A sophisticated spear phishing campaign has been identified by security researchers at Lookout Inc. that is targeting the United Nations and nongovernment organizations (NGOs).
The spear phishing campaign has targeted United Nations officials, the Red Cross, Red Crescent societies the Heritage Foundation and other NGOs. It is not known who is behind the campaign, but the malicious sites are hosted in Malaysia on IPs that have previously been used to host malware, although that does not mean the attackers are based in or have ties to Malaysia.
The campaign has been active since March 2019 and attempts to obtain credentials to Office 365, Outlook, and Okta. As with other phishing campaigns, credentials are harvested on fake websites that contain code that captures login credentials from forms when the information is entered by users. Individuals are directed to those websites via hyperlinks in phishing emails.
The campaign is highly targeted and uses a variety of lures to direct users to the phishing forms. The emails are well written, provide a plausible reason for clicking on the link, and the websites to which users are directed are well crafted and include appropriate logos, color schemes, and images to make them appear genuine.
When the link is clicked, JavaScript code detects whether the user is on a mobile device and will serve the mobile version of the phishing page. Since the URL of the website is truncated when accessing the site on a smartphone, it is harder for users to tell whether they are on a phishing website.
Many phishing schemes require the user to complete the login process for their login credentials to be captured, but in this case the website includes a keylogger. That means that even if credentials are entered but the login process is not completed, the attacker will still be able to capture credentials. The phishing websites also have bulletproof hosting to ensure they remain active.
Employees are often warned never to enter sensitive information on websites that lack the green padlock and start with HTTP. These phishing pages have valid SSL certificates and start with HTTPS, as is now the norm for phishing sites.
If a website starts with HTTPS it means the connection between the browser and the site is secured and the connection encrypted, but it does not mean that the site itself is genuine, as is the case here.