Phishing Websites Disguised as Korean Groupware Login Website Being Distributed

The ASEC analysis team has been building a honeypot to collect various malware strains that are being distributed both in Korea and overseas. The honeypot also collects phishing emails and recently caught one targeting Korean users, which has been distributed continuously since August, and only to Korean email accounts.

The phishing website the email redirects to is disguised as the login page of a Korean groupware site, and over 2,500 accesses to the website were confirmed. Users must therefore take particular caution when logging into groupware websites.

Figure 1. Normal vs Phishing webpage

This phishing website’s URL is not only distributed through email but is also exposed among the top search results of the Google search engine. This means users’ account credentials can be easily leaked if they are not careful.

Figure 2. The phishing website shown among the top search results (bottom of the screen)

The phishing emails that have been distributed until recently mainly contain information regarding expired passwords or account deactivation.

Figure 3. Phishing emails currently being distributed

When users access the phishing website, they will find it hard to distinguish it from the normal website unless they pay close attention. The page source is similar to the original website's as well. On the malicious website, expanding the JavaScript at the bottom of the source shows that it has been modified.

Figure 4. The account-stealing URL inside the phishing website's JavaScript

A total of 5 phishing websites disguised as this groupware have been confirmed this year. It is likely there are other unidentified URLs as well.

Phishing URLs
– hxxps://5imk2-hiaaa-aaaad-qdtoa-cai.ic.fleek[.]co/?#(email account)
– hxxps://55l3x-gaaaa-aaaad-qdtnq-cai.ic.fleek[.]co/?#(email account)
– hxxps://5tjw7-5qaaa-aaaad-qdtmq-cai.ic.fleek[.]co/?#(email account)
– hxxps://siasky[.]net/OACzNPwRNbE5E1QBOVNanLc5pfd4RiKlb0JwLvQvHK3Elg?#(email account)
– hxxps://gfyyyryrye.steep-rice-1b7d.izulink0047002.workers[.]dev/

Account Leaking URL
– hxxps://dev-onaebe-all.pantheonsite[.]io/wp-content/cp.php

Confirmed phishing websites

Among the list, the top 3 websites in terms of accessed users are shown below. The URL with over 2,000 users has been distributed since the beginning of this year, and those that have over 100 users have been distributed since August.

Figure 5. The top 3 phishing websites in terms of accessed users

Users must check the URL when clicking a link included in their emails and not open attachments in emails sent from unknown sources. Also, when users are asked for their account credentials, they must check the URL again to confirm that the website they are logging into is indeed the one they are intending to access.

[IOC Info]

hxxps://5imk2-hiaaa-aaaad-qdtoa-cai.ic.fleek[.]co/?
hxxps://55l3x-gaaaa-aaaad-qdtnq-cai.ic.fleek[.]co/?
hxxps://5tjw7-5qaaa-aaaad-qdtmq-cai.ic.fleek[.]co/?
hxxps://siasky[.]net/OACzNPwRNbE5E1QBOVNanLc5pfd4RiKlb0JwLvQvHK3Elg?
hxxps://gfyyyryrye.steep-rice-1b7d.izulink0047002.workers[.]dev/
hxxps://dev-onaebe-all.pantheonsite[.]io/wp-content/cp.php
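The IOCs above are published defanged (hxxps, [.]), so they cannot be matched against proxy or gateway logs as-is. The following script is an added example, not ASEC's own tooling: it refangs the list, reduces each IOC to a hostname plus path prefix, and scans constructed sample log lines for visits to the phishing pages and for POSTs to the account-leaking cp.php endpoint, which it reports at a higher severity than a plain page view. The log layout (`timestamp client method url status`), the client addresses and the groupware hostname `groupware.corp.example` are assumptions made for the example. Keeping the path in the match matters for siasky.net, which is a shared file host: matching on its hostname alone would flag every unrelated download from it.

```python
import re
from urllib.parse import urlparse

# IOCs exactly as published in the post above, still defanged (hxxps, [.]).
DEFANGED_IOCS = [
    "hxxps://5imk2-hiaaa-aaaad-qdtoa-cai.ic.fleek[.]co/?",
    "hxxps://55l3x-gaaaa-aaaad-qdtnq-cai.ic.fleek[.]co/?",
    "hxxps://5tjw7-5qaaa-aaaad-qdtmq-cai.ic.fleek[.]co/?",
    "hxxps://siasky[.]net/OACzNPwRNbE5E1QBOVNanLc5pfd4RiKlb0JwLvQvHK3Elg?",
    "hxxps://gfyyyryrye.steep-rice-1b7d.izulink0047002.workers[.]dev/",
    "hxxps://dev-onaebe-all.pantheonsite[.]io/wp-content/cp.php",
]

# The endpoint the post identifies as the account-leaking URL; a POST to it
# means credentials were most likely submitted, not just the page viewed.
EXFIL_PATH = "/wp-content/cp.php"


def refang(ioc: str) -> str:
    """Reverse the usual defanging so urlparse() can split the URL."""
    url = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_prefixes(iocs):
    """Reduce each IOC to (hostname, path prefix).

    The path is kept on purpose: siasky.net is a shared file host, so matching
    on the hostname alone would flag every unrelated download from it.
    """
    prefixes = []
    for ioc in iocs:
        parsed = urlparse(refang(ioc))
        prefixes.append(((parsed.hostname or "").lower(), parsed.path or "/"))
    return prefixes


def match_ioc(url, prefixes):
    """Return the (host, path prefix) IOC that covers url, or None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    for ioc_host, ioc_path in prefixes:
        if host == ioc_host and path.startswith(ioc_path):
            return ioc_host, ioc_path
    return None


# Assumed proxy log layout: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line, prefixes):
    """Map one log line to an alert dict, or None if it is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = match_ioc(m.group("url"), prefixes)
    if hit is None:
        return None
    is_exfil = m.group("method") == "POST" and urlparse(m.group("url")).path == EXFIL_PATH
    return {
        "time": m.group("ts"),
        "src": m.group("src"),
        "host": hit[0],
        "severity": "credential-submission" if is_exfil else "phishing-page-access",
    }


def scan(lines, iocs=DEFANGED_IOCS):
    """Run every line through classify() and keep only the alerts."""
    prefixes = ioc_prefixes(iocs)
    return [alert for alert in (classify(line, prefixes) for line in lines) if alert]


# Constructed sample log lines (not real traffic) covering the cases that matter:
# a page view, a benign groupware login, a credential POST, an unrelated file
# on the shared siasky.net host, and a line the parser should ignore.
SAMPLE_LOG = [
    "2022-09-01T09:12:03Z 10.0.5.21 GET https://5imk2-hiaaa-aaaad-qdtoa-cai.ic.fleek.co/?#user@corp.example 200",
    "2022-09-01T09:12:40Z 10.0.5.21 GET https://groupware.corp.example/login 200",
    "2022-09-01T09:13:10Z 10.0.5.21 POST https://dev-onaebe-all.pantheonsite.io/wp-content/cp.php 200",
    "2022-09-01T10:02:55Z 10.0.7.8 GET https://siasky.net/AAAunrelatedFileOnSharedHost 200",
    "2022-09-01T10:05:19Z 10.0.7.9 GET https://siasky.net/OACzNPwRNbE5E1QBOVNanLc5pfd4RiKlb0JwLvQvHK3Elg 200",
    "not a log line at all",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["time"]} {alert["src"]} -> {alert["host"]} [{alert["severity"]}]')
```

On the sample input the script raises three alerts: two page views on fleek.co and siasky.net, and one credential submission from the same client that viewed the fleek.co page a minute earlier, which is the sequence worth escalating to a password reset. The unrelated siasky.net download and the benign groupware login are left alone.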

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
