A currently ongoing mobile-aware phishing campaign is targeting various non-governmental entities worldwide, including United Nations humanitarian organizations such as UNICEF, Lookout reports.
The attacks rely on infrastructure that has been live since March 2019 and which includes two domains hosting phishing content, namely session-services[.]com and service-ssl-check[.]com.
The domains resolve to IP addresses 111.90.142.105 and 111.90.142.91 and Lookout has discovered that the associated IP network block and ASN (Autonomous System Number) has a low reputation and was previously observed hosting malware.
What makes the campaign stand out, however, is its ability to detect mobile devices and to log keystrokes as soon as they are entered on the phishing page.
JavaScript code on the fraudulent pages can determine if a mobile device is being used and then delivers mobile-specific content to the user. The attack also relies on the fact that mobile web browsers truncate the URL, which makes it more difficult for the victims to discover the deception.
The password field on the phishing login pages contains key-logging functionality, meaning that the entered characters are still sent to the attackers even if the target doesn’t complete the login operation (by pressing the login button).
Lookout’s security researchers also discovered that some of the SSL certificates used in the campaign are expired, as they had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019.
Such certificates are immediately detected by browsers, which alert users on the matter using very clear warnings that should make it “near impossible to entice a user to enter their login credentials,” Lookout says.
However, given that six certificates used in the campaign continue to be valid, Lookout believes the attacks may be ongoing.
The still-valid certificates should expire between November 15 and November 23. The websites they are used on target the United Nations, the UN Development Programme, the UN World Food Programme, UNICEF, the Heritage Foundation, and the International Federation of the Red Cross and Red Crescent Societies.
“[Security teams] need to identify fraudulent certificates issued by attackers that are being used to impersonate their organization,” Kevin Bocek, VP of security strategy and threat intelligence at Venafi, told SecurityWeek in an emailed comment.
“These latest attacks targeting United Nations and global charity websites use TLS certificates to make malicious domains appear legitimate, they take advantage of the implicit trust users have in the green padlock created by TLS certificates,” Bocek says. “This may appear sophisticated, but these kinds of phishing attacks are very common.”
Related: ‘Heatstroke’ Phishing Campaign Takes Multi-Stage Approach