The attachment is a fully functional HTML clone of the NFCU homepage. The HTML clone is complete with SEO modifications, embedded fonts, cascading style sheets and links to PDF’s to the real NFCU website. It looks realistic with the only exception is that there is some encoding on the footer that is messed up full of Unicode block specials (�) and the logo does not include the Space Force.

Everything is an exact clone, except the clone sends the input (username and password) via telegram (Telegram is a freeware, cross-platform, cloud-based instant messaging service. The service also provides end-to-end encrypted video calling, VoIP, file sharing and several other features. Telegram can be setup to be anonymous).

Looking at the code added to the cloned NFCU page, it was cloned on March 25th, 2021 at 16:38:13 East Africa Time. The telegram chat_id is ‘954215962’. It looks like it not only sends the username and password, but the email address the phishing email was sent to and the IP address of the computer that accessed the clone NFCU homepage from the email.

The sending IP is from Amsterdam, Netherlands (but it is an AWCloud server IP address. AWCloud is based in China).