Key points:
- A phishing scam is targeting the French police force through a fake webpage that mimics the official 2024 Olympics ticketing page and offers tickets catered to law enforcement officers.
- The phishing site does not immediately seek credential information but gathers personal information from victims.
- Our investigations found that the phishing site is hosted on compromised IP addresses that belong to a French local government office and a French private company related to state security.
Cybercriminals are using the buzz around the upcoming 2024 Olympics to target victims in a recent series of scams exploiting major events to grab the public’s interest and attention. In this blog, we discuss our initial investigation of a phishing scam offering tickets to the games scheduled in France from July 26 to August 11.
Tickets offered to French law enforcement
The phishing webpage is notably very similar to the official Olympics website that sells tickets to the event. In French, the fake page reads, “Individual tickets are offered to law enforcement. Our Olympic athletes are ready to thrill you and make you proud. Fill in the form below to get your tickets.”
Once the victim fills out the form, the following message will then appear: “Session is invalid, or you are not eligible for the offered tickets. Please access the website from your email to claim your tickets.”
In our initial investigation, we could not find any emails related to the phishing page; it is possible that the campaign was sent in very low volumes via email, or possibly via other channels such as private messages on instant messaging platforms. This assumption makes sense in the context of the campaign targeting a narrow profile of victims — in this case, French police officers. We cannot yet conclude that the attack was exclusively sent to law enforcement or if the cybercriminals spread their lure to untargeted destinations in the hopes that it finds its way to law enforcers who will fall for the scam.
It is also worth noting that the threat actors behind the campaign did not immediately seek credit card information, unlike more common phishing tactics that request a small fee right off the bat in exchange for their offered goods. We suspect that the fraudsters might be attempting to get information they can use to later reach out to the people who filled out the form for a different purpose. We believe, however, that the campaign might still be financially motivated and that the cybercriminals will later ask for credit card information. It’s also possible that the threat actors plan to use the personal information to gather the email addresses of police officers for cyberespionage or other related purposes.
Hosted on compromised infrastructure
The fake webpage used for this phishing campaign was hosted on an IP address that belongs to a city hall in France via a third-party hosting provider. It is very common for cybercriminals to host phishing pages on compromised websites or infrastructure: legitimate IP ranges are less likely to be detected and blocked for hosting fraudulent content. Hosting on compromised infrastructure is also cost-effective, since the cybercriminals do not have to rent any hosting themselves, which in turn makes them harder to trace.
Further into our investigation, we found another compromised IP address used by the cybercriminals, this time belonging to a private French company related to the French state security.
We also found that a domain and subdomain that lead to this compromised IP address contain the “xn--” prefix, which marks a Punycode-encoded label, the encoding used to represent Unicode characters in internationalized domain names (IDN).
When decoded to Unicode, the phishing webpage domain reads “partenaỉres.com”, with “partenaires” being the French word for “partners.” However, the “i” is not the American Standard Code for Information Interchange (ASCII) letter; instead, it could be the Vietnamese letter “i” carrying the hỏi tone mark. This technique is often used by cybercriminals to socially engineer their phishing scams and other online fraud schemes. The goal is to create visually deceptive URLs that closely resemble legitimate domain names.
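The decoding and look-alike check described above, as an added example that is not part of the original post: it Punycode-decodes the “xn--” labels from the IOC list, strips the combining hook-above mark to show what a reader would perceive, and flags the label as a homoglyph risk. The sample domains are taken from the IOCs; the skeleton heuristic and function names are assumptions of this example.

```python
import unicodedata

# Constructed sample: the Punycode-encoded domains listed in the IOCs below,
# plus one plain ASCII domain to show a clean result.
SAMPLE_DOMAINS = [
    "paris2024.xn--partenares-4v3e.com",
    "xn--partenares-4v3e.com",
    "jop-2024.paris.partenairs.com",
]


def decode_label(label: str) -> str:
    """Decode one DNS label: strip the ACE prefix and Punycode-decode it (RFC 3492)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text: str) -> str:
    """Approximate what a reader sees: decompose (NFD) and drop combining marks,
    so 'ỉ' (i + combining hook above) collapses to a plain 'i'."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn")


def analyze_domain(domain: str) -> dict:
    """Decode every label of a hostname and report non-ASCII characters whose
    visual skeleton is plain ASCII, the pattern seen in partenaỉres.com."""
    labels = [decode_label(lab) for lab in domain.split(".")]
    unicode_name = ".".join(labels)
    non_ascii = [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in unicode_name
        if ord(ch) > 127
    ]
    look_alike = skeleton(unicode_name)
    return {
        "input": domain,
        "unicode": unicode_name,
        "skeleton": look_alike,
        "non_ascii": non_ascii,
        # Risk: the name contains non-ASCII characters but reads as an ASCII name.
        "homoglyph_risk": bool(non_ascii) and look_alike.isascii(),
    }


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyze_domain(d)
        print(f'{r["input"]} -> {r["unicode"]} | looks like: {r["skeleton"]} | risk: {r["homoglyph_risk"]}')
        for ch, cp, name in r["non_ascii"]:
            print("   ", ch, cp, name)
```

Running it shows the first two IOC domains decoding to partenaỉres with U+1EC9 flagged and a skeleton of partenaires, while the plain ASCII domain is reported without risk.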
Interestingly, both compromised IP addresses are hosted by the same French internet service provider. We suspect that one or more vulnerabilities in the provider's environment allowed the attackers to add their content to web servers hosted on its infrastructure.
We have reported this to the French Cybersecurity Agency (ANSSI) so that all involved organizations are notified to mitigate the threat and detect potential compromises. We would also like to thank StalkPhish for the initial discovery of the case.
Recommendations
We recommend that organizations regularly conduct security awareness training programs to educate employees about the common tactics used by attackers. Through these, employees can recognize and avoid falling victim to social engineering attacks that might precede vulnerability exploitation. The following are a few things employees should watch out for:
- Be cautious of unsolicited messages asking for personal information or urging you to select links or attachments.
- Stay alert when you encounter messages creating a sense of urgency: either they are trying to instill fear — such as threats of account suspension or legal action — or they are offering something that is usually too good to be true.
- Pay attention to messages with spelling or grammatical errors or those that use generic greetings.
- Always check the sender's email address, contact number, or social media profile to ensure it matches the claimed organization or individual.
- Before selecting any links, hover over them to see where they lead. If a link seems suspicious or unfamiliar, refrain from accessing it. Look closely at the characters used; some letters might not be what they appear.
- Refrain from sharing sensitive information unless you're certain of the recipient's identity and the reason they need it.
- If you think you have engaged with a phishing scam, report the incident to the organization or the individual the attacker impersonated.
To effectively protect systems and networks against vulnerability exploitation, organizations can implement a variety of cybersecurity best practices and proactive defense measures. Here are some recommendations:
- Patch management. Prioritize regular updates and patch management processes to ensure that all systems are running the latest software versions. Quickly apply security patches for known vulnerabilities, especially those with publicly available exploits.
- Network segmentation. Use network segmentation to reduce the attack surface. By separating critical network segments from the larger network, the impact of a potential vulnerability exploitation can be minimized.
- Regular security audits. Conduct security audits and vulnerability assessments regularly to identify and remediate potential weaknesses within the infrastructure before they can be exploited.
- Incident response plan. Develop, test, and maintain an incident response plan so your organization can respond quickly and effectively to any security breaches or vulnerability exploitations.
- Threat intelligence. Subscribe to threat intelligence feeds to stay informed about the latest threats and tactics used by threat actors and advanced persistent threat (APT) groups.
Indicators of compromise (IOCs)
- jop-2024.paris.partenairs.com
- Paris2024.partenairs.com
- xn--partenares-4v3e.com
- paris2024.xn--partenares-4v3e.com
- 95.140.13.124 (compromised)