A currently ongoing mobile-aware phishing campaign is targeting various non-governmental entities worldwide, including United Nations humanitarian organizations such as UNICEF, Lookout reports.
The attacks rely on infrastructure that has been live since March 2019 and which includes two domains hosting phishing content, namely session-services[.]com and service-ssl-check[.]com.
The domains resolve to IP addresses 111.90.142.105 and 111.90.142.91 and Lookout has discovered that the associated IP network block and ASN (Autonomous System Number) has a low reputation and was previously observed hosting malware.
What makes the campaign stand out, however, is its ability to detect mobile devices and to log keystrokes as soon as they are entered on the phishing page.
JavaScript code on the fraudulent pages can determine if a mobile device is being used and then delivers mobile-specific content to the user. The attack also relies on the fact that mobile web browsers truncate the URL, which makes it more difficult for the victims to discover the deception.
The password field on the phishing login pages contains key-logging functionality, meaning that the entered characters are still sent to the attackers even if the target doesn’t complete the login operation (by pressing the login button).
Lookout’s security researchers also discovered that some of the SSL certificates used in the campaign are expired, as they had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019.
Such certificates are immediately detected by browsers, which alert users on the matter using very clear warnings that should make it “near impossible to entice a user to enter their login credentials,” Lookout says.
However, given that six certificates used in the campaign continue to be valid, Lookout ..
Support the originator by clicking the read the rest link below.
