The ASEC analysis team has been building a honeypot to collect various malware strains that are being distributed both in Korea and overseas. The honeypot also collects phishing emails, and it recently caught one targeting Korean users that has been distributed continuously, and only to Korean email accounts, since August.
The phishing website the email redirects to is disguised as a login page for a Korean groupware site, and over 2,500 cases of access to the website were confirmed. Users must therefore take particular caution when logging into groupware websites.
This phishing website’s URL is not only distributed through email but is also exposed among the top search results of the Google search engine. This means users’ account credentials can be easily leaked if they are not careful.
The phishing emails that have been distributed until recently mainly contain information regarding expired passwords or account deactivation.
A total of 5 phishing websites disguised as this groupware have been confirmed this year. It is likely there are other unidentified URLs as well.
– hxxps://5imk2-hiaaa-aaaad-qdtoa-cai.ic.fleek[.]co/?#(email account)
– hxxps://55l3x-gaaaa-aaaad-qdtnq-cai.ic.fleek[.]co/?#(email account)
– hxxps://5tjw7-5qaaa-aaaad-qdtmq-cai.ic.fleek[.]co/?#(email account)
– hxxps://siasky[.]net/OACzNPwRNbE5E1QBOVNanLc5pfd4RiKlb0JwLvQvHK3Elg?#(email account)
Account Leaking URL
Of the websites listed, the top 3 by number of users who accessed them are shown below. The URL with over 2,000 users has been distributed since the beginning of this year, and those that have over 100 users have been distributed since August.
Users must check the URL when clicking a link included in their emails and not open attachments in emails sent from unknown sources. Also, when users are asked for their account credentials, they must check the URL again to confirm that the website they are logging into is indeed the one they are intending to access.
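The URL check described above can also be run at the mail gateway. The following is an added example, not ASEC's own tooling: it flags links in a message body whose host sits under the hosting domains seen in the URLs listed in this post, or whose fragment carries an email address, as those URLs do. The function names, the sample message and the `corp.example` addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosting domains taken from the phishing URLs listed in this post.
HOSTING_SUFFIXES = ("ic.fleek.co", "siasky.net")
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"')]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample message body (not a real phishing email).
SAMPLE_BODY = (
    "Your password expires today. Keep the same password here:\n"
    "hxxps://constructed-sample-cai.ic.fleek[.]co/?#kim@corp.example\n"
    "Intranet: https://groupware.corp.example/login\n"
    "Survey: https://forms.vendor.example/s/1#kim@corp.example\n"
)


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.IGNORECASE)


def flag_links(body: str, recipient: str) -> list[dict]:
    """Return one finding per link in `body` that matches the pattern in this post."""
    findings = []
    for raw in URL_RE.findall(body):
        try:
            parts = urlsplit(refang(raw))
        except ValueError:  # malformed netloc, e.g. unbalanced brackets
            continue
        host = (parts.hostname or "").lower()
        on_listed_host = any(host == s or host.endswith("." + s) for s in HOSTING_SUFFIXES)
        frag_emails = [e.lower() for e in EMAIL_RE.findall(parts.fragment)]
        reasons = []
        if on_listed_host:
            reasons.append("listed-hosting-domain")
        if recipient.lower() in frag_emails:
            reasons.append("recipient-in-fragment")
        elif frag_emails:
            reasons.append("email-in-fragment")
        if reasons:
            findings.append({"host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_links(SAMPLE_BODY, "kim@corp.example"):
        print(finding)
```

Browsers do not send the `#` fragment in HTTP requests, so a web proxy or server log will not show the embedded address; the check has to run where the full link is visible, such as the mail gateway or the mailbox. A fragment match alone can also occur in legitimate pre-filled links, so it is a signal for review rather than a verdict.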
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Phishing Websites Disguised as Korean Groupware Login Website Being Distributed appeared first on ASEC BLOG.