Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

United Nations Organizations Targeted in Ongoing Phishing Campaign

A currently ongoing mobile-aware phishing campaign is targeting various non-governmental entities worldwide, including United Nations humanitarian organizations such as UNICEF, Lookout reports.

A currently ongoing mobile-aware phishing campaign is targeting various non-governmental entities worldwide, including United Nations humanitarian organizations such as UNICEF, Lookout reports.

The attacks rely on infrastructure that has been live since March 2019 and which includes two domains hosting phishing content, namely session-services[.]com and service-ssl-check[.]com.

The domains resolve to IP addresses 111.90.142.105 and 111.90.142.91 and Lookout has discovered that the associated IP network block and ASN (Autonomous System Number) has a low reputation and was previously observed hosting malware.

What makes the campaign stand out, however, is its ability to detect mobile devices and to log keystrokes as soon as they are entered on the phishing page.

JavaScript code on the fraudulent pages can determine if a mobile device is being used and then delivers mobile-specific content to the user. The attack also relies on the fact that mobile web browsers truncate the URL, which makes it more difficult for the victims to discover the deception.

The password field on the phishing login pages contains key-logging functionality, meaning that the entered characters are still sent to the attackers even if the target doesn’t complete the login operation (by pressing the login button).

Lookout’s security researchers also discovered that some of the SSL certificates used in the campaign are expired, as they had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019.

Such certificates are immediately detected by browsers, which alert users on the matter using very clear warnings that should make it “near impossible to entice a user to enter their login credentials,” Lookout says.

However, given that six certificates used in the campaign continue to be valid, Lookout believes the attacks may be ongoing.

The still-valid certificates should expire between November 15 and November 23. The websites they are used on target the United Nations, the UN Development Programme, the UN World Food Programme, UNICEF, the Heritage Foundation, and the International Federation of the Red Cross and Red Crescent Societies.

“[Security teams] need to identify fraudulent certificates issued by attackers that are being used to impersonate their organization,” Kevin Bocek, VP of security strategy and threat intelligence at Venafi, told SecurityWeek in an emailed comment.

“These latest attacks targeting United Nations and global charity websites use TLS certificates to make malicious domains appear legitimate, they take advantage of the implicit trust users have in the green padlock created by TLS certificates,” Bocek says. “This may appear sophisticated, but these kinds of phishing attacks are very common.”

Related: ‘Heatstroke’ Phishing Campaign Takes Multi-Stage Approach

Related: Mobile Phishing Attacks Up 85 Percent Annually

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.