The ASEC analysis team recently identified a fake Kakao login page designed to steal the account credentials of specific individuals. The exact route by which users first reach these pages is unknown, but it is presumed that they were directed to log in via a link provided in phishing emails.
When the user arrives on the web page, the ID of the Kakao account is already filled in, as shown in Figure 1 below. The page is built to look identical to the original Kakao login page (Figure 2), on which users with a Kakao email address can log in simply by entering their email ID.
Based on the ASEC analysis team's continuous monitoring of North Korea-related activities, and given the original format of the autocompleted IDs, it is possible that the affected IDs belong to ‘kakao.com’ or ‘hanmail.net’ accounts. From this, we can also infer that the targets were individuals and organizations in trade, media, and North Korea-related fields corresponding to the autocompleted IDs.
Below is the information assumed about some of the autocompleted accounts on the login screen.
- a***d: University professor
- ya***2: Broadcasting station reporter
- sh***her: North Korean business support group
Because the URL of the login page also begins with ‘accountskakao’ (see Figure 4), users who arrive on this web page are likely to enter their password without a second thought.
- (Original): https://accounts.kakao.com
- (Malicious): hxxp://accountskakao.pnbbio[.]com, hxxp://accountskakao.koreawus[.]com
In particular, some of the URLs of the identified login pages were observed to change the prefilled user ID after a certain period of time and then prompt the user to log in. Considering that the same ID may also be used for a hanmail.net account, the change of user ID appears intended to obtain the account credentials of media companies and reporters. When a user attempts to log in, the ID and password are sent via the GET method to a server set up by the threat actor, as shown below.
As such a carefully crafted login page designed to deceive users has been identified, users must be particularly cautious when opening emails from untrusted senders. Additionally, if a login that involves linking with another application is required while browsing the web, users are advised to confirm that the URL of the page is the original domain by checking the exact URL address and the certificate before proceeding.
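The two characteristics described above, a lookalike host that merely starts with "accountskakao" and credentials leaving in a GET query string, can be turned into a simple proxy-log check. The following is an added example, not ASEC's code or anything from the phishing kit; the log line layout and the query parameter names (id, pw) are constructed assumptions, since the post does not show them.

```python
# Added example (not from the original post): flag "accountskakao" lookalike hosts
# and GET requests that carry credential-like query parameters to them.
# Log format "<time> <method> <url>" and parameter names are assumed, not from the post.
from urllib.parse import urlsplit, parse_qs

LEGIT_HOST = "accounts.kakao.com"
CRED_PARAMS = {"id", "email", "pw", "password", "passwd"}  # assumed parameter names

def registrable_domain(host):
    """Last two labels of the host; adequate for .com, not a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_login_url(url):
    """legitimate / kakao-domain / lookalike / other, based on the hostname only."""
    host = (urlsplit(url).hostname or "").lower()
    if host == LEGIT_HOST:
        return "legitimate"
    if registrable_domain(host) == "kakao.com":
        return "kakao-domain"
    if "kakao" in host:          # e.g. accountskakao.pnbbio.com, accountskakao.koreawus.com
        return "lookalike"
    return "other"

def credential_params(url):
    """Query parameter names that look like credentials, sorted for stable output."""
    return sorted(k for k in parse_qs(urlsplit(url).query) if k.lower() in CRED_PARAMS)

def scan_proxy_log(lines):
    """Return (url, credential params) for GET requests to lookalike hosts."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[1] != "GET":
            continue
        url = parts[2]
        if classify_login_url(url) == "lookalike":
            creds = credential_params(url)
            if creds:
                hits.append((url, creds))
    return hits

SAMPLE_LOG = [  # constructed lines; domains are the ones named in the post
    "10:00:01 GET https://accounts.kakao.com/login?continue=https://mail.kakao.com",
    "10:00:05 GET http://accountskakao.pnbbio.com/login.php?id=user@hanmail.net&pw=secret",
    "10:00:09 POST http://accountskakao.koreawus.com/login.php",
    "10:00:12 GET https://example.com/?id=foo",
]
```

Only the second line is reported: the real host is classified as legitimate, the POST is not a GET exfiltration, and example.com is not a Kakao lookalike.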
V3 blocks the domains mentioned in this post.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.