Phishing Site Targeting Domestic E-mail Service Users (Part 2)
The ASEC analysis team has been sharing information about various phishing e-mails on the ASEC blog. This time, the team introduces another newly discovered phishing site that targets domestic e-mail service users to distribute malware.
The recently confirmed phishing site targets users of Naver Mail (mail.naver), Daum Mail (mail2.daum), and hiworks, collecting information such as their IDs, passwords, and IP addresses. It then sends the collected information to the attacker's e-mail address.

Figure 1. Previous blog site (Left) and recent blog site (Right)
The root of the domain hxxp://za***if***i**pl*ce[.]com/ takes the form of an open directory, like the phishing site previously introduced on the blog, and uses the same beautysalon template.

Figure 2. Previous phishing site (Left) and latest site (Right)
Their subdirectory structures are also identical, and the e-mail addresses that receive the phished information appear in some of the directory name strings.
There are no significant changes in the script code. As seen below, the user information is sent to a specific e-mail address.

Figure 3. Part of script that sends Daum e-mail account (royal.php)
Besides the site explained above, there are sites on other domains with a structure similar to the samples above. It appears that the attacker is setting up dedicated domains that host various phishing scripts and using them to attack users.
As the e-mail services mentioned above are used by many companies and the phishing pages are distributed through e-mail, users should take extra caution and not open attachments in suspicious e-mails. V3 should also be updated to the latest version to prevent malware infection in advance.
[File Detection]
- Phishing/PHP.Generic