On July 21st, the ASEC analysis team discovered the distribution of a phishing email disguised as coming from Daum, one of Korea’s portal websites. The email was made to resemble an estimate request by including "RFQ" in the title. It uses its attachment to lead the user to a phishing webpage.
The attachment is an HTML file, and opening the file automatically redirects the user to the following URL.
After redirection, the phishing webpage (see Figure 3 on the left) disguised as Daum is displayed. It is nearly identical to the portal’s actual login page (Figure 3 on the right). Unlike the actual webpage, the phishing page’s buttons do not work except for the login button.
If the user clicks the login button after entering account credentials, the information is sent to the URL shown below (see Figure 4). The phishing webpage then displays a message saying the password is wrong, prompting the user to enter the account credentials again.
Clicking the button will send the account credentials again. The user will then be redirected to the domain URL of the account ID.
As phishing emails come in diverse patterns, users should exercise caution. They should not open attachments in emails from unknown sources. Should a login page pop up, users should check the URL before logging in.
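For mail-gateway or triage use, the attachment behavior described above (an HTML file that redirects as soon as it is opened) can be checked statically. The following is an added example, not ASEC's or AhnLab's code; it assumes the redirect is done with a meta refresh or a script assignment to `location`, which the post does not specify, and the function names and sample hosts are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script statements that navigate the page with no user interaction.
JS_REDIRECT = re.compile(
    r"""\blocation(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|\blocation\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)

class RedirectFinder(HTMLParser):
    """Collects (technique, url) pairs for automatic redirects."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.in_script = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.findings.append(("meta-refresh", m.group(1)))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            for m in JS_REDIRECT.finditer(data):
                self.findings.append(("script-location", m.group(1) or m.group(2)))

def find_auto_redirects(html_text):
    """Return redirects that leave the local file for a remote http(s) URL."""
    parser = RedirectFinder()
    parser.feed(html_text)
    parser.close()
    return [(how, url) for how, url in parser.findings
            if urlparse(url).scheme in ("http", "https")]

# Constructed samples; phish.example.invalid is a placeholder host.
SAMPLE_META = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=https://phish.example.invalid/login"></head></html>')
SAMPLE_JS = ('<html><body><script>window.location.href = '
             '"https://phish.example.invalid/login";</script></body></html>')
BENIGN = '<html><body><a href="https://example.invalid/">RFQ</a></body></html>'

if __name__ == "__main__":
    print([find_auto_redirects(d) for d in (SAMPLE_META, SAMPLE_JS, BENIGN)])
```

Obfuscated or dynamically built redirect targets will not match these patterns, so a hit is a reason to quarantine the attachment, and a miss is not proof that it is safe.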
AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.