Distribution of Phishing Emails Targeting Korean Research Institutes and Companies

The ASEC analysis team has discovered the distribution of phishing emails targeting Korean research institutes and companies to steal passwords. The phishing email impersonated an international transport company, requesting the user to submit custom information, and open the attachment file to prompt the user to click the URL. Upon clicking the link in the email, the user is redirected to a phishing page that prompts the user to enter their password. As the team has also discovered cases of distribution targeting numerous companies including research institutes, caution is advised.

The collected sample is disguised as an (expected) freight arrival notice email, impersonating a well-known overseas transport company. The details of the email prompt the user to click the link so that the user would enter customs information, and upon clicking the link, the user is redirected to a phishing page.

Figure 1. Phishing sample 1

In another sample, the email tricks the user to think that an attachment file exists in the email (see figure 2). The part with the attachment file information is actually a picture inserted with a hyperlink that redirects the user to a phishing page upon clicking it. It also impersonated a well-known transport company.

Figure 2. Phishing sample 2

The phishing page displays a message saying that the session has expired, prompting the user to enter their password. The password that the user entered is sent to the attacker’s server via the GET method. The format of the address of the phishing pages used in the samples above is as follows:

http://survoltropic[.]pt/consequuntursed/koream/koream.php?main_domain=[Redirection URL]&email=[메Email Account]&subdomain=[URL]

The phishing page loads the [Redirection URL] page via Iframe, prints it, then overlays it to make it seem like it is disabled.

Figure 3. Redirection URL load of the phishing page and overlay creation code

It then loads an object with a form to enter the password. The object prints the Favicon of [Redirection URL] and includes the account information of the sender of the email. Ultimately, it is disguised as a session expired notification of actual webmail. After two attempts of entering 6 or more characters in the password form and pressing the login button, the user is redirected to [Redirection URL].

Figure 4. Code for sending password and redirection

The example below has the background of the ASEC blog, but in the actual case of distribution, the background is set as the email service of the target company of the attack.

Figure 5. Example of phishing page

As attacks targeting local governments overseas that use the same domain have been discovered as well, users must remain vigilant. Users should refrain from opening attachment files from unknown sources and never input their personal information.

AhnLab blocks the domains of these phishing pages.

[IOC Info]

  • hxxp://survoltropic[.]pt

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments