Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed

The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website.

The phishing website the email is redirected to is disguised as a login page for a Korean email website, and over 50 cases in Korea were confirmed to have accessed the website. Thus users must take particular caution when logging into this email website.

Figure 1. Normal webpage (left) vs phishing webpage (right)

The phishing website is disguised as the login page for the Korean email service as shown below, and when the user enters their ID and password for their account and clicks ‘Login’, the input account credentials are forwarded to the threat actor’s server (hxxps://as-massage[.]ch/wp-includes/mindx/nkuego.php), and ultimately, the user is redirected to the normal website for complete deception.

Figure 2. The account stealing logic inside the phishing website’s javascript

Figure 3. Stealing the account credentials

Figure 4. Redirection to the normal website

A total of 2 phishing websites disguised as this email service have been confirmed until now, and It is likely there are other unidentified URLs as well.

Account Siphoning URL
– hxxps://as-massage[.]ch/wp-includes/mindx/nkuego.php
– hxxps://trinimcvx.000webhostapp[.]com/post.phpConfirmed phishing websites

Confirmed phishing websites


Figure 5. Number of users who have accessed the above phishing website

V3 Lite is currently responding by blocking the URL as shown below.

Figure 6. V3 blocking phishing website

[IOC Info]



Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments