Phishing Site Targeting Domestic E-mail Service Users (Part 2)

The ASEC analysis team has been sharing information about various phishing e-mails on the ASEC blog. This post covers another phishing site the team discovered, which targets domestic e-mail service users to distribute malware.

The recently confirmed phishing site targets users of Naver Mail (mail.naver), Daum Mail (mail2.daum), and hiworks, collecting their IDs, passwords, and IP addresses and sending them to the attacker’s e-mail address.

Figure 1. Previous blog site (Left) and recent blog site (Right)

The top-level domain hxxp://za***if***i**pl*ce[.]com/ is set up as an open directory, like the phishing site previously introduced on the blog, and uses the same beautysalon template.

Figure 2. Previous phishing site (Left) and latest site (Right)

Their subdirectory structures are also identical: both contain the e-mail addresses to which the phished information is sent, and they share some of the strings in the directory names.

There are no significant changes in the script code. As seen below, the user information is sent to a specific e-mail address.

Figure 3. Part of the script that sends Daum e-mail account information (royal.php)

Besides the site explained above, there are websites on other domains with a structure similar to the samples above. It appears that the attacker is setting up dedicated domains that host various phishing scripts and is using them to attack users.

As the e-mail services mentioned above are used in many companies and the phishing scripts are distributed through e-mails, users should take extra care not to open attachments in suspicious e-mails. V3 should also be updated to the latest version to prevent malware infection in advance.

[File Detection]

  • Phishing/PHP.Generic

[IOC]

  • E-mail sender address

larrykolman123@gmail[.]com
kesslerbrian80@gmail[.]com
jasonbiden7@gmail[.]com
jacksonwill4500@gmail[.]com
alfredrichy85@gmail[.]com
aalexdylaan@gmail[.]com
ahmedwaris101@gmail[.]com

  • File MD5

de9030f4f1e0796e5005546ffc70ebda
3ffc647553d2b619edbc4f8d91e07760
919f244f15bcbf7a78720780ad2c5a41
028cd20833cfee20bc1dc4059c44aafe
4c60f22dff46a25a235698a28bbac19b
c7cc37fcd43fd06bd3766f254d7c11cf
2d437adbb81d6824ac735cc63d36c228
980e3483f9072a756a6beb80c21fac95
32bded85b6cd7da62fc0bbe25c2e6f63
1256fd91aa3dc53ba1e9c85e0825a6f2
6364c2d3ec1e745c9ad3aa71ccac3c13
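The script described in Figure 3 and the IOC list above give a web administrator two concrete things to look for on a compromised host: files whose MD5 matches the published hashes, and PHP/HTML files that contain one of the listed attacker sender addresses. The following scanner is an added example written for this post (not ASEC's code, and not the phishing kit itself); it embeds the IOCs exactly as published, refangs the addresses only at match time, and walks a web root reporting any file that matches either indicator. The sample PHP fragment at the bottom is constructed solely to exercise the address check and is not the actual royal.php.

```python
import hashlib
import re
import sys
from pathlib import Path

# Sender addresses exactly as listed in the post's IOC section (kept defanged).
IOC_SENDER_ADDRESSES = [
    "larrykolman123@gmail[.]com",
    "kesslerbrian80@gmail[.]com",
    "jasonbiden7@gmail[.]com",
    "jacksonwill4500@gmail[.]com",
    "alfredrichy85@gmail[.]com",
    "aalexdylaan@gmail[.]com",
    "ahmedwaris101@gmail[.]com",
]

# File MD5 hashes exactly as listed in the post's IOC section.
IOC_FILE_MD5 = {
    "de9030f4f1e0796e5005546ffc70ebda",
    "3ffc647553d2b619edbc4f8d91e07760",
    "919f244f15bcbf7a78720780ad2c5a41",
    "028cd20833cfee20bc1dc4059c44aafe",
    "4c60f22dff46a25a235698a28bbac19b",
    "c7cc37fcd43fd06bd3766f254d7c11cf",
    "2d437adbb81d6824ac735cc63d36c228",
    "980e3483f9072a756a6beb80c21fac95",
    "32bded85b6cd7da62fc0bbe25c2e6f63",
    "1256fd91aa3dc53ba1e9c85e0825a6f2",
    "6364c2d3ec1e745c9ad3aa71ccac3c13",
}


def refang(address: str) -> str:
    """Turn a defanged 'user@gmail[.]com' back into the form found in live script source."""
    return address.replace("[.]", ".")


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, lowercase hex, matching the format used in the IOC list."""
    return hashlib.md5(data).hexdigest()


def find_ioc_addresses(source: str) -> list[str]:
    """Return every listed attacker address that appears as a whole address in the text."""
    hits = []
    for defanged in IOC_SENDER_ADDRESSES:
        live = refang(defanged)
        # Escape the literal and require a non-address character on each side so an
        # indicator does not match as a substring of some longer, unrelated address.
        pattern = r"(?<![\w.+-])" + re.escape(live) + r"(?![\w.-])"
        if re.search(pattern, source, re.IGNORECASE):
            hits.append(live)
    return hits


def scan_bytes(name: str, data: bytes) -> dict:
    """Check one file's content against both the hash and the sender-address IOCs."""
    digest = md5_hex(data)
    text = data.decode("utf-8", errors="ignore")
    return {
        "path": name,
        "md5": digest,
        "hash_match": digest in IOC_FILE_MD5,
        "addresses": find_ioc_addresses(text),
    }


def scan_directory(root: Path, suffixes=(".php", ".html", ".htm", ".js")) -> list[dict]:
    """Walk a web root and report only files that match at least one IOC."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            result = scan_bytes(str(path), path.read_bytes())
            if result["hash_match"] or result["addresses"]:
                findings.append(result)
    return findings


# Constructed sample (hypothetical, not the real royal.php) containing only the kind of
# mail() destination the post describes; used here to exercise the address check.
SAMPLE_PHP = (
    "<?php\n"
    '$to = "larrykolman123@gmail.com";\n'
    'mail($to, "Daum Mail", $msg);\n'
)

if __name__ == "__main__":
    # Usage: python ioc_scan.py /var/www/html
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for finding in scan_directory(root):
        print(finding)
```

Hash matches only catch byte-identical copies of the listed files, so the address check is the more durable of the two indicators when the attacker re-templates the kit; conversely, a kit edited to use a new drop address will evade both, which is why the open-directory layout and shared beautysalon template noted above are worth checking by hand as well.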
