The United Nations and other non-governmental organizations (NGOs) have been the target of spear phishing attacks since at least March of this year, with the goal of obtaining staffers' login credentials.
The attackers are using compromised Office 365 credentials garnered through phishing to enter the NGOs' systems, which lets them install phishing websites that mimic each organization's sign-on page. The campaign was uncovered by the security firm Lookout, which noted that the as-yet-unknown attackers were using a couple of unusual techniques.
First, the sites have a keylogging capability that takes the login information directly from the input field as it is being typed and sends it to a command and control server. This means the username and password are stolen even if the person never completes the login process, Lookout said.
Next, the malware can also detect when a mobile device is accessing the phishing site and then deliver mobile-centric content. Mobile URLs are normally shortened, which gives the attackers the additional benefit of hiding the fact that the links are not genuine, Lookout said.
Another step taken to make the sites appear legitimate is the use of SSL certificates with the phishing websites.
Venafi's vice president of security strategy and threat intelligence said companies need to check for fake certificates.
"In order to protect businesses and users, security teams must identify all the legitimate TLS certificates on their own networks. They also need to identify fraudulent certificates issued by attackers that are being used to impersonate their organization," he said.
While Lookout does not know who is responsible for the campaign, it has pinned down where the malware is hosted.
Two domains, Lookout wrote, "have been hosting phishing content, session-services[.]com and service-ssl-check[.]com, which resolved to two IPs over the course of this campaign: 126.96.36.199 and 188.8.131.52. The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past."
Organizations that have been targeted include the UN, the UN World Food Programme, the UN Development Programme, the Heritage Foundation and the International Federation of the Red Cross and Red Crescent Societies.