March 19, 2019 - Anomali Threat Research

“Bad Tidings” Phishing Campaign Impersonates Saudi Government Agencies and a Saudi Financial Institution

<h2>Executive Summary</h2><p>In January 2019, researchers from Anomali Labs and Saudi Telecom Company (STC) observed a spike in phishing websites impersonating the Saudi Arabian Ministry of Interior’s e-Service portal known as “Absher”. Further analysis uncovered a broader phishing campaign targeting four different Kingdom of Saudi Arabia government agencies and a single Saudi-based financial institution. The campaign dates back to at least late November 2016, during which time over 90 confirmed phishing hostnames (46 unique domains) were created to target at least five KSA entities. Given the attackers’ targeting affinity for the Saudi Ministry of Interior’s Absher portal, which represents close to 60 percent of the KSA-related phishing sites, we have named the campaign “Bad Tidings” after the English language translation “Good Tidings” of the Arabic language word “Absher”.</p><p>Prior to the release of this blog post, Anomali and STC coordinated with the National Cybersecurity Authority (NCA) and Saudi CERT to address this security concern. We also submitted the phishing sites to <a href="https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en" target="_blank">Google Safe Browsing</a> and <a href="https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest" target="_blank">Microsoft Defender Security Intelligence</a> as an additional security measure to block the fraudulent websites.</p><h2>Bad Tidings Campaign Overview</h2><p>The Bad Tidings Campaign is an ongoing phishing campaign that began on or about November 21, 2016 and is known for targeting four Kingdom of Saudi Arabia government agencies, with a single occurrence against a Saudi-based financial institution. Since late November 2016, our researchers have observed 95 unique phishing hostnames created using misspelled domains, alternative top level domains (TLDs) other than the legitimate gov.sa domains, or punycode-based sites. 
To date, the attacker(s) have targeted the following KSA entities:</p><table class="table table-bordered table-striped" style="table-layout:fixed"><thead><tr><th scope="col">First Seen</th><th scope="col">Last Seen</th><th scope="col">KSA Entity</th><th scope="col">Number of Observed Phishing Sites</th></tr></thead><tbody><tr><td style="word-wrap: break-word">12/17/2017</td><td style="word-wrap: break-word">3/16/2019</td><td style="word-wrap: break-word">Ministry of Interior (Absher)</td><td style="word-wrap: break-word">54 (56.84%)</td></tr><tr><td style="word-wrap: break-word">8/16/2017</td><td style="word-wrap: break-word">3/17/2019</td><td style="word-wrap: break-word">Saudi Government</td><td style="word-wrap: break-word">18 (18.95%)</td></tr><tr><td style="word-wrap: break-word">1/4/2018</td><td style="word-wrap: break-word">3/18/2019</td><td style="word-wrap: break-word">Ministry of Foreign Affairs</td><td style="word-wrap: break-word">14 (14.74%)</td></tr><tr><td style="word-wrap: break-word">8/16/2017</td><td style="word-wrap: break-word">3/16/2019</td><td style="word-wrap: break-word">Ministry of Labor and Social Development</td><td style="word-wrap: break-word">7 (7.37%)</td></tr><tr><td style="word-wrap: break-word">2/17/2019</td><td style="word-wrap: break-word">2/19/2019</td><td style="word-wrap: break-word">Saudi British Bank</td><td style="word-wrap: break-word">2 (2.11%)</td></tr></tbody></table><h3>Characteristics of Bad Tidings Phishing Sites</h3><p>The phishing hostnames created during this campaign employ multiple spoofing techniques to disguise the fraudulent sites. We have observed the attackers create sites using either a single or combined technique of punycode-based spoofing attacks, typosquatting, or SubDomain spoofing attacks. A detailed explanation of these spoofing techniques and their use during the Bad Tidings Campaign can be found below in the “Spoofing Techniques Employed” section. 
During the campaign, the attackers registered KSA-related fraudulent domains using one of 14 different top level domains (TLDs), with the top five represented by .cc with 30 (31.58%) domains, followed by .xyz (17.89%), .club with 12 (12.63%), .site with seven (7.37%), and .services with five (5.26%).</p><p>The phishing sites associated with this campaign typically contain two web pages: a replica of the target entity’s homepage and a faux login page. At first look, the fraudulent login pages appear to display the legitimate account access portal, but when users provide their user ID and password, they are redirected to the initial phishing landing page without logging into the intended resource. Typically, at this stage the phishers have stolen the user’s credentials and are likely to sell them on underground markets or use them to impersonate the victim to commit fraudulent actions.</p><h3>Response from the Saudi Twitter Community</h3><p>The earliest known open source reference to phishing domains associated with the Bad Tidings Campaign appeared on Twitter in a message by the user <a href="https://twitter.com/urlscanio/status/1083084339791958021" target="_blank">@urlscan.io</a> at 1:33 PM EST on Wednesday, January 9, 2019. Following this tweet, we have seen at least three other Twitter users post 15 original messages, with the most prolific coming from @SaudiDFIR. In one of <a href="https://twitter.com/SaudiDFIR/" target="_blank">@SaudiDFIR’s</a> most recent <a href="https://twitter.com/SaudiDFIR/status/1107653197458538498" target="_blank">tweets</a>, at 9:41 AM EST on Monday, March 18, 2019, they described the attackers switching to Registrar NameCheap, a new domain registration vendor outside of the typical use of GoDaddy. It is still unclear if this is a change of preferred vendor or an additional Registrar used for registering fraudulent domains; however, our researchers continue to monitor the campaign to validate a shift or addition in tactics. 
A breakdown of Bad Tidings Campaign related tweets can be found in Appendix B - Summary of Tweets Related to the Bad Tidings Campaign.</p><p style="text-align: center;"><em><img alt="Faux websites spoofing the Ministry of Labor, Ministry of Foreign Affairs, Ministry of Interior, Saudi National Portal, &amp; Saudi British Bank" src="https://cdn.filestackcontent.com/Y0MaGPftQMKJwcVrXttC"/><br/> Figure 1. Faux websites spoofing the Ministry of Labor (Top Left), Ministry of Foreign Affairs (Bottom Left), Ministry of Interior (Middle), Saudi National Portal (Top Right), &amp; Saudi British Bank (Bottom Right)</em></p><h2>Spoofing Techniques Employed</h2><h3>Punycode Spoofing</h3><p>Punycode is a method of representing Internationalized Domain Names (IDNs), written in local-language characters, using only the letters (A-Z, a-z), digits (0-9), and hyphens (-) that the domain name system (DNS) supports. For instance, "المملكة العربية السعودية" (English translation: Kingdom of Saudi Arabia) would be encoded as "btdbbeedc3dr2a6eg3lpaaegha5fvb" and prefixed with “xn--”, resulting in “xn-- -btdbbeedc3dr2a6eg3lpaaegha5fvbi”. In a punycode spoofing attack, the malicious actor registers a domain name whose native (Unicode) form resembles a legitimate domain name. For example, the Ministry of Foreign Affairs parent hostname mofa.gov.sa could be spelled out as ⅿofà[.]ɡоv[.]sä (Unicode) and converted into xn--of-kia5154a[.]xn--v-r1a54l[.]xn--s-0fa (punycode).</p><p>The first use of the punycode spoofing technique was on May 24, 2018 and continued over a six-month period, with the last known domain created on December 6, 2018. During this period, the threat actor or group registered a total of 13 unique punycode domains to target three KSA government agencies: KSA Government, MOI, and MOFA. 
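</p><p>Decoding such A-labels, together with the subdomain spoofing and typosquatting variants the campaign combines them with (described in the next two sections), can be automated for triage. The following Python script is an added example, not Anomali or STC tooling; its allowlist of legitimate domains, brand labels, two-label suffix set and confusable map are assumptions built from the entities named in this post (a production tool would use the Public Suffix List and Unicode’s confusables data), and the sample hostnames are taken from hostnames quoted in this post.</p>

```python
"""Lookalike-hostname triage for the punycode, subdomain spoofing and
typosquatting techniques described in this post. Added example, not Anomali
or STC tooling; the tables below are assumptions, not an authoritative list."""
import unicodedata

# Assumption: legitimate registrable domains of the entities named in the post.
LEGIT_DOMAINS = {"moi.gov.sa", "mofa.gov.sa", "mlsd.gov.sa", "saudi.gov.sa",
                 "enjazit.com.sa", "sabb.com"}
# Assumption: brand labels the campaign reuses inside fraudulent hostnames.
BRAND_LABELS = {"moi", "mofa", "mlsd", "absher", "nitaqat", "enjazit", "sabb"}
# Assumption: two-label public suffixes relevant here (stand-in for the PSL).
MULTI_LABEL_SUFFIXES = {"gov.sa", "com.sa"}
# Assumption: confusables NFKD does not fold (Latin script g, Cyrillic o).
CONFUSABLES = {"\u0261": "g", "\u043e": "o"}


def refang(hostname):
    """Turn the post's defanged notation (moi[.]gov[.]sa) back into a hostname."""
    return hostname.strip().lower().replace("[.]", ".").rstrip(".")


def decode_label(label):
    """Decode an A-label (xn--...) to Unicode; other labels pass through and a
    label that fails the IDNA round-trip check is returned unchanged."""
    if not label.startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label


def skeleton(text):
    """Fold diacritics and known confusables so sá, ṣa and şa all become sa."""
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def levenshtein(a, b):
    """Edit distance, enough to catch one-character typos such as abshr."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(labels):
    """Labels of the registrable domain: the last two, or three for a suffix
    listed in MULTI_LABEL_SUFFIXES (so www.moi.gov.sa gives moi.gov.sa)."""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3:]
    return labels[-2:]


def triage(hostname):
    """Return (verdict, reasons); verdict is legitimate, suspicious or unknown."""
    labels = refang(hostname).split(".")
    reg = registrable_domain(labels)
    if ".".join(reg) in LEGIT_DOMAINS:
        return "legitimate", []
    reasons = []
    # Subdomain spoofing: a brand label sits left of a domain the brand does not own.
    brands = [lab for lab in labels[:-len(reg)] if lab in BRAND_LABELS]
    if brands:
        reasons.append("brand label(s) %s under %s" % (",".join(brands), ".".join(reg)))
    # Punycode spoofing: decode the second-level label and fold it to a skeleton.
    sld = reg[0]
    decoded = decode_label(sld)
    if decoded != sld:
        reasons.append("IDN label %s decodes to %s" % (sld, decoded))
    folded = skeleton(decoded)
    if folded == "sa":
        reasons.append("second-level label mimics the .sa ccTLD")
    # Typosquatting: brand on the wrong TLD, or one edit away from a brand.
    for brand in sorted(BRAND_LABELS):
        if folded == brand:
            reasons.append("brand %s on TLD .%s" % (brand, reg[-1]))
        elif len(brand) >= 5 and levenshtein(folded, brand) == 1:
            reasons.append("%s is one edit from brand %s" % (folded, brand))
    return ("suspicious" if reasons else "unknown"), reasons


# Constructed sample: hostnames quoted in this post, plus the real portal.
SAMPLE_HOSTS = ["www.moi.gov.sa", "visa[.]mofa[.]gov[.]xn--s-ufa[.]xyz",
                "www[.]moi[.]gov[.]sa[.]abshr[.]club", "nitaqat[.]gov[.]mlsd[.]se",
                "xn--a-hrm[.]cc"]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        verdict, why = triage(host)
        print("%-40s %-10s %s" % (host, verdict, "; ".join(why)))
```

<p>Running the script prints a verdict and the matched reasons for each sample hostname; <code>triage()</code> returns the same tuple for use in a monitoring pipeline.</p><p>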
This technique was further combined with a subdomain spoofing attack to create 44 variations impersonating the parent domain of the targeted agencies e.g. moi[.]gov[.]sa[.]xn--mgb[.]cc. The below table represents the 13 unique punycode domains observed in mid to late 2018.</p><table class="table table-bordered table-striped" style="table-layout:fixed"><thead><tr><th scope="col">Creation Date</th><th scope="col">Punycode Domain</th><th scope="col">IDN Domain</th><th scope="col">Spoofed KSA Ministries</th></tr></thead><tbody><tr><td style="word-wrap: break-word">12/6/2018</td><td style="word-wrap: break-word">xn--s-0fa[.]site</td><td style="word-wrap: break-word">sä[.]site</td><td style="word-wrap: break-word">KSA Government, MOI</td></tr><tr><td style="word-wrap: break-word">11/21/2018</td><td style="word-wrap: break-word">xn--s-wha[.]cc</td><td style="word-wrap: break-word">są[.]cc</td><td style="word-wrap: break-word">KSA Government, MOFA, MOI</td></tr><tr><td style="word-wrap: break-word">10/9/2018</td><td style="word-wrap: break-word">xn--s-ufa[.]site</td><td style="word-wrap: break-word">sá[.]site</td><td style="word-wrap: break-word">KSA Government, MOFA, MOI</td></tr><tr><td style="word-wrap: break-word">10/9/2018</td><td style="word-wrap: break-word">xn--s-ufa[.]ws</td><td style="word-wrap: break-word">sá[.]ws</td><td style="word-wrap: break-word">KSA Government, MOI</td></tr><tr><td style="word-wrap: break-word">10/9/2018</td><td style="word-wrap: break-word">xn--s-ufa[.]xyz</td><td style="word-wrap: break-word">sá[.]xyz</td><td style="word-wrap: break-word">KSA Government, MOFA, MOI</td></tr><tr><td style="word-wrap: break-word">9/17/2018</td><td style="word-wrap: break-word">xn--s-0fa[.]cc</td><td style="word-wrap: break-word">sä[.]cc</td><td style="word-wrap: break-word">KSA Government, MOFA, MOI</td></tr><tr><td style="word-wrap: break-word">9/16/2018</td><td style="word-wrap: break-word">xn--a-hrm[.]cc</td><td style="word-wrap: 
break-word">ṣa[.]cc</td><td style="word-wrap: break-word">KSA Government</td></tr><tr><td style="word-wrap: break-word">8/3/2018</td><td style="word-wrap: break-word">xn----ymcbgcb3bmeyo2w[.]cc</td><td style="word-wrap: break-word"><span>تاشيرة-صادرة[.]cc</span></td><td style="word-wrap: break-word">MOFA</td></tr><tr><td style="word-wrap: break-word">8/1/2018</td><td style="word-wrap: break-word">xn------nzeaabbbafni4f0aeuf8b7a0b6q5aejenl1f[.]xyz</td><td style="word-wrap: break-word">الاستعلام-بواسطة-الرقم-الصادر[.]xyz</td><td style="word-wrap: break-word">MOI</td></tr><tr><td style="word-wrap: break-word">7/31/2018</td><td style="word-wrap: break-word">xn--s-oha[.]cc</td><td style="word-wrap: break-word">sā[.]cc</td><td style="word-wrap: break-word">KSA Government, MOFA, MOI</td></tr><tr><td style="word-wrap: break-word">7/30/2018</td><td style="word-wrap: break-word">xn--s-ufa[.]cc</td><td style="word-wrap: break-word">sá[.]cc</td><td style="word-wrap: break-word">KSA Government, MOFA</td></tr><tr><td style="word-wrap: break-word">7/7/2018</td><td style="word-wrap: break-word">xn--a-0ma[.]cc</td><td style="word-wrap: break-word">şa[.]cc</td><td style="word-wrap: break-word">KSA Government, MOFA, MOI</td></tr><tr><td style="word-wrap: break-word">5/24/2018</td><td style="word-wrap: break-word">xn--mgb[.]cc</td><td style="word-wrap: break-word">ا[.]cc</td><td style="word-wrap: break-word">MOI, MOFA</td></tr></tbody></table><h3>SubDomain Spoofing</h3><p>In the 2018 APWG’s Symposium on Electronic Crime Research, <a href="https://docs.apwg.org/ecrimeresearch/2018/5359941.pdf" target="_blank">two researchers</a> from the Nile University stated that a subdomain spoofing attack, “takes advantage of the fact that the subdomain is displayed in the least significant label order”. 
An attacker might attempt to confuse the user by registering a third-level domain name that looks similar to the authentic domain name and then crafting a long URL that contains the fake domain name; a user may be lured into thinking that he or she is accessing the legitimate domain name. For example, the Bad Tidings actor or group registered multiple punycode domains to target KSA government agencies such as the Ministry of Foreign Affairs (MOFA)’s electronic visa services platform (visa.mofa.gov) using the fraudulent site visa[.]mofa[.]gov[.]xn--s-ufa[.]xyz, which closely resembles the authentic MOFA site.</p><h3>Typosquatting</h3><p>Typosquatting is the practice of registering domains that can be confused with the legitimate site or brand name by using spelling or grammatical errors or even the wrong top level domain (TLD). For example, the Absher portal is a web page located underneath the website https://www.moi.gov.sa/; however, malicious actors have appropriated the brand name “Absher” to create typosquatting domains with misspellings and wrong TLDs, e.g. abshr[.]xyz, or simply wrong TLDs, e.g. absher[.]space.</p><h2>Threat Infrastructure Analysis</h2><h3>Whois Record Analysis</h3><p>Upon initial review of Whois record information for the 46 unique domains used in the Bad Tidings Campaign, the threat actor or group provided minimal registrant information. Nonetheless, there were multiple references to Yemen, two Yemeni districts (Al Hada and Sanaa), and two distinct registrant organizations, mdr and WVW. A historical Whois record search for the Yemeni registrants revealed:</p><ul><li><strong>Yemeni Registrant 1</strong> - The registrant named “Anwr Abdu” of registrant organization “WVW” used a free Gmail account (wwvvxx2013{at}gmail[.]com) to register at least four fraudulent domains: moi[.]services, xn--s-ufa[.]site, xn--s-ufa[.]xyz, and ar-saudi[.]xyz. All of the domains were created with Registrar GoDaddy between August 16, 2017 and October 9, 2018. 
This registrant is listed in Whois records with an undisclosed address in Sanaa, Yemen 00967 with a contact phone number of +967.7102552. This actor is known to have created multiple phishing sites to target four KSA government agencies: MOI (Absher), MOFA, Saudi Government, and MLSD.</li><li><strong>Yemeni Registrant 2</strong> - The registrant named “Hgvhud Ali” used a free Gmail account (hgvhud{at}gmail[.]com) to register a single typosquatting domain (sa-r[.]xyz) with Registrar GoDaddy on January 4, 2018. This registrant is listed in Whois records with an undisclosed address in Sanaa, Yemen 00967 with a contact phone number of +967.701913759. As recently as July 1, 2018, we observed at least one subdomain spoofing attack against the MOFA electronic visa portal using the fraudulent hostname visa[.]mofa[.]gov[.]sa-r[.]xyz.</li><li><strong>Yemeni Registrant 3</strong> - The registrant named “Mohammed Alhamad” used a free Hotmail account (mohmoh912{at}hotmail[.]com) to register a single Saudi Government national portal-themed typosquatting domain (ksa[.]services) with Registrar GoDaddy on November 19, 2016. This registrant is listed in Whois records with a potentially faux address of Al Dereiah, Riyadh, Sanaa, 11428, YE with a contact phone number of +966.505900772. We judge with moderate confidence that the threat actor or group employed poor operational security (OPSEC) when attempting to disguise their actual country of origin (Yemen) as Saudi Arabia.</li></ul><p>Other suspect, non-Yemen-based registrants we uncovered, which targeted KSA-related entities to a lesser degree, were:</p><ul><li>On March 17, 2019, an unknown registrant from Panama registered the MLSD-themed typosquatting domain mlsd[.]icu with Registrar GoDaddy. 
Within the same day, the malicious actor created two subdomains, moi[.]gov[.]sa[.]mlsd[.]icu and www[.]moi[.]gov[.]sa[.]mlsd[.]icu, both spoofed hostnames targeting the Ministry of Interior’s Absher portal.</li><li>On March 13, 2019, an unknown registrant from Saudi Arabia registered a seemingly innocuous domain, isdar[.]club, with Registrar GoDaddy. Within two days, the malicious actor created a subdomain, visa[.]mofa[.]gov[.]sa[.]isdar[.]club, to target the Ministry of Foreign Affairs (MOFA)’s electronic visa service portal.</li><li>On February 16, 2019, a registrant named “Adam Booth” used an email address (adam{at}omnia[.]ae) from a company named “Omnia”, a leading digital and branding agency in Dubai (UAE) and Abu Dhabi (UAE), to register the Absher-themed typosquatting domain absher[.]world with Registrar GoDaddy. This registrant is listed in Whois records with a physical address of G26, Building 9, Dubai Media City, Dubai, UAE 500475.</li><li>On December 13, 2018, a registrant using the name “Tlgnyx9621-30252” created the typosquatting domain mlsd[.]se with German Registrar 1API GmbH. Within three days of registration, the threat actor purchased a domain validated SSL/TLS certificate (SN: 193433912382113003336707843308288517108) from Comodo CA and created two fraudulent subdomains, nitaqat[.]gov[.]mlsd[.]se and www[.]nitaqat[.]gov[.]mlsd[.]se, to target the Ministry of Labor and Social Development (MLSD).</li><li>On March 30, 2018, a registrant and known <a href="https://www.wipo.int/amc/en/domains/search/fulltext_decisions.jsp?tab=1&amp;q=Yang+Xiao+Yuan&amp;rows=23" target="_blank">cybersquatter</a> named “Yang Xiaoyuan”, alias “Yang Xiao Yuan”, with no listed registrant email address registered the typosquatting domain sa-ar[.]xyz with Registrar Alibaba. This registrant is listed in Whois records with a physical address of Hai Yang Ming Zhu 4 Dong 2 Dan Yuan, Shao Yang Shi, Hu Nan, China 42200 and a contact number of 86.17363984. 
According to historical Whois records, this domain was previously owned by the Yemeni registrant “Hgvhud Ali”, registered with Registrar GoDaddy, and expired on March 13, 2018, after which “Yang Xiaoyuan” registered and parked the domain with Registrar Alibaba on March 30, 2018. During the earlier ownership period, we observed two separate subdomain spoofing attacks, moi[.]gov[.]i[.]sa-ar[.]xyz and moi[.]gov[.]e[.]sa-ar[.]xyz, in December 2017 targeting the MOI’s Absher portal.</li></ul><h3>IP Address Analysis</h3><p>The campaign used three primary IP addresses to host faux login pages mimicking KSA entities, all of which were assigned to GoDaddy (AS26496) address space.</p><ul><li>The main IP address used in the Bad Tidings campaign was 160[.]153[.]75[.]64. The first phishing site observed resolving to this address was seen on December 17, 2017 and the latest on March 6, 2019. A passive DNS search of this address uncovered 388 total hostnames dating back to September 3, 2012. Our analysis found that 76 phishing sites out of the 388 hostnames, or 19.58%, were used to target the Ministry of Interior (Absher), Saudi Government, Ministry of Foreign Affairs, Ministry of Labor and Social Development, and Saudi British Bank.</li><li>The second IP address observed was 23[.]229[.]166[.]161. The earliest phishing site was seen on August 16, 2017 and the most recent on March 18, 2019. A passive DNS search revealed 463 historical hostname resolutions dating back to May 26, 2014. We found that 10 unique hostnames hosted on four different domains were used to target four KSA government agencies: the Ministry of Interior (Absher), Saudi Government, the Ministry of Foreign Affairs, and the Ministry of Labor and Social Development.</li><li>The third IP address observed was 160[.]153[.]246[.]182. The earliest phishing site was seen on August 2, 2018 and the most recent on March 18, 2019. A passive DNS search uncovered 13 historical hostname resolutions dating back to June 7, 2012. 
Of these 13 hostnames, eight, hosted on six unique domains, were used to target four KSA government agencies: the Ministry of Interior (Absher), Saudi Government, the Ministry of Foreign Affairs, and the Ministry of Labor and Social Development.</li></ul><p style="text-align: center;"><em><img alt="Historical domain resolutions for the IP address 160[.]153[.]75[.]64" src="https://cdn.filestackcontent.com/iXqcX7YLTB2tcZFo88W2"/><br/> Figure 2. Historical domain resolutions for the IP address 160[.]153[.]75[.]64</em></p><h3>SSL Certificate Analysis</h3><p>Our research found that 42 out of 95, or 44.21%, of the phishing sites used one of 24 unique SSL/TLS certificates issued by a single vendor, Comodo CA (Sectigo). The attackers seem to prefer the purchase and installation of Domain Validated (DV) certificates. For example, the first observed DV SSL/TLS certificate (SN: <a href="https://censys.io/certificates/7ea759a5af6933af7233b354b2a104cbdbe2e9d6562240c8f2e1895e816f4565" target="_blank">64391503747305407148025706187116826556</a>) was installed on two phishing sites, moi[.]gov[.]sa[.]xn--mgb[.]cc and www[.]moi[.]gov[.]sa[.]xn--mgb[.]cc, and used to impersonate the MOI’s e-Service portal (Absher). We believe this preference is most likely due to DV certificates being issued through automated systems and the limited vetting requirements to obtain them, such as proving ownership with an email from the created domain or a phone call from a number contained in the Whois record of the domain.</p><p style="text-align: center;"><em><img alt="First Bad Tidings Campaign SSL/TLS certificate observed" src="https://cdn.filestackcontent.com/jdL03tlMT0sdilVI8kUv"/><br/> Figure 3. First Bad Tidings Campaign SSL/TLS certificate observed (Source: Censys.io)</em></p><h2>A Peek Inside an Absher Phishing Site</h2><p>As previously mentioned, the Ministry of Interior’s e-Services portal known as Absher was the most targeted KSA government agency. 
Absher is an electronic system that provides a total of 160 services such as checking mail, registering vehicles, booking government appointments, and applying for visas. The phishing websites mimic the MOI home page and Absher login portal in an attempt to steal the Saudi citizen’s email address and password. The schemes have been designed to trick Saudi citizens trying to access their online Absher account and, at first look, appear to display the legitimate login portal. In one of the most recent examples, on March 4, 2019, the threat actor or group employed the typosquatting and subdomain spoofing attack techniques to target the MOI with the phishing website hxxp://www[.]moi[.]gov[.]sa[.]abshr[.]club. At the time of discovery, the website was hosted by a GoDaddy server resolving to IP address 160[.]153[.]75[.]64 (AS26496) and located in the United States. The site contained two cloned versions of legitimate MOI websites - the MOI homepage and MOI e-Services Portal (Absher) - used to target unsuspecting Saudi citizens (See Figure 4). The phishing site’s address looks convincingly similar to the MOI website hosted at moi.gov.sa. Whether users attempt to register for an Absher account, reset their password, or log into their account, they are presented with the same pop-up window that requests their username (email address) and password (See Figure 5). To make the faux login page appear even more authentic, users have to complete a Captcha, a common challenge-response system designed to differentiate humans from robots or automated software tools, which site owners use to prevent brute-force attacks. Once the user has entered their account credentials, they are redirected back to the fraudulent MOI homepage.</p><p style="text-align: center;"><em><img alt="Faux Ministry of Interior of the Kingdom of Saudi Arabia home page" src="https://cdn.filestackcontent.com/rJkP42UzQ8ipWjFRHi1A"/><br/> Figure 4. 
Faux Ministry of Interior of the Kingdom of Saudi Arabia home page</em></p><p style="text-align: center;"><em><img alt="Faux account login page for MOI e-Services Absher portal" src="https://cdn.filestackcontent.com/G1tGRb54R4RWhmq1OY6h"/><br/> Figure 5. Faux account login page for MOI e-Services Absher portal</em></p><h2>Protecting the Kingdom of Saudi Arabia Government Agencies from Domain Impersonations</h2><ul><li><strong>Trademark Registration</strong> - Protecting your brand and its reputation involves registering your trademark. As a trademark owner, you have the right to submit takedowns of fraudulent domains and websites on your own or through trusted vendors. This is usually done by filing a complaint with the offending organizations via Registrars and Hosting Providers. If this request is not honored, the trademark owner has an alternative takedown means under the Uniform Domain-Name Dispute-Resolution Policy (UDRP): filing a Uniform Rapid Suspension (URS) complaint with the World Intellectual Property Organization (WIPO) to take down the offending domains. A friendly reminder, though: organizations need to first register their trademarked brand with the Trademark Clearinghouse (TMCH), ICANN’s database of protected trademarks, before submitting the URS complaint.</li><li><strong>Defensive Registration</strong> - If cost effective, proactively register name variants of your domains, with particular emphasis on websites offering informational or account services for Saudi citizens and other individuals. Once purchased, we recommend ensuring each domain is configured to redirect to the legitimate website, as this helps users who unknowingly mistype the website address by driving their traffic to the intended source.</li><li><strong>Domain Monitoring and Takedown Service</strong> - Consider investing in a commercial domain monitoring and takedown service that provides early detection, alerting, and removal of fraudulent domains and websites. 
The service should be capable of monitoring both domains and subdomains since, as observed in this phishing campaign, the threat actor or group uses a variety of spoofing techniques to achieve their objectives.</li><li><strong>Multi-Factor Authentication (MFA)</strong> - Implement a multi-factor authentication (MFA) protocol for accessing online government services. Online account access using traditional methods such as email addresses and passwords can be susceptible to brute-force attacks or social engineering attacks. Supplementing account access by adding an extra authentication step like MFA can offer a stronger security measure to combat unauthorized entry to your users’ accounts. This can prevent malicious actors from simply guessing a user’s account credentials, or from setting up a faux login page and luring your users into disclosing their credentials, thereby taking over their account and accessing their privileged data.</li><li><strong>Public Service Announcements</strong> - Upon notification or becoming aware of a phishing or scam incident, issue a public statement to inform Saudi citizens about the situation, how to spot the fraudulent campaign, steps on how to protect themselves from being victimized, and measures to take if they have been or believe they have been duped in the fraudulent incident.</li></ul><h2>Defending against MOI e-Services Portal (Absher) Phishing Scams</h2><ul><li><strong>Stay Alert to the Latest Phishing Campaigns</strong> - Be wary of unsolicited emails or SMS (text) messages from untrusted users and refrain from opening any file attachments or clicking on any embedded hyperlinks, especially when the sender asks you to visit a suspicious-looking site that requests sensitive and confidential information such as your email address, password, valid identification or residence permit (Iqama) number, and mobile number.</li><li><strong>Report Attacks to the Appropriate Authorities</strong> - If a Saudi Arabian citizen or other 
individual encounters a fraudulent or malicious website impersonating the MOI e-Services Portal (Absher) or other online government services, do not attempt to log into the website. Instead report it directly to your local security contact and the National Cyber Security Center (info@ncsc.gov.sa) and Saudi CERT (info@cert.gov.sa). We also recommend submitting the fraudulent site(s) to <a href="https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en" target="_blank">Google Safe Browsing</a> and <a href="https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest" target="_blank">Microsoft Defender Security Intelligence</a> to help prevent other Internet-wide users from being duped.</li><li><strong>Website Address Bar Inspection</strong> - Always inspect the website address to ensure the legitimate website is properly displayed. Do not blindly trust that the padlock located at the top left of the address bar signifies that the website is legitimate as it only indicates the information moved from your computer to the requested site is encrypted.</li><li><strong>Password Management:</strong><ul><li><strong>Passphrases Versus Passwords</strong> - Use long passphrases instead of passwords. Passphrases are “memorized secrets” consisting of a sequence of words or other text used to authenticate your identity e.g. bestcolorintheworldisgreen (Weak passphrase) and b3$tc0l0RiNth3w0rLd1sgr33n (Strong passphrase). Remember when creating a passphrase to use a unique one per account and ensure it is more than 12 characters in length with a mixture of numbers, upper and lower case letters, and symbols.</li><li><strong>Password Manager</strong> - Consider investing in a password manager application from a reputable vendor to store and manage your passwords securely on your computer, mobile device, or in the cloud. 
As a reminder, make sure that the passphrase for your password manager also follows the same fundamentals mentioned above.</li><li><strong>Two-Factor/Multi-Factor Authentication</strong> - Where available, turn on two-factor authentication or multi-factor authentication (MFA) in the online account’s security settings and follow the provided instructions. Enabling 2FA/MFA offers an added layer of security because, if your email address and password have been previously compromised, a lost or stolen password alone would not be sufficient to gain access to your account and sensitive data.</li></ul></li></ul><h2>Conclusion</h2><p>Anomali and STC believe the Bad Tidings campaign’s heavy focus on the electronic services of Kingdom of Saudi Arabia (KSA) government agencies is reflective of information gathering operations employed by a financially motivated actor or group attempting to steal and monetize personally identifiable information (PII) and other sensitive data. Online government portals offering citizen services remain attractive targets as they store vast amounts of personal and sensitive information in a centralized location and, if compromised, can provide malicious actors with enough data for resale on underground markets or to commit fraudulent actions such as identity theft. We expect this campaign or similar ones will continue to target KSA government e-services using phishing attacks via email or text messages to lure KSA citizens to faux login portals. Therefore, we urge all KSA citizens to remain vigilant of these phishing threats and report any suspicious activity to the appropriate authorities.</p><p>Anomali Labs and STC are actively monitoring phishing, malware, and other cyber threats to the Kingdom of Saudi Arabia to enhance the security of the Kingdom and protect its citizens. 
We will continue to share intelligence with the community and affected organizations as new threats arise.</p><h2>References</h2><ul><li><a href="https://censys.io/certificates/7ea759a5af6933af7233b354b2a104cbdbe2e9d6562240c8f2e1895e816f4565" target="_blank">Censys.io</a></li><li><a href="https://docs.apwg.org/ecrimeresearch/2018/5359941.pdf" target="_blank">Large Scale Detection of IDN Domain Name Masquerading</a></li><li><a href="https://www.moi.gov.sa/wps/portal/Home/Home/!ut/p/z1/04_iUlDgAgP9CCATyEEmKOboR-UllmWmJ5Zk5ucl5uhH6EdGmcVbBro7e3iYGHm7GzqaGTh6mhv5G3iaGrp7Gul76UfhVxCcmqdfkB2oCABPX762/" target="_blank">Ministry of Interior (Kingdom of Saudi Arabia)</a></li><li><a href="https://www.mofa.gov.sa/sites/mofaen/Minister/Pages/Default.aspx" target="_blank">Ministry of Foreign Affairs (Kingdom of Saudi Arabia)</a></li><li><a href="https://mlsd.gov.sa/en/node" target="_blank">Ministry of Labor and Social Development (Kingdom of Saudi Arabia)</a></li><li><a href="https://www.saudi.gov.sa/wps/portal/snp/main" target="_blank">Saudi National Portal</a></li><li><a href="https://www.sabb.com/" target="_blank">Saudi British Bank (SABB)</a></li><li>Twitter (<a href="https://twitter.com/sarahalosaimi93" target="_blank">@sarahalosaimi93</a>)</li><li>Twitter (<a href="https://twitter.com/0xAbdullah" target="_blank">@0xAbdullah</a>)</li><li>Twitter (<a href="https://twitter.com/SaudiDFIR/" target="_blank">@SaudiDFIR</a>)</li><li>Twitter (<a href="https://twitter.com/urlscan.io/" target="_blank">@urlscan.io</a>)</li><li><a href="https://urlscan.io/" target="_blank">URL Scan</a></li><li><a href="https://www.wipo.int/amc/en/domains/search/fulltext_decisions.jsp?tab=1&amp;q=Yang+Xiao+Yuan&amp;rows=23" target="_blank">WIPO</a></li></ul><h2>Appendix A - Indicators of Compromise</h2><h3>MOI e-Services Portal (Absher) Phishing 
Sites</h3><h3>Ministry of Foreign 
Affairs</h3><h3>Saudi Government</h3><h3>Ministry of Labor and Social Development (Nitaqat)</h3><h3>Saudi British Bank (SABB)</h3><ul><li>sabbank[.]net</li><li>www[.]sabbank[.]net</li></ul><h3>IP Addresses Used During Bad Tidings Campaign</h3><ul><li>160[.]153[.]75[.]64</li><li>23[.]229[.]166[.]161</li><li>160[.]153[.]246[.]182</li></ul><h3>Comodo-Issued Domain Validated SSL/TLS Certificate Serial 
Numbers</h3><h2>Appendix B - Summary of Tweets Related to the Bad Tidings Campaign</h2><h4>Saudi Incident Responders (<a href="https://twitter.com/SaudiDFIR/" target="_blank">@SaudiDFIR</a>)</h4><p>From January 9, 2019 to March 18, 2019, the Twitter user Saudi Incident Responders (<a href="https://twitter.com/SaudiDFIR/" target="_blank">@SaudiDFIR</a>) tweeted 12 times about phishing threats to three Kingdom of Saudi Arabia government agencies and the Saudi British Bank (SABB).</p><ul><li>On <a href="https://twitter.com/SaudiDFIR/status/1107664027453452290" target="_blank">March 18, 2019</a>, the MOFA was targeted in a punycode-based attack xn----ymcbgcb3bmeyo2w[.]cc (IDN: تاشيرة-صادرة[.]cc). 
On the <a href="https://twitter.com/SaudiDFIR/status/1107653197458538498" target="_blank">same day</a>, the MOI’s Absher portal and MOFA were impersonated in a typosquatting attack using engaz[.]club and a subdomain spoofing attack using visa[.]mofa[.]gov[.]sa[.]engaz[.]club.</li><li>On <a href="https://twitter.com/SaudiDFIR/status/1107338560376586240" target="_blank">March 17, 2019</a>, the MOI’s Absher portal was targeted in a subdomain spoofing attack using moi[.]gov[.]sa[.]mlsd[.]icu.</li><li style="word-wrap: break-word">On <a href="https://twitter.com/SaudiDFIR/status/1087777857072447488" target="_blank">March 5, 2019</a>, the MOI’s Absher portal was targeted in a subdomain spoofing attack where visitors to the website hxxp://xn------nzeaabbbafni4f0aeuf8b7a0b6q5aejenl1f[.]xyz were redirected to the phishing site hxxp://www[.]moi[.]gov[.]sa[.]absher[.]space/?bnmoi&amp;contents&amp;pswid=Z7_0I44H142KO3AE0A6FL9R901IE2&amp;urile=wcm%3apath%3a%2FMOI%2BDiwan%2FMOI%2BHome%2BContent%2BAR%2FHome%2FNews%2F.</li><li>On <a href="https://twitter.com/SaudiDFIR/status/1100648759967576064" target="_blank">February 27, 2019</a>, the MOI’s Absher portal was targeted in a subdomain spoofing attack using moi[.]gov[.]sa[.]absher[.]world.</li><li>On <a href="https://twitter.com/SaudiDFIR/status/1098850853853777922" target="_blank">February 22, 2019</a>, the Saudi British Bank (SABB) was targeted in a typosquatting attack using sabbank[.]net.</li><li>On <a href="https://twitter.com/SaudiDFIR/status/1094701572855132160" target="_blank">February 10, 2019</a>, the MOFA website was targeted in a combination phishing attack where the typosquatting domain ksa[.]services redirected visitors to the subdomain spoofing hostname visa[.]mofa[.]gov[.]sa[.]absher[.]club.</li><li>On <a href="https://twitter.com/SaudiDFIR/status/1088033593925009408" target="_blank">January 23, 2019</a>, the MOI’s Absher portal was impersonated in a combined subdomain spoofing and typosquatting attack using hxxp://moi[.]gov[.]sa[.]absher[.]es, whereby the threat actor abused the Spain country code top-level domain (ccTLD) “.es”.</li><li>On <a href="https://twitter.com/SaudiDFIR/status/1087777857072447488" target="_blank">January 22, 2019</a>, the Ministry of Interior’s Absher portal was targeted with a punycode-based attack (Punycode: www[.]moi[.]gov[.]xn--s-ufa[.]xyz | IDN: www[.]moi[.]gov[.]sá[.]xyz). Unlike previous attacks, this one used a commercial domain validated SSL/TLS certificate (SN: 164574387083593890825952884794268708692) issued by Comodo and installed on the malicious server.</li><li>On <a href="https://twitter.com/SaudiDFIR/status/1083370964698783744" target="_blank">January 10, 2019</a>, the Ministry of Labor and Social Development was targeted using the typosquatting domain nitaqat[.]gov[.]mlsd[.]se. In a <a href="https://twitter.com/SaudiDFIR/status/1083370964698783744" target="_blank">subsequent tweet</a> on the same day, the Ministry of Interior was targeted in a punycode-based attack (Punycode: moi[.]gov[.]xn--s-0fa[.]cc | IDN: moi[.]gov[.]sä[.]cc) using a domain created on September 16, 2018.</li><li>On <a href="https://twitter.com/SaudiDFIR/status/1083088604996472847" target="_blank">January 9, 2019</a>, SaudiDFIR retweeted a report from URLScan.io (<a href="https://urlscan.io/result/50133080-dc3a-42a5-86ce-d6b2f8d5d666" target="_blank">@urlscan.io</a>) that the Ministry of Interior was targeted in a punycode-based attack (Punycode: www[.]moi[.]gov[.]xn--s-ufa[.]site | IDN: www[.]moi[.]gov[.]sá[.]site).</li></ul><h4>Sarah Alosaimi (<a href="https://twitter.com/sarahalosaimi93/" target="_blank">@sarahalosaimi93</a>)</h4><ul><li>On <a href="https://twitter.com/sarahalosaimi93/statuses/1085171537227993098" target="_blank">January 15, 2019</a>, Twitter user Sarah Alosaimi (@sarahalosaimi93) tweeted a photo of an IDN spoofing site moi[.]gov[.]są[.]cc (Punycode: moi[.]gov[.]xn--s-wha[.]cc) impersonating the Ministry of Interior.</li></ul><h4>Abdullah AlZahrani (<a href="https://twitter.com/0xAbdullah/" target="_blank">@0xAbdullah</a>)</h4><ul><li>On <a href="https://twitter.com/0xAbdullah/statuses/1084124522360512512" target="_blank">January 12, 2019</a>, Twitter user Abdullah AlZahrani (@0xAbdullah) tweeted six phishing sites, with screenshots of the faux landing pages, targeting three KSA government agencies using punycode spoofing, subdomain spoofing, and typosquatting. The phishing sites were as follows:</li></ul><table class="table table-bordered table-striped" style="table-layout:fixed"><thead><tr><th>Fraudulent Domain (IDN form)</th><th scope="col">Punycode Form</th><th scope="col">Spoofing Technique Used</th><th>Spoofed KSA Government Agency</th></tr></thead><tbody><tr><td style="word-wrap: break-word">visa[.]mofa[.]gov[.]są[.]cc</td><td style="word-wrap: break-word">visa[.]mofa[.]gov[.]xn--s-wha[.]cc</td><td style="word-wrap: break-word">Punycode Spoofing</td><td style="word-wrap: break-word">Ministry of Foreign Affairs</td></tr><tr><td style="word-wrap: break-word">moi[.]gov[.]są[.]cc</td><td style="word-wrap: break-word">moi[.]gov[.]xn--s-wha[.]cc</td><td style="word-wrap: break-word">Punycode Spoofing</td><td style="word-wrap: break-word">Ministry of Interior Affairs</td></tr><tr><td style="word-wrap: break-word">moi[.]gov[.]sá[.]site</td><td style="word-wrap: break-word">moi[.]gov[.]xn--s-ufa[.]site</td><td style="word-wrap: break-word">Punycode Spoofing</td><td style="word-wrap: break-word">Ministry of Interior Affairs</td></tr><tr><td style="word-wrap: break-word">moi[.]gov[.]sä[.]cc</td><td style="word-wrap: break-word">moi[.]gov[.]xn--s-0fa[.]cc</td><td style="word-wrap: break-word">Punycode Spoofing</td><td style="word-wrap: break-word">Ministry of Interior Affairs</td></tr><tr><td style="word-wrap: break-word">nitaqat[.]gov[.]mlsd[.]se</td><td style="word-wrap: break-word">N/A</td><td style="word-wrap: break-word">Subdomain Spoofing</td><td style="word-wrap: break-word">Ministry of Labor and Social Development</td></tr><tr><td style="word-wrap: break-word">ksa[.]services</td><td style="word-wrap: break-word">N/A</td><td style="word-wrap: break-word">Typosquatting</td><td style="word-wrap: break-word">Saudi eGovernment Portal</td></tr></tbody></table><h4>URLScan.io (<a href="https://twitter.com/urlscanio/" target="_blank">@urlscan.io</a>)</h4><ul><li>On <a href="https://twitter.com/urlscanio/status/1083084339791958021" target="_blank">January 9, 2019</a>, the Twitter user URLScan.io (@urlscan.io) found a punycode website moi[.]gov[.]xn--s-wha[.]cc (IDN: moi[.]gov[.]są[.]cc) hosting a spoofed page of the Ministry of Interior (MOI). Interestingly, the IDN domain was created on November 21, 2018, but it wasn’t until January 9, 2019 that the threat actor purchased and installed a Comodo-issued domain validation SSL/TLS certificate (SN: 137958954953471778626212363418518521661) onto the malicious server.</li></ul>
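<p>As an added example (not code from the Anomali/STC report), the following Python triage helper decodes punycode labels into the IDN form shown in the tables above and flags the three techniques the appendix describes: punycode spoofing, subdomain spoofing (a "gov" label placed under a different registrable domain) and typosquatting. The allow-list of legitimate suffixes and the brand labels are assumptions constructed from hostnames on this page.</p>

```python
# Assumptions for this example: a defender's allow-list of legitimate KSA
# suffixes and the brand labels worth watching, constructed from hostnames
# discussed on this page (not a list from the Anomali/STC report itself).
LEGIT_SUFFIXES = ("gov.sa", "com.sa")
BRAND_LABELS = ("absher", "enjaz", "mlsd", "nitaqat", "sabb", "ksa", "saudi")


def refang(host):
    """Turn the page's defanged form (moi[.]gov[.]sa) back into a hostname."""
    return host.replace("[.]", ".").strip(".").lower()


def to_unicode(host):
    """Decode every xn-- (punycode) label so analysts see the IDN a victim sees."""
    labels = []
    for label in refang(host).split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # keep an undecodable label in its ASCII form
        labels.append(label)
    return ".".join(labels)


def edit_distance(a, b):
    """Levenshtein distance, enough to catch one-character typos like abshr."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return the set of spoofing techniques a hostname shows (empty = not flagged)."""
    labels = refang(host).split(".")
    found = set()
    if any(label.startswith("xn--") for label in labels):
        found.add("punycode")
    if ".".join(labels[-2:]) in LEGIT_SUFFIXES:
        return found  # the registrable domain really is gov.sa / com.sa
    # A 'gov' label left of the registrable domain mimics a government hostname
    # (moi.gov.sa.absher.club, nitaqat.gov.mlsd.se).
    if "gov" in labels[:-2]:
        found.add("subdomain")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if any(sld.startswith(b) or edit_distance(sld, b) <= 1 for b in BRAND_LABELS):
        found.add("typosquat")
    return found
```

<p>Feeding the defanged hostnames from the tables above through <code>classify</code> reproduces the technique column, and <code>to_unicode</code> gives the IDN column without trusting a browser's rendering.</p>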