The United Nations and other non-government organizations have been undergoing spear phishing attacks since at least March of this year with the goal of obtaining staffers’ login credentials.
The attackers are using compromised Office 365 credentials garnered through phishing attacks to enter the NGOs’ systems, enabling them to install phishing websites that mimic each organization’s sign-on page. The campaign was uncovered by the security firm Lookout, which noted that the as-yet-unknown attackers were utilizing a couple of unusual techniques.
First, the sites have a unique keylogging capability that takes the login information directly from the input field as it is being typed and sends it to a command and control server. This means that even if the person does not complete the login process, the username and password are stolen, Lookout said.
Next, the malware can also detect when a mobile device is accessing the phishing site and then deliver mobile-centric content. An additional benefit of using a mobile URL is that such URLs are normally shortened, which helps hide the fact that they are not genuine, Lookout said.
A further step taken to make the sites appear legitimate is the use of SSL certificates with the phishing websites.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said companies need to check for fake certificates.
“In order to protect businesses and users, security teams must identify all the legitimate TLS certificates on their own networks. They also need to identify fraudulent certificates issued by attackers that are being used to impersonate their organization,” he said.
Although Lookout does not know who is responsible for the campaign, it has pinned down where the malware is hosted.
“Two domains have been hosting phishing content, session-services[.]com and service-ssl-check[.]com, which resolved to two IPs over the course of this campaign: 220.127.116.11 and 18.104.22.168. The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past,” Lookout wrote.
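As an added defender-side illustration (not code from the Lookout report), the following Python scans a constructed sample of proxy log lines for the two domains and two IPs quoted above, refanging the bracketed indicators, matching subdomains as well as the bare domains, and noting mobile user agents, since the campaign serves mobile-specific content. The log format, client addresses and all non-indicator destination IPs are constructed (documentation ranges), not real observations.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the Lookout report, kept in their defanged form.
CAMPAIGN_DOMAINS = ["session-services[.]com", "service-ssl-check[.]com"]
CAMPAIGN_IPS = ["220.127.116.11", "18.104.22.168"]

# Constructed proxy log sample: "<timestamp> <client> <dest_host> <dest_ip> <user_agent>".
SAMPLE_LOG = """\
2019-10-10T09:12:01Z 10.0.4.21 mail.example.org 198.51.100.5 Mozilla/5.0 (Windows NT 10.0)
2019-10-10T09:13:44Z 10.0.4.21 session-services.com 220.127.116.11 Mozilla/5.0 (Windows NT 10.0)
2019-10-10T09:15:02Z 10.0.7.8 m.service-ssl-check.com 18.104.22.168 Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X)
2019-10-10T09:16:30Z 10.0.7.9 www.un.org 203.0.113.7 Mozilla/5.0 (X11; Linux x86_64)
"""

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def matches_domain(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain of it (e.g. a mobile 'm.' host)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

MOBILE_UA = re.compile(r"iPhone|Android|Mobile", re.IGNORECASE)

@dataclass
class Hit:
    timestamp: str
    client: str
    host: str
    dest_ip: str
    reason: str
    mobile: bool

def scan_log(text: str, domains=CAMPAIGN_DOMAINS, ips=CAMPAIGN_IPS) -> list[Hit]:
    """Return one Hit per log line whose destination touches a campaign domain or IP."""
    domains = [refang(d) for d in domains]
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash the scan
        ts, client, host, dest_ip, ua = parts
        reasons = [f"domain:{d}" for d in domains if matches_domain(host, d)]
        if dest_ip in ips:
            reasons.append(f"ip:{dest_ip}")
        if reasons:
            hits.append(Hit(ts, client, host, dest_ip, ";".join(reasons), bool(MOBILE_UA.search(ua))))
    return hits
```

Matching on both hostname and resolved IP means a hit survives either the domain moving to a new address or the IP being reused under another name.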
The organizations that have been targeted include the UN, the UN World Food Programme, UN Development Programme, Heritage Foundation and the International Federation of the Red Cross and Red Crescent Societies.