Phishing Email Disguised as a Well-Known Korean Web Portal

The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean web portal to collect user credentials. The phishing email demands the users to upgrade the mailbox storage, prompting them to click the link. Upon clicking the link, the user is redirected to the phishing page that prompts the users to enter their password.

The figure below shows the subject and the details of the email, and the link redirects the user to the phishing page.

Figure 1. Subject and details of the email

Upon clicking the link in the email, the user is redirected to the phishing page disguised as a well-known Korean web portal (see figure below).

  • Phishing website URL: hxxp://www.eylulrentacar[.]com/indexh.html
Figure 2. Phishing page

Unlike normal web portal login pages, the phishing page does not provide features such as one-time-use number, QR code, find ID, reset password, and sign-up.

Figure 3. One-time-use number and QR code login feature of a normal page

The checkInput function is then enabled via the login button on the phishing page. The checkInput function checks whether the password is entered, then sends the collected information to the attacker’s server via the send function.

Figure 4. Sending account credentials

Figure 5. Sending account credentials – 2

  • C2 server: hxxps://v2.faj[.]ma/wordpress/wp-includes/js/tinymce/plugins/wordpress/plugins.php

Not only does the send function send account credentials to the attacker’s server, but it also checks the frequency of the process with the count variable to redirect the user to a normal web portal login page when a phishing website has already attempted sending to avoid detection.

Figure 6. send function

In order to prevent damage from such phishing emails, users must be vigilant when clicking a link in unknown emails and should check the URL of the link to see whether the features of the page operate normally.

AhnLab currently blocks the domain of this phishing page.

[IOC Info]

  • hxxp://www.eylulrentacar[.]com/indexh.html
  • hxxps://v2.faj[.]ma/wordpress/wp-includes/js/tinymce/plugins/wordpress/plugins.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Phishing Email Disguised as a Well-Known Korean Web Portal appeared first on ASEC BLOG.

Article Link: Phishing Email Disguised as a Well-Known Korean Web Portal - ASEC BLOG