Sri Lanka and Bangladesh have a successful history of co-hosting the Cricket World Cup, but today the two countries’ governments have found themselves on a sticky wicket by co-hosting a phishing attack that targets UK banking customers.
Victims lured to a certain page on the Lanka Government Network website at lgn2.gov.lk will be swiftly redirected to a phishing site hosted by the Rajshahi Metropolitan Police in Bangladesh (rmp.gov.bd).
The phishing site hosted on a Bangladesh Police website.
It is unlikely that either government is consciously hosting a phishing attack in unison like this, especially on a website belonging to a police force – although this should certainly make the crime easier to investigate.
Many phishing sites and other web-based types of cybercrime are hosted on compromised servers, and that looks likely to be the case in this instance. Last month, the homepage of lgn2.gov.lk was defaced by a group identifying itself as Cyb3r Drag0nz, indicating that they had gained unauthorised access to the web server.
Things seem to have spiralled out of control ever since. The Lanka Government Network website is now heavily compromised and currently hosts multiple web shells in addition to being involved in this phishing attack.
The PHP web shells hosted on lgn2.gov.lk include variants of the mini shell, including 1337 3YP455 and CasperSecurity. These allow files to be uploaded to the web server, which may have been how the phishing content – and other web shells – have been placed on the site.
Other web shells found on the Lanka Government Network site include variants of the WSO web shell (such as YANZ bypass and V3n0m), which let attackers run arbitrary commands on the web server, manage files, and carry out attacks against other servers.
The LGN website promotes a secure government network for Sri Lanka… while hosting several web shells and directing victims to a phishing site.
Some of the WSO web shells found on the LGN website are password-protected to ensure that they can only be used by the original uploader – or by anyone they have sold access to. Indeed, one of the web shells is associated with a known initial access broker, who uses online marketplaces to sell remote access to compromised servers.
One of the web shells hosted on the Lanka Government Network website.
Netcraft has already blocked access to all URLs involved in the phishing attack. Similar attacks can be reported to Netcraft by forwarding email to email@example.com or by submitting the form at report.netcraft.com.