Cyber Incident Victim: Nigerian National Assembly
Date: Mar 2019
Location: Nigeria
Summary
A phishing kit impersonating DHL was discovered hosted on the Nigerian National Assembly's official website, leveraging the government domain's legitimacy to steal user credentials. The fraudulent page, active for over two weeks, formed part of a broader campaign involving both compromised legitimate sites and purpose-registered domains. The kit employed deceptive elements like fake security seals and official imagery to trick victims into submitting login details, which were then captured and sold for financial gain. Multiple iterations of similar phishing pages had previously appeared on the same government domain, indicating recurring abuse of the platform for credential harvesting operations.
Description
On or around March 15, 2019, a phishing kit impersonating the DHL courier service was discovered operating on the official website of the Nigerian National Assembly (NASS) at nass.gov.ng. Security researcher MalwareHunterTeam identified the malicious resource "u.php" hosted within the "/fonts/wp/D2017HL/" directory of the government site, noting it had been active for at least two weeks prior to public reporting. The phishing page was part of a broader campaign involving multiple domains, including both compromised legitimate websites, such as onlinequranglobal.com and pioneer-sys.net, and purpose-registered phishing domains. Historical VirusTotal scans indicated prior phishing pages had been hosted on the NASS domain before this incident. The kit itself was a recycled tool dating back to at least June 2017, commonly used by multiple threat actors. Visitors to the fraudulent page encountered a credential harvesting form disguised as a DHL login portal, complete with stolen branding elements like the Norton Secured seal, a world clock display, and an IP checker to enhance perceived legitimacy.

The attackers collected DHL account credentials through the fraudulent form, which automatically forwarded submissions to cybercriminals while displaying a persistent password error message to victims. Harvested credentials were commoditized on underground forums, with accounts selling for approximately $10 each. Despite clear indicators of fraud—such as the mismatched Nigerian government domain, non-functional page links, and an outdated copyright footer in the phishing template—the operation posed significant risk due to the official hosting domain’s implied trustworthiness. Major browsers including Chrome and Firefox flagged most associated domains as deceptive sites, though not all were universally blocked at the time of discovery. The incident highlighted systemic vulnerabilities in the NASS web infrastructure, which had a documented history of hosting malicious content. An article update clarified that while some domains in the campaign were explicitly registered for phishing, others like beesnaturals.com were legitimate sites compromised to host the attacker’s toolkit.
