On July 21st, the ASEC analysis team discovered the distribution of phishing email disguised as Daum, one of Korea’s portal websites. The email was made to resemble an estimate request by including RFQ on the title. It uses its attachment to lead the user to a phishing webpage.
Figure 1. Phishing e-mailThe attachment is an HTML file, and opening the file automatically redirects the user to the following URL.
- hxxps://euoi8708twufevry4yuwfywe8y487r.herokuapp[.]com/sreverse.php
Figure 2. Source code of the HTML attachmentAfter redirection, the phishing webpage (see Figure 3 on the left) disguised as Daum is displayed. It is nearly identical to the portal’s actual login page (Figure 3 on the right). Unlike the actual webpage, the phishing page’s buttons do not work except for the login button.
Figure 3. Comparison between phishing website (left) and actual portal webpage (right)If the user clicks the login button after entering account credentials, the information is sent to the URL shown below (see Figure 4). The phishing webpage displays a text saying the password is wrong, prompting the user to enter the account credentials again.
- hxxps://kikicard[.]shop/0ragnar2/out.php
Figure 4. Data sent when clicking the login buttonClicking the button will send the account credentials again. The user will then be redirected to the domain URL of the account ID.
As phishing emails have diverse patterns, users should take caution. They should not open attachments from emails sent from unknown sources. Should a login page pops up, users should check the URL before logging in.
AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.
Figure 5. V3 detection information[File Detection]
Phishing/HTML.Generic
[IOC Info]
b24b1202ed74b3d10c9e0be0945cff37
hxxps://kikicard[.]shop/0ragnar2/out.php
hxxps://euoi8708twufevry4yuwfywe8y487r.herokuapp[.]com/sreverse.php
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Phishing Email Disguised as Korean Web Portal Page (Daum) appeared first on ASEC BLOG.
Article Link: Phishing Email Disguised as Korean Web Portal Page (Daum) - ASEC BLOG