flags in Stage 1 include a generic greeting, urgency language, and odd payment details (e.g., a due date that precedes the issue date and an amount due of R0.00).
  • Stage 2: After entering credentials, users are prompted for credit card information on a subsequent page with seemingly legitimate debit/order details.
  • Stage 3: Attackers solicit an SMS 2FA code to verify identity, enabling further account access.
  • Stage 4: Users are directed to a spoofed KonsoleH Webmail login page; successful entry yields access to Webmail data and controls.
  • The campaign demonstrates a multi-stage approach to steal credentials, payment data, and 2FA codes, culminating in Webmail access and broader account compromise.
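As an added illustration (not code from the Cofense post), the Python helper below scores an invoice email against the Stage 1 red flags listed above and checks whether the Pay Now link actually points at the legitimate xneelo.co.za domain; the sample emails, dates and amounts are constructed for the demonstration.

```python
import re
from datetime import date
from typing import List, Optional
from urllib.parse import urlparse

# Legitimate domain named on the page; anything else behind "Pay Now" is suspect.
LEGIT_DOMAINS = {"xneelo.co.za"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client")
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspend")


def pay_now_host(html: str) -> Optional[str]:
    """Return the hostname behind the first 'Pay Now' anchor, or None."""
    m = re.search(r'<a[^>]+href="([^"]+)"[^>]*>\s*Pay Now\s*</a>', html, re.I)
    return urlparse(m.group(1)).hostname.lower() if m else None


def score_invoice_email(text: str, html: str, amount_due: float,
                        issue_date: date, due_date: date) -> List[str]:
    """Return the list of red flags matched by this invoice email."""
    flags = []
    lowered = text.lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(t in lowered for t in URGENCY_TERMS):
        flags.append("urgency language")
    if due_date < issue_date:
        flags.append("due date before issue date")
    if amount_due == 0:
        flags.append("zero amount due")
    host = pay_now_host(html)
    if host and not any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        flags.append(f"Pay Now link points off-brand: {host}")
    return flags


# Constructed samples: the first mimics the Stage 1 lure (host taken from the page's IoC list).
PHISH_TEXT = "Dear Customer,\nYour invoice is overdue. Pay immediately or we suspend hosting.\n"
PHISH_HTML = '<p>Dear Customer,</p><a href="https://postingbank.wpengine.com/sudd/">Pay Now</a>'
LEGIT_TEXT = "Hello Jane,\nYour monthly hosting invoice is attached.\n"
LEGIT_HTML = '<a href="https://xneelo.co.za/invoice/123">Pay Now</a>'

if __name__ == "__main__":
    print(score_invoice_email(PHISH_TEXT, PHISH_HTML, 0.0, date(2024, 5, 10), date(2024, 5, 1)))
    print(score_invoice_email(LEGIT_TEXT, LEGIT_HTML, 150.0, date(2024, 5, 1), date(2024, 5, 15)))
```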

MITRE Techniques

  • [T1566] Phishing – Stage 1: The attacker sends a convincing email with a Pay Now button that redirects to a fake login page. Quote: “the ‘Pay Now’ button redirects the user to hXXps://postingbank[.]wpengine[.]com/sudd/ where the fake Xneelo login page is located (Figure 2).”
  • [T1566] Phishing – Stage 2: The fake login page prompts for credit card information after credentials are entered. Quote: “Once the user enters their Xneelo login credentials, a page requesting credit card information is presented (Figures 3 and 4).”
  • [T1078] Valid Accounts – Stage 3: The phishing flow enables use of stolen credentials and SMS codes to log in. Quote: “Once users input the code into the phishing website, threat actors can use it to successfully log in as the users.”
  • [T1566] Phishing – Stage 4: The fourth stage routes users to a KonsoleH Webmail login page to harvest Webmail credentials. Quote: “The fourth and final stage of this phishing campaign occurs when the user is directed to a webpage which spoofs the real KonsoleH webmail page (Figure 6).”

Indicators of Compromise

  • [Domain] postingbank.wpengine.com – phishing host serving the fake login page
  • [Domain] xneelo.co.za – legitimate Xneelo site, referenced for comparison only

Read more: https://cofense.com/blog/xneelo-users-targeted-in-a-multi-stage-phishing-attack/