On January 3rd, the ASEC analysis team covered a situation where a fake Kakao login page was used to steal the account credentials of certain individuals.
The team confirmed that the threat actor hosted that phishing page on the domain of a vulnerable website. The same method described in that post has now been used to create a fake Naver login page, which we cover here.
Emails impersonating Naver Help, and the web pages they link to in order to steal account credentials, have been observed regularly over the past several years.
However, we have recently found the same domain being used to host not only a fake Kakao page but now also a fake Naver login page.
Seeing that users are led to a “Reconfirm Password” page, we can assume that this URL is distributed via a phishing email advising users to change their account credentials.
The login ID is filled in automatically when the URL is accessed; anything entered in the password field is sent to the threat actor’s server.
The page disguised as a Naver login screen might seem flimsy, given that it pre-fills the ID along with the “@naver.com” domain, but the threat actor evidently anticipated that suspicious users would click around: every button is linked to either a real or a fake page, so nothing leads to a dead end.
As shown in the figure below, clicking the user image at the top right presents the buttons “My Pay Points” (the original page shows the balance), “My Blog”, “Joined Cafes” and “Naver Plus Membership”. All of these except “Naver Plus Membership” lead to genuine Naver pages; “Naver Plus Membership” is linked to a forged page that carries the same service ads as the original website.
When the user clicks the “Start Free Trial Now” button at the bottom of the page in the figure above, they are redirected back to the “Reconfirm Password” page created by the threat actor.
Additionally, on the original website the “See All Services” button at the top right links to http://www.naver.com/more.html. On the page created by the threat actor, however, it takes users to a domain that begins with “wwwid”, as shown below.
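As an added example that is not part of the original ASEC post, the following Python script automates the triage described above: it parses a suspected login page, reports a pre-filled login ID, flags a credential form whose action posts outside the legitimate domain, and sorts every link into genuine Naver destinations versus off-domain ones (the mix of real and fake buttons noted above). The sample HTML, the hostnames phish.example and wwwid.example, and the pre-filled address are constructed placeholders for the example, not indicators taken from the post.

```python
"""Triage a suspected phishing login page (added example, not ASEC's tooling).

Checks the three traits described in the post: a pre-filled login ID, a password
form that submits somewhere other than the legitimate site, and navigation links
that mix genuine and look-alike destinations. Uses only the standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts treated as legitimate for this check (assumption: Naver and its subdomains).
LEGIT_HOSTS = {"naver.com", "www.naver.com", "nid.naver.com"}


def is_legit_host(url: str) -> bool:
    """True if the URL's host is naver.com or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host in LEGIT_HOSTS or host.endswith(".naver.com")


class LoginPageParser(HTMLParser):
    """Collects forms (action + inputs) and anchor links, resolving relative URLs."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.forms = []          # each: {"action": str, "inputs": [dict, ...]}
        self.links = []          # each: (anchor text, absolute href)
        self._cur_form = None
        self._cur_link = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur_form = {"action": urljoin(self.base_url, a.get("action") or ""),
                              "inputs": []}
            self.forms.append(self._cur_form)
        elif tag == "input" and self._cur_form is not None:
            self._cur_form["inputs"].append({"type": (a.get("type") or "text").lower(),
                                             "name": a.get("name") or "",
                                             "value": a.get("value") or ""})
        elif tag == "a":
            self._cur_link = urljoin(self.base_url, a.get("href") or "")
            self._link_text = []

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur_form = None
        elif tag == "a" and self._cur_link is not None:
            self.links.append(("".join(self._link_text).strip(), self._cur_link))
            self._cur_link = None

    def handle_data(self, data):
        if self._cur_link is not None:
            self._link_text.append(data)


def triage(html: str, page_url: str) -> dict:
    """Return findings plus the split of links into legitimate and off-domain."""
    p = LoginPageParser(page_url)
    p.feed(html)
    findings = []
    for f in p.forms:
        has_pw = any(i["type"] == "password" for i in f["inputs"])
        if has_pw and not is_legit_host(f["action"]):
            findings.append("credential form posts to off-domain host: "
                            f"{urlparse(f['action']).hostname}")
        for i in f["inputs"]:
            if i["type"] in ("text", "email") and i["value"]:
                findings.append(f"login ID pre-filled: {i['name']}={i['value']}")
    legit = [(t, u) for t, u in p.links if is_legit_host(u)]
    offdomain = [(t, u) for t, u in p.links if not is_legit_host(u)]
    for t, u in offdomain:
        findings.append(f"off-domain link: '{t}' -> {u}")
    return {"findings": findings, "legit_links": legit, "offdomain_links": offdomain}


# Constructed sample page mirroring the behaviour described in the post.
SAMPLE_URL = "http://phish.example/reconfirm.html"   # placeholder host
SAMPLE_HTML = """
<html><body>
<form method="post" action="/chk.php">
  <input type="text" name="id" value="victim01@naver.com">
  <input type="password" name="pw">
  <button>Reconfirm Password</button>
</form>
<a href="https://pay.naver.com/">My Pay Points</a>
<a href="https://blog.naver.com/">My Blog</a>
<a href="https://section.cafe.naver.com/">Joined Cafes</a>
<a href="/membership.html">Naver Plus Membership</a>
<a href="http://wwwid.example/more.html">See All Services</a>
</body></html>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_HTML, SAMPLE_URL)["findings"]:
        print(line)
```

Run against a saved copy of a suspicious page (with its real URL as the base so relative links resolve), the off-domain list is exactly the set of buttons that would need to be followed by hand, and the form-action check catches the credential exfiltration regardless of how convincing the visible page is.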
According to the information confirmed by the ASEC analysis team so far, the threat actor appears to be using a website built on “Gnuboard 4”.
This CMS (content management system), a PHP-based open-source bulletin board (BBS) package, was superseded by “Gnuboard 5” in March 2013, yet many “Gnuboard 4” sites with numerous known vulnerabilities are still online.
Judging from the IP/domain addresses related through reverse DNS data and the relevant files collected by the ASEC analysis team, the Kimsuky group is presumed to be behind this activity.
We note that fake Kakao/Naver pages created on numerous domains still exist and that attacks are ongoing, with the pre-filled ID being changed frequently. The team confirmed that the pre-filled ID on the page disguised as a Kakao login screen changed after two days from a media reporter’s account to the main account of a member organization affiliated with the Ministry of Unification. The pre-filled ID at the URL above was likewise changed after a short period.
With simple-login features that let users sign in with accounts linked to an app now common, we believe the attackers are counting on users logging in without a second thought. Users must never log in to web pages whose authenticity is unknown, and should enable two-factor authentication so that stolen credentials cannot be reused elsewhere.
Website owners must also check whether their sites run a vulnerable version of their framework and are advised to update to the latest version offered by the vendor.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.