Security researchers have discovered a new phishing campaign targeting United Nations staff. The attackers are harvesting employee credentials for resale on criminal forums and marketplaces.
How does it work?
Researchers at Anomali Labs found that a phishing site masquerading as the login page for the United Nations' Unite Identity was used to trick victims. Unite Identity is a single sign-on (SSO) application used by UN staff.
When visitors attempt to log in to the fraudulent page, their browser is redirected to a bogus invitation to a film viewing at the Polish Embassy in Pyongyang.
The fake login page, which closely resembles the legitimate one, was found at 'cloud[.]unite[.]un[.]org[.]docs-verify[.]com'. The hostname embeds the legitimate 'unite.un.org' as a run of subdomain labels, but the domain actually registered and controlled by the attackers is 'docs-verify[.]com'.
“When navigating to the suspicious subdomain, users are displayed with a phishing site mimicking a United Nations’ Unite Identity login page. The phishing site requests users enter their email address ending in @un[.]org and Unite Identity password. The phishing page, a cloned version of the legitimate site, warns users of fake UN websites designed to steal usernames and passwords as well as provides a copy of the website address for the legitimate Unite Identity login page,” the researchers explained.
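To make the subdomain trick concrete, the following is an added example (not code from the article or from Anomali Labs) of a check that flags such lookalikes by comparing a hostname's registrable domain against a trusted list, rather than searching for 'un.org' as a substring. The trusted-domain set, the tiny stand-in for the Public Suffix List, and the control URLs are assumptions constructed for illustration.

```python
"""Lookalike-hostname check for the subdomain-spoofing pattern described above.

Added example, not code from the article or Anomali Labs. The defanged hostname
reported in the article is re-armed here only as test input.
"""
from urllib.parse import urlsplit

# Assumption: the organisation's legitimate registrable domains.
LEGITIMATE_DOMAINS = {"un.org"}

# Assumption: a tiny stand-in for the Public Suffix List so the example runs
# offline. Production code should use the real list (e.g. the publicsuffix2
# package) instead of this hard-coded set.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.my"}


def refang(defanged: str) -> str:
    """Turn a defanged indicator like 'un[.]org' back into 'un.org'."""
    return defanged.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    'cloud.unite.un.org.docs-verify.com' -> 'docs-verify.com'
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    suffix_labels = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


def naive_check(url: str) -> bool:
    """The substring check that the lookalike defeats: it reports the
    phishing URL as trusted because 'un.org' occurs inside the hostname."""
    host = (urlsplit(url).hostname or "").lower()
    return any(d in host for d in LEGITIMATE_DOMAINS)


def classify_url(url: str) -> str:
    """Classify a URL as 'legitimate', 'lookalike' or 'unrelated'.

    A hostname is a lookalike when a trusted domain appears as a run of
    labels inside it while the registrable domain is something else.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unrelated"
    owner = registrable_domain(host)
    if owner in LEGITIMATE_DOMAINS:
        return "legitimate"
    dotted = f".{host}."
    if any(f".{d}." in dotted for d in LEGITIMATE_DOMAINS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs: the defanged hostname reported above, plus controls.
    samples = [
        "https://" + refang("cloud[.]unite[.]un[.]org[.]docs-verify[.]com") + "/",
        "https://unite.un.org/",
        "https://un.org.example.co.uk/login",
        "https://example.com/",
    ]
    for url in samples:
        print(f"{classify_url(url):10s} naive={naive_check(url)!s:5s} {url}")
```

The phishing hostname passes `naive_check` because the trusted string sits inside it, which is exactly what the attackers rely on when users glance at the address bar. `classify_url` instead resolves the registrable domain first, so 'docs-verify.com' is what gets compared, and the embedded 'un.org' labels become evidence of impersonation rather than of trust. The same comparison is what a mail gateway or proxy rule should apply when deciding whether a link is an SSO page.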
Domain and IP Address analysis
A 'Whois' lookup, which returns domain registrant information, showed that docs-verify[.]com was registered through the Malaysian registrar and hosting provider Shinjiru Technology Sdn Bhd on August 1, 2018. The parent domain and the IP addresses associated with the campaign resolved to the Malaysia-based IP address 111.90.142[.]52, belonging to Shinjiru Technology Sdn Bhd, which hosts 33 domains in total.
The researchers noted that, “A review of these 32 additional domains uncovered multiple suspect sites which include phishing sites targeting Visa Vanilla Gift Cards, Caixa Bank of London, and First Texas Bank.”