Researchers have brought to light a longstanding phishing campaign aimed at the UN and its various networks, and a variety of humanitarian organizations, NGOs, universities and think tanks.
Some of these phishing pages are still up and are still not flagged as malicious by Google Safe Browsing, they warned.
The campaign is ongoing
The targeted organizations include the UN and its World Food Programme and Development Programme, UNICEF, the Heritage Foundation (an American conservative think tank), the International Federation of the Red Cross and Red Crescent Societies, the United States Institute of Peace (an independent, federal institution that provides analysis of and is involved in conflicts around the world), Concern Worldwide (Ireland’s largest aid and humanitarian agency), and many others.
The phishing pages are made to look like the organizations’ Office 365 login page for employees, as compromised Office 365 credentials provide attackers an entry point into organizations and enable them to launch stealthy insider attacks and collect sensitive information.
The phishing pages have keylogging functionality embedded in the password field, so that everything typed into that field is sent to a C&C server even if the potential victim never presses the login button. They are also able to detect mobile visitors and present them with a mobile-friendly version.
“Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to discover the deception,” Lookout researcher Jeremy Richards has pointed out.
The researchers found that the infrastructure connected to these attacks has been live since March 2019 and that the pages were, and in some cases still are, hosted on two domains.
“SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. Currently six certificates are still valid, and Lookout suspects that these attacks may still be ongoing,” Richards noted (though since the publication of their findings the sites with valid certificates have all become unavailable).
Kevin Bocek, VP security strategy & threat intelligence, Venafi, noted that phishers are taking advantage of the implicit trust users have in the green padlock created by TLS certificates.
“Internet users have been trained to look for a green padlock when they visit websites, and bad actors are using SSL/TLS certificates to impersonate all kinds of organizations. This may appear sophisticated, but these kinds of phishing attacks are very common. For example, in 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. And in June 2019, the FBI issued a warning stating that the green padlock on websites doesn’t mean the domain is trustworthy and safe from cyber criminals,” he added.
There’s no mention of who might be behind the attacks. State-sponsored hackers who are after sensitive information seem like the most likely culprit, though charities and humanitarian organizations are also often targeted by scammers who are after money, so who knows?