The ASEC analysis team has identified a malicious website being distributed in Korea that aims to steal account credentials for a famous Korean email service.
The phishing website that the email redirects to is disguised as a login page for a Korean email website, and over 50 cases of access to the website from Korea were confirmed. Users must therefore take particular caution when logging into this email website.
Figure 1. Normal webpage (left) vs phishing webpage (right)
The phishing website is disguised as the login page for the Korean email service, as shown below. When the user enters the ID and password for their account and clicks ‘Login’, the entered credentials are forwarded to the threat actor’s server (hxxps://as-massage[.]ch/wp-includes/mindx/nkuego.php). The user is then redirected to the normal website to complete the deception.
Figure 3. Stealing the account credentials
Figure 4. Redirection to the normal website
A total of 2 phishing websites disguised as this email service have been confirmed so far, and it is likely that there are other unidentified URLs as well.
Account Siphoning URL
– hxxps://trinimcvx.000webhostapp[.]com/post.php
Confirmed phishing websites
Figure 5. Number of users who have accessed the above phishing website
V3 Lite is currently responding by blocking the URL as shown below.
Figure 6. V3 blocking phishing website
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed appeared first on ASEC BLOG.