In the current landscape of digital banking, a concerning trend has emerged that puts account holders at risk of falling victim to sophisticated cyber scams. Banks are now urging their customers to update their account information by submitting their National Identification Number (NIN), a move aimed at enhancing security measures. However, this well-intentioned process has inadvertently opened the door for threat actors specializing in Business Email Compromise (BEC) and phishing scams to exploit unsuspecting users.

Phsihing Meets Timing

These malicious actors have been quick to capitalize on the situation by setting up fake or replica versions of corporate banking websites to deceive individuals into divulging their personally identifiable information. By mimicking the legitimate interfaces of banks, these fraudulent websites trick users into entering sensitive data, such as login credentials, token codes, and NINs, under the guise of security compliance.

As responsible digital citizens, it is crucial for all bank customers to remain vigilant and cautious when navigating online banking platforms. To safeguard against falling prey to these nefarious schemes, users should exercise due diligence by verifying the authenticity of banking websites, scrutinizing email communications for signs of phishing attempts, and refraining from sharing sensitive information unless absolutely certain of the legitimacy of the request.

By staying informed and proactive in our cybersecurity practices, we can collectively combat the insidious efforts of threat actors seeking to exploit unsuspecting individuals. Remember, when it comes to safeguarding your personal information in the digital realm, vigilance is key.

Technical Analysis of the Phishing Page

The phishing page seems to be an exact copy of the original login page, down to the customer support widget at the bottom.

But they only seem like an exact copy at first glance, the difference between the phishing page and the actual login page, purely by a matter of the goal the attackers are trying to achieve, will always be the form

Indicator of Compromise

https[:]//zenith[.]tf/?rid=dbh7Zip

188.114.96[.]2

info@zenith[.]tf

https[:]//zenithbankplc[.]zom.ng

188.114.97[.]0, 188.114.96[.]0, 2a06:98c1[:]3120::c

https[:]//zenith[.]com.pt/?keyname=ewCgchx

https[:]//secure[.]zenith.it[.]com/coporate-internetbanking/RVFFA5W

secure[.]zenith

it[.]com

104.21.43[.]207

zenith-support@server7-nigeria[.]xyz

server7-nigeria[.]xyz

https[:]//zenith[.]com[.]pt/?keyname=9JCqtKX

https[:]//z[.]plc[.]pm/?keyname=NzYuQkM

https[:]//zenith[.]tf/?keyname=bqRqrIw

https[:]//icorporate[.]zenithb[.]ankplc[.]com/NSZ1equ