Daum Phishing E-mails Disguised as ‘Purchase Order’ being Distributed

One of the most frequently used methods for the distribution of malware is using phishing e-mails. The ASEC analysis team has introduced specific phishing attacks as well as the types of phishing e-mails in previous blog posts.

Trend of Phishing Spreading Through Spam Mails

Similar to the previous cases, the team has found a phishing e-mail that aims to leak Daum account credentials. Considering that the e-mail has a specific university set as its sender and recipient (see Figure 1), it appears that it was written to collect the account credentials of a specific target.

Figure 1. E-mail distributed to a specific university

The e-mail disguises itself as a purchase order and tricks the user into running the attached HTML and enter their account credentials. The page on the left of the figure below is displayed when the attached HTML script is run. There is a clear difference when compared to the normal screen on the right, but it can be easily mistaken as a normal page when running the script without a second thought.

Figure 2. Phishing page (left), normal page (right)

When the user enters the user ID and the password and clicks the login button, user credentials are leaked to a certain address. The leaked ID and the password as well as the country of access and the access time are saved to the server that had been built by the attacker as shown below.

  • Info-leaking URL: hxxps://bo***ken**[.]com/start/startup/setup/dkuboinsd.php
  • Collected information upload URL: hxxps://bo***ken**[.]com/start/startup/setup/name.txt
Figure 3. Phishing website

Figure 4. Leaked user information

As shown above, even in cases of e-mails from a seemingly reliable sender, users must take extra caution when opening an attachment or an internal URL. Also, V3 should be updated to the latest version to prevent malware infection firsthand. AhnLab’s anti-malware solutions detect and block the script files above using the following alias.

[File Detection]

  • Phishing/HTML.Generic

[IOC]

  • f1cd69021bac49587770fd487bb723fb
  • hxxps://bo***ken**[.]com/start/startup/setup/dkuboinsd.php
  • hxxps://bo***ken**[.]com/start/startup/setup/name.txt

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Daum Phishing E-mails Disguised as ‘Purchase Order’ being Distributed appeared first on ASEC BLOG.

Article Link: Daum Phishing E-mails Disguised as 'Purchase Order' being Distributed - ASEC BLOG