A phishing campaign nicknamed ‘Bad Tidings’ has been troubling the government of Saudi Arabia for the past two years. The campaign set up fake websites that imitate Saudi government web portals and the portal of a financial institution.
The campaign is reportedly still active. According to security firm Anomali, around 95 unique phishing hostnames have been identified in the campaign to date.
The big picture
About the threat actors
Anomali’s detailed analysis of Bad Tidings turned up very little about the threat actors. “Upon initial review of Whois record information for the 46 unique domains used in the Bad Tidings Campaign, the threat actor or group provided minimal registrant information. Nonetheless, there were multiple references to Yemen, two Yemeni districts: Al Hada and Sanaa, and two distinct registrant organizations, mdr and WVW,” researchers stated in the blog.
The firm’s investigation also revealed three IP addresses used by the campaign, as well as unique SSL/TLS certificates purchased from Comodo.
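The kind of pivoting described above (linking domains through shared registrant organizations, IP addresses and TLS certificates) is easy to automate once the Whois and certificate data has been collected. The script below is an added example, not Anomali’s code or any data from the report: every record is constructed, using RFC 2606 reserved domain names, TEST-NET-1 addresses (192.0.2.0/24) and made-up certificate fingerprints, and the registrant organization names are only reused from the quote to show the shape of the data.

```python
"""Infrastructure pivoting over Whois and certificate records.

Added example (not the Anomali report's code). All records below are
constructed: RFC 2606 domains, TEST-NET-1 IPs, invented fingerprints.
"""
from collections import defaultdict

# Constructed sample: one record per phishing hostname. Empty strings
# stand in for the "minimal registrant information" the report mentions.
RECORDS = [
    {"domain": "a.example", "registrant_org": "mdr", "registrant_city": "Al Hada",
     "ip": "192.0.2.10", "cert_sha256": "c1"},
    {"domain": "b.example", "registrant_org": "mdr", "registrant_city": "Sanaa",
     "ip": "192.0.2.11", "cert_sha256": "c2"},
    {"domain": "c.example", "registrant_org": "WVW", "registrant_city": "Sanaa",
     "ip": "192.0.2.11", "cert_sha256": "c3"},
    {"domain": "d.example", "registrant_org": "", "registrant_city": "",
     "ip": "192.0.2.12", "cert_sha256": "c3"},
    {"domain": "e.example", "registrant_org": "", "registrant_city": "",
     "ip": "192.0.2.20", "cert_sha256": "c5"},
    {"domain": "f.example", "registrant_org": "privacy", "registrant_city": "",
     "ip": "192.0.2.20", "cert_sha256": "c6"},
]


def pivot(records, key):
    """Group domains that share a value of `key` (org, ip, cert ...).

    Blank values are ignored so that missing registrant data never links
    unrelated domains, and singletons are dropped since they pivot nowhere.
    """
    groups = defaultdict(set)
    for r in records:
        value = r.get(key)
        if value:
            groups[value].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def cluster(records, keys=("registrant_org", "ip", "cert_sha256")):
    """Union-find over every pivot: domains that share any indicator in
    `keys` (directly or transitively) land in the same cluster.

    Registrant city is deliberately not a default key: a whole city is too
    coarse an indicator to tie domains to one operator on its own.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for key in keys:
        for members in pivot(records, key).values():
            for other in members[1:]:
                union(members[0], other)

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for key in ("registrant_org", "ip", "cert_sha256"):
        print(key, pivot(RECORDS, key))
    for c in cluster(RECORDS):
        print("cluster:", ", ".join(c))
```

Run against the constructed records, the organization pivot links a and b, the shared IP links b and c, and the reused certificate links c and d, so the first four domains collapse into one cluster even though d.example carries no registrant data at all; e and f form a second cluster on their shared address only. With real data, each pivot should be weighed by how specific it is: a reused leaf certificate or a small dedicated IP range is strong evidence, while a shared hosting IP or a privacy-proxy registrant organization would need to be filtered out before it is used as a key.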