Security researchers have come across a waterholing campaign that has compromised four South Korean websites by injecting fake login forms to steal user credentials.

Trend Micro described the campaign, which it named Soula, as a significant threat to enterprises and users, and possibly the first step by a cybercriminal group toward a larger, worldwide campaign. The research firm found four websites that had been injected with JavaScript; exactly how the injection was achieved was not stated, though unpatched vulnerabilities are a possibility. Once loaded, the script overlays a fake login form on top of the legitimate site.

Making matters worse, one of the compromised sites is one of South Korea’s most popular search engines.

The information entered into the fraudulent login screen is sent to a collection server. However, the form does not capture accurate, usable data, which leads Trend Micro to believe this is a research and development exercise laying the groundwork for a larger scam.

The first compromised site was seen on March 14. The malicious script first builds a profile of the visitor: it reads the HTTP referrer header and checks whether it contains keywords associated with popular search engines and social media sites, to establish that the visitor is a genuine user who arrived organically, and it then identifies the device and operating system. The script otherwise stays dormant and does not load the spoofed login form until the user has visited the compromised site six times, a count it tracks through a cookie it set on an earlier visit. The attackers also used Cloudflare in front of their domains to hide the real IP addresses of their servers.
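To make that gating behaviour concrete for analysts, the following is an added illustrative model of the two conditions described above, not the Soula script itself and not Trend Micro's code. It assumes a cookie named `visits`, a keyword list of hypothetical search-engine and social-network hostnames (the article does not list the actual keywords), and that the overlay fires on the sixth page load. The practical point it demonstrates is why a single sandboxed fetch of a compromised page, with no referrer and an empty cookie jar, never sees the fake form: an analyst replaying the page has to supply a matching referrer and a cookie with the counter already advanced.

```javascript
// Illustrative model (added example) of referrer + visit-count gating.
// Assumptions (not from the article): cookie name, keyword list, "fires on 6th load".
const REFERRER_KEYWORDS = ["google", "naver", "daum", "bing", "facebook", "twitter"];
const VISIT_COOKIE = "visits";
const VISITS_REQUIRED = 6;

// Condition 1: does the referrer hostname mention a search engine or social site?
function referrerLooksOrganic(referrer) {
  if (!referrer) return false;
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return false; // malformed or missing referrer: treat as a bot/analyst
  }
  return REFERRER_KEYWORDS.some((k) => host.includes(k));
}

// Minimal Cookie-header parser: "a=1; b=2" -> { a: "1", b: "2" }
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

function serializeCookies(jar) {
  return Object.entries(jar)
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join("; ");
}

// Simulate one page load. Returns the updated counter, the cookie to send
// next time, and whether the overlay would be shown on this load.
function simulateVisit({ referrer, cookie }) {
  const jar = parseCookies(cookie);
  const count = (parseInt(jar[VISIT_COOKIE], 10) || 0) + 1;
  jar[VISIT_COOKIE] = String(count);
  const showOverlay = referrerLooksOrganic(referrer) && count >= VISITS_REQUIRED;
  return { count, showOverlay, cookie: serializeCookies(jar) };
}

// Replay helper for an analyst: how many loads with this referrer, starting
// from an empty cookie jar, until the overlay appears (null = never).
function visitsUntilOverlay(referrer, maxVisits = 20) {
  let cookie = "";
  for (let i = 1; i <= maxVisits; i++) {
    const result = simulateVisit({ referrer, cookie });
    cookie = result.cookie;
    if (result.showOverlay) return i;
  }
  return null;
}

// Constructed sample inputs: a search-engine referrer reaches the overlay on
// the sixth load; a direct visit (no referrer) never does, however many loads.
console.log(visitsUntilOverlay("https://www.google.com/search?q=login"));
console.log(visitsUntilOverlay(""));
```

Running the block prints 6 and then null: the same page served to the same visitor behaves completely differently depending on two pieces of client-supplied state, which is exactly what makes this kind of injection easy to miss in a one-shot crawl. When replaying a suspected page, set the visit cookie to the threshold minus one and send a plausible search-engine referrer.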

Trend Micro believes the attackers are Chinese based on the language used in the code.

The attackers are also actively improving the malware: they have added obfuscation to the JavaScript and moved the scripts to a new server after Trend Micro notified Cloudflare of the situation. Even so, the attack can still be blunted if companies keep to their patch schedules and add protections such as two-factor authentication (2FA) wherever possible.