A lot of Zimbabweans are naive and trusting when it comes to sharing their personal information online. Many of them, for example, use the same password for multiple services, and more often than not people don’t use two-factor authentication. That’s not usually an issue because most hackers in Zimbabwe tend to restrict themselves to card cloning, and foreign hackers tend to sneer at Zimbabwean dollars so don’t bother to attack Zimbabwean targets. Recently though, an unknown hacker or group of hackers went to great lengths in an attempt to steal people’s Steward Bank online banking credentials. It’s not clear whether they were successful. We have only just become aware of this campaign and have reached out to Steward Bank for comment on the issue.

A determined hacker spent some resources

As I have said, most tech-related theft in Zimbabwe involves crude card cloning techniques, and the thieves put little effort into the exercise beyond perhaps investing in a card cloning machine. These days banks like Steward and FBC have been issuing chipped cards to replace magstripe cards, and that has effectively reduced card cloning. This unknown party, however, was more determined. They invested in two things:

  • First, they acquired a large list of Zimbabwean email addresses and seem to have focused on accounts that appeared corporate. Most businesses in Zimbabwe tend to accrue large ZWL balances, unlike individuals, who often live hand to mouth and spend most of what they earn each month-end either on basic expenses or on converting it to foreign currency.
  • The unknown hacker actually spent some money to buy a domain name: stewardonlinecozw.com. This domain name was meant to fool unsuspecting members of the public into believing the hacker’s fake site was the real Steward Bank website. For the record, the real domain used by Steward Bank is stewardbank.co.zw, not the fake domain. The fake domain was registered by the said individual on 12 March this year. Unfortunately, they used Namecheap, which automatically hides the personal information of the person who registered it.
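A defender reading the two bullets above will want a way to catch domains like stewardonlinecozw.com before customers do. The following is an added example, not code from the article or from Steward Bank: it flags a candidate domain when the brand word appears in a registrable domain the bank does not own, when the real suffix (co.zw) is squashed into one label without its dots, when the real domain is reused as a subdomain of something else, or when the name is a near-miss spelling. The genuine domain and the fraudulent one are the two the article names; the other inputs, and the simplified suffix list, are constructed for the example.

```python
"""Spot domains that imitate a bank's real domain name.

Added example, not code from the article or from Steward Bank. The genuine domain
(stewardbank.co.zw) and the fraudulent one (stewardonlinecozw.com) are the ones the
article names; the remaining candidates below are constructed test inputs.
"""

LEGIT_DOMAIN = "stewardbank.co.zw"   # real Steward Bank domain, per the article
BRAND_WORD = "steward"                # the word customers actually recognise

# Simplified registrable-domain split (a stand-in for a full public-suffix list):
# suffixes such as co.zw / co.uk / com.au keep three labels, everything else two.
_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov", "edu"}


def registrable_domain(domain: str) -> str:
    """Return the part of `domain` someone has to register (e.g. stewardonlinecozw.com)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(candidate: str, legit: str = LEGIT_DOMAIN,
                      brand: str = BRAND_WORD) -> list:
    """List the ways `candidate` imitates `legit`; an empty list means none found.

    The genuine domain and its real subdomains always return an empty list.
    """
    cand = candidate.lower().strip(".")
    legit = legit.lower().strip(".")
    if cand == legit or cand.endswith("." + legit):
        return []

    reasons = []
    cand_reg = registrable_domain(cand)
    cand_name = cand_reg.split(".")[0]                 # e.g. "stewardonlinecozw"
    legit_labels = registrable_domain(legit).split(".")
    legit_name, legit_suffix = legit_labels[0], legit_labels[1:]   # "stewardbank", ["co", "zw"]

    # 1. The brand word inside a registrable domain the bank does not own.
    if brand in cand_name:
        reasons.append(f"brand word '{brand}' used in unrelated domain {cand_reg}")

    # 2. The real suffix written without its dots: co.zw -> "cozw", the trick in the article.
    flat_suffix = "".join(legit_suffix)
    if len(flat_suffix) >= 3 and flat_suffix in cand_name:
        reasons.append(f"real suffix '{'.'.join(legit_suffix)}' squashed into '{flat_suffix}'")

    # 3. The whole real domain reused as a subdomain of something else.
    if cand.startswith(legit + "."):
        reasons.append(f"real domain '{legit}' used as a subdomain of {cand_reg}")

    # 4. A near-miss spelling of the registered name (dropped, swapped or extra letter).
    if cand_name != legit_name and edit_distance(cand_name, legit_name) <= 2:
        reasons.append(f"'{cand_name}' is within two edits of '{legit_name}'")

    return reasons


if __name__ == "__main__":
    # Constructed inputs apart from the two domains the article names.
    for domain in ["stewardbank.co.zw", "online.stewardbank.co.zw",
                   "stewardonlinecozw.com", "stewardbnak.co.zw",
                   "stewardbank.co.zw.login-example.net", "example.com"]:
        print(f"{domain:40s} {lookalike_reasons(domain) or 'OK'}")
```

The suffix handling is deliberately simplified; in production you would consult a real public-suffix list, feed newly registered domains from a certificate-transparency or zone-file feed into `lookalike_reasons`, and let a person review the hits.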

Armed with these two resources, the individual then crafted a site that looked exactly like the Steward Bank online portal. Like most portals, Steward Bank’s is pretty simple and easy to replicate. In fact, anyone with basic knowledge of web development should be able to create something similar in under 2 hours. It’s often part of job interviews in the tech field to be asked to create a “pixel-perfect” replica of a popular site, and this would have been routine to someone with the skills. The person then went on and added an HTTPS certificate. All these things would have made it hard for those not paying attention to see that they had landed on the wrong page.


The next part of their plan was to generate a plausible looking email. Which they did. See the email below:

The email to bait unsuspecting victims

Like most modern organisations, Steward Bank uses encryption when sending their emails and has set up tools that should make it easier for a receiving email service to see an email like this as a fraud and flag it as spam. Unfortunately, to prevent false positives from causing their legitimate emails to fail, Steward Bank, like a lot of other organisations, also uses what we call a soft fail policy. This means that fraudulent emails tend to be flagged as likely spam instead of being rejected outright by email providers like Gmail.com. Thankfully, the person also made a mistake here. They had two choices:

  • Send their email using the domain they owned, i.e. stewardonlinecozw.com. This would have allowed the email to land in most people’s inboxes, as they would have had full control of tools such as DKIM, SPF and DMARC (this mumbo jumbo simply means they could probably have fooled more victims). The downside, however, would have been that a lot of people would be able to spot that the email was not from the usual Steward Bank address.
  • Send the email using the address that Steward Bank uses. They ultimately settled for this option, using [email protected] as the sender address, but as we have said this is a Steward Bank domain over which Steward Bank has control, so they could not encrypt their email or prove they were the rightful owners of the domain. The result is that their email landed in spam folders, probably limiting the damage the person could do.
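The two bullets above turn on how a receiving mail server treats a message whose From: address forges a domain the sender does not control, and on why a soft fail policy sends that message to the spam folder rather than bouncing it. The following is an added example, not the article’s code and not Steward Bank’s actual DNS records: it parses constructed SPF and DMARC TXT records for a placeholder domain (bank.example), works out the likely disposition of such a forged message under each combination of policies, and lists the gaps a bank’s mail administrator would want to close. The policy-to-outcome mapping is the usual receiver behaviour, not a guarantee for any particular provider.

```python
"""Work out what a forged message is likely to get from a receiving mail system,
given the impersonated domain's SPF and DMARC records.

Added example, not the article's code and not Steward Bank's real DNS records: the
records below are constructed for the placeholder domain bank.example, and the
policy-to-outcome mapping reflects common receiver behaviour, not any one provider.
"""
import re
from typing import Dict, List, Optional

# Constructed TXT records for an imaginary bank domain (bank.example).
SPF_SOFTFAIL = "v=spf1 include:_spf.mailer.example ip4:192.0.2.0/24 ~all"
SPF_HARDFAIL = "v=spf1 include:_spf.mailer.example ip4:192.0.2.0/24 -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@bank.example"
DMARC_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100"


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the `all` mechanism: '-' (fail), '~' (softfail),
    '?' (neutral) or '+' (pass). None if the record is not SPF or has no `all`."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare "all" means "+all"
    return None


def dmarc_tags(record: str) -> Dict[str, str]:
    """Parse a DMARC record into its tag=value pairs (keys lower-cased)."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def expected_disposition(spf_record: str, dmarc_record: Optional[str]) -> str:
    """Likely fate of a message that forges the domain in its From: header, is sent
    from a server the domain's SPF does not list, and carries no DKIM signature.

    Returns one of: 'reject', 'quarantine', 'reject-or-spam', 'spam-folder', 'inbox'.
    """
    policy = dmarc_tags(dmarc_record or "").get("p", "").lower()
    if policy == "reject":
        return "reject"            # receiver refuses or discards the message
    if policy == "quarantine":
        return "quarantine"        # receiver files it as spam on DMARC's say-so
    # DMARC absent or p=none: failures are only reported, so SPF alone decides.
    qualifier = spf_all_qualifier(spf_record)
    if qualifier == "-":
        return "reject-or-spam"    # hard fail: receiver may bounce it or junk it
    if qualifier == "~":
        return "spam-folder"       # soft fail: accepted, but marked as probable spam
    return "inbox"                 # ?all, +all or no SPF at all: nothing stops it


def policy_gaps(spf_record: str, dmarc_record: Optional[str]) -> List[str]:
    """Checks a mail administrator would run against their own domain's records."""
    gaps = []
    qualifier = spf_all_qualifier(spf_record)
    if qualifier != "-":
        gaps.append(f"SPF ends in '{qualifier or 'no '}all': forged mail is not hard-failed")
    policy = dmarc_tags(dmarc_record or "").get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        gaps.append(f"DMARC policy is p={policy or 'missing'}: failures are reported, not enforced")
    return gaps


if __name__ == "__main__":
    for spf, dmarc in [(SPF_SOFTFAIL, DMARC_MONITOR), (SPF_HARDFAIL, DMARC_MONITOR),
                       (SPF_SOFTFAIL, DMARC_REJECT), ("v=spf1 ?all", None)]:
        print(f"{spf!r} + {dmarc!r}")
        print(f"  forged From: -> {expected_disposition(spf, dmarc)}")
        for gap in policy_gaps(spf, dmarc):
            print(f"  gap: {gap}")
```

The soft-fail plus p=none combination is the one the article describes: the forged message is not bounced, it is merely filed as probable spam, and whether a customer sees it depends on whether they go looking in that folder. Moving to `-all` and a DMARC policy of `p=quarantine` or `p=reject` (after checking the reports that `p=none` produces, so legitimate senders are not cut off) is the change that turns the same forged message into a bounce.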

However, it is important to note that most scammers are aware of this fact. They play a game of numbers. They send out thousands and even millions of emails in the hope that a tiny fraction of those recipients would fall for the trap. They also employ techniques that are meant to induce a sense of panic and urgency in recipients. All this will result in the victim failing to notice that they are not on the actual Steward Bank website.

The scheme has been taken down

The scheme’s life-cycle

The domain was bought on 12 March and eventually deleted by Namecheap, presumably at the behest of Namecheap, on 2 April 2022. It’s not clear when exactly the fake portal was established, but from the timeline the hacker had at least two weeks to fool his/her victims. The idea was simple: once the victim received the fake Steward Bank email they would click the bait button in a haze and attempt to log into “their account to rectify the issue.” The hacker would then log the credentials and redirect the victim to the actual Steward Bank website. It would then appear as if the person had made a password error, and if they logged in again they would be granted access, as they were now on the right website. Meanwhile, the attacker now had the person’s username and password. Remember, we already said that most people reuse and rarely change their passwords.

How successful would such a campaign be? How much damage would it do? Well, it depends on the bank and the victim. Given how Steward Bank is set up, it would have required more effort to actually gain access to clients’ accounts. Using the credentials on, say, Steward’s banking app would have required confirmation via an OTP message, so more than just the password would have been needed. I have to confess, though, that I am not sure whether such confirmation is necessary when one logs in via a browser. But that doesn’t matter, because an OTP would still have been required to send money from the account. It is therefore very hard to see such a campaign, fairly sophisticated as it was, succeeding in doing much damage, if any damage was done at all.

Combined with other techniques, such as obtaining the OTP, this could have seen some people losing their money. Such acts would have required much more effort than this, and there is no evidence that this happened. But given that we are seeing such dedication and skill brought to bear, it’s only a matter of time before we start seeing similarly sophisticated, and perhaps successful, campaigns. Here the hacker was easy to thwart thanks to their scattergun approach. Had they chosen their victims more carefully they could have been more successful. The attack should jolt everyone to be careful when dealing with online banking credentials.