The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website.
The phishing website that the email redirects to is disguised as a login page for a Korean email website, and over 50 cases of access to the website were confirmed in Korea. Users must therefore take particular caution when logging into this email website.
The phishing website is disguised as the login page for the Korean email service as shown below. When the user enters the ID and password for their account and clicks ‘Login’, the entered credentials are forwarded to the threat actor’s server (hxxps://as-massage[.]ch/wp-includes/mindx/nkuego.php), and the user is ultimately redirected to the normal website to complete the deception.
A total of 2 phishing websites disguised as this email service have been confirmed so far, and it is likely that there are other unidentified URLs as well.
Account Siphoning URL
– hxxps://trinimcvx.000webhostapp[.]com/post.php
Confirmed phishing websites
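A defender triaging a suspected clone of the login page can check where its password form actually submits. The following is an added example, not code from the ASEC analysis; it assumes the credentials are delivered through the form's action attribute (the post does not say how they are forwarded), and the hostnames and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hostnames the real mail service uses for login (hypothetical values).
LEGIT_HOSTS = {"mail.example.kr", "login.example.kr"}


class LoginFormAuditor(HTMLParser):
    """Collects the submit target of every <form> that contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._action = None   # absolute action URL of the form currently open
        self.targets = []     # absolute URLs that would receive a password

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self._action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and self._action is not None:
            is_pw = (a.get("type") or "").lower() == "password"
            # Record at the password field so unclosed forms are still caught.
            if is_pw and self._action not in self.targets:
                self.targets.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def offsite_credential_targets(html, page_url, legit_hosts=LEGIT_HOSTS):
    """Return form targets that send a password to a host outside legit_hosts."""
    auditor = LoginFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return [t for t in auditor.targets
            if (urlsplit(t).hostname or "").lower() not in legit_hosts]


# Constructed sample: a cloned login page posting to a different host.
SAMPLE = """
<form method="post" action="https://collector.example.net/post.php">
  <input name="id"><input type="password" name="pw"><button>Login</button>
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    print(offsite_credential_targets(SAMPLE, "https://mail.example.kr.login.example.org/"))
```

A relative action is resolved against the URL the page was served from, so a clone that posts to its own look-alike host is flagged as well.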
V3 Lite is currently responding by blocking the URL as shown below.