Phishing Email Impersonating Quasi-governmental Organization Being Distributed

The ASEC analysis team has recently detected the distribution of a phishing email impersonating a non-profit quasi-governmental organization. Since the email is using a webpage disguised as a login page of GobizKOREA serviced by Korea SMEs and Startups Agency (KOSME), users who are working in the trading industry should take extra caution.

The figure below shows the email’s subject and body.
It tells the reader that a new inquiry from a buyer was registered. Since all five hyperlinks in the email redirect to a webpage disguised as GobizKOREA’s login page, clicking any of the links will redirect the reader to the fake webpage.

Figure 1. Phishing email impersonating quasi-governmental organization

Figure 2. Hyperlinks in the email body

Clicking the hyperlinks in the email will show a login page as shown below.
The email address cannot be changed because the input type’s style tag—which is used as a text field—is set as read only.

Figure 3. Phishing HTML prompting users to log in

Figure 4. Script code almost identical to typical phishing HTMLs

The script code of the HTML file shows little variation from other phishing files.
After users enter the password and click the button to log in, their account credentials will be leaked to the attacker’s server via the POST method.

The acquired credentials may be sold or abused.
Since people generally use the same or similar passwords on most of the websites they use, further damage may occur due to such attacks. Hence, users should be wary of phishing emails.

Figure 5. Notices on the official website of GobizKOREA ( warning about spam emails

GobizKOREA has been alerting its members about such emails since 2019 on its official website.
The notices explain that the organization never sends any email requesting users to pay and warn them not to log in via such emails.

The phishing emails that are continuously being detected have one thing in common: while the level of sophistication may vary, they all prompt users to enter the account credentials in webpages redirected via attachments or links in the email.
Therefore, users should refrain from entering IDs and passwords on webpages unless they have directly accessed the official website.

AhnLab is currently blocking domains related to the phishing website.

[File Detection]

  • Phishing/HTML.Generic (2022.12.05.03)

[IOC Info]

  • hxxps://akaefe.duckdns[.]org
  • hxxps://ghomud.duckdns[.]org

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Phishing Email Impersonating Quasi-governmental Organization Being Distributed appeared first on ASEC BLOG.

Article Link: Phishing Email Impersonating Quasi-governmental Organization Being Distributed - ASEC BLOG