Jump to content
Login new information ×
Remember, Matrix ×
Login new information
Donations campaign phase one 2024

Attackers target United Nations staff to steal their user credentials in a new phishing campaign

The AchieVer

By The AchieVer
in Security & Privacy News

Recommended Posts

The AchieVer

The AchieVer

Posted
Posted

Attackers target United Nations staff to steal their user credentials in a new phishing campaign

 

nations,united,headquarters,logo,new,york,un,america,american,buliding,city,conference,door,entrance,front,glass,meeting,nation,nyc,people,sign,states,trademark,usa
 
  • Hackers are stealing the employees’ user credentials for resale on criminal forums and marketplaces.
  • A phishing site masquerading as a login page for the United Nations Unite Unity is used to trick the victims.

Security researchers have discovered a new phishing campaign that targets the United Nations staff. Through the campaign, the hackers are stealing employee credentials for reselling on criminal forums and marketplaces.

How does it work?

Researchers at Anomali Labs foundthat a phishing site masquerading as a login page for the United Nations Unite Identity was used to trick the victims. The UN Unite Identity is a single sign-on (SSO) application used by UN staff. 

When visitors attempt to login into the fraudulent page, their browser is redirected to a bogus invitation for a film viewing at the Poland Embassy in Pyongyang.

The fake login page that bears a resemblance to the legitimate one has been found to be 'cloud[.]unite[.]un[.]org[.]docs-verify[.]com'.

“When navigating to the suspicious subdomain, users are displayed with a phishing site mimicking a United Nations’ Unite Identity login page. The phishing site requests users enter their email address ending in @un[.]org and Unite Identity password. The phishing page, a cloned version of the legitimate site, warns users of fake UN websites designed to steal usernames and passwords as well as provides a copy of the website address for the legitimate Unite Identity login page,” the researchers explained.

Domain and IP Address analysis

‘Whois’, a domain that lookups for domain registrant information, found that the ‘verify[.]com was registered with Malaysian Registrar and Hosting provider Shinjiru Technology Sdn Bhd on August 1, 2018. The parent domain and the associated IP addresses that are a part of the campaign resolved to the Malaysia-based IP address 111.90.142[.]52 belonging to Shinjiru Technology Sdn Bhd - which is the host for 33 total domains.

The researchers noted that, “A review of these 32 additional domains uncovered multiple suspect sites which include phishing sites targeting Visa Vanilla Gift Cards, Caixa Bank of London, and First Texas Bank.”

 

 

 

Source

Link to comment
Share on other sites
  • Views 351
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...