February 19, 2019
-
Anomali Threat Research
,

Phishing Campaign Spoofs United Nations and Multiple Other Organizations

<p>Anomali Labs researchers recently discovered a phishing site masquerading as a login page for the United Nations (UN) Unite Unity, a single sign-on (SSO) application used by UN staff. When visitors attempt to login into the fraudulent page, their browser is redirected to an invitation for a film viewing at the Poland Embassy in Pyongyang dated September 2018. Further analysis of the threat actor’s infrastructure uncovered a broader phishing campaign targeting several email providers, financial institutions, and a payment card provider. We expect to see malicious actors continue to target the United Nations staff as well as the listed brands and their users with faux login pages designed to pilfer their user credentials for resale on criminal forums and marketplaces and in the case of financial accounts to steal payment card information.</p><p>Prior to the release of this blog post, we have submitted the phishing sites to <a href="https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en" target="_blank">Google Safebrowsing</a> and <a href="https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest" target="_blank">Microsoft</a> for blacklist consideration.</p><h2>Initial Discovery</h2><p>On February 17th, 2019, Anomali Labs researchers discovered a host cloud[.]unite[.]un[.]org[.]docs-verify[.]com bearing a strong resemblance to the legitimate domain name unite.un[.]org used by the United Nations. When navigating to the suspicious subdomain, users are displayed with a phishing site mimicking a United Nations’ Unite Identity login page. According to the <a href="https://uniteID.un.org" target="_blank">UN Unite website</a>, Unite Identity is a single sign-on (SSO) application that allows UN staff to log into various systems such as webmail and internal databases using a single-user ID and password. The phishing site requests users enter their email address ending in @un[.]org and Unite Identity password. The phishing page, a cloned version of the legitimate site, warns users of fake UN websites designed to steal usernames and passwords as well as provides a copy of the website address for the legitimate Unite Identity login page. Therefore, we judge with high confidence that this phishing page is designed to trick United Nations’ staffers into disclosing their user credentials.</p><p style="text-align: center;"><em><img alt="Phishing page mimicking the United Nations’ Unite Identity login site" src="https://cdn.filestackcontent.com/gu0zJUfcTG6xxOlJFA0j"/><br/> Figure 1. Phishing page mimicking the United Nations’ Unite Identity login site</em></p><p>Once users input their credentials and select the blue “Sign in” button, they are redirected to a page for a PDF file named"Invitation.pdf" (MD5: 3a90141002ad87068777d7cc81aa5812), which based on the file’s metadata was created on September 04, 2018. According to the file’s content, it is a community-wide invitation for a Polish film titled “Loving Vincent” at the Embassy of the Republic of Poland in Pyongyang (North Korea) on September 6, 2018 at 6:30 local time. When processed through <a href="https://www.virustotal.com/#/file/28ec93f75dbc08e1227d6aab4cc9e218efeff0af78e030b60caf7b83ee1de659/detection" target="_blank">VirusTotal</a> and <a href="https://www.hybrid-analysis.com/sample/28ec93f75dbc08e1227d6aab4cc9e218efeff0af78e030b60caf7b83ee1de659?environmentId=100" target="_blank">Hybrid Analysis</a>, there were no immediate signs of a malware infected file; therefore, it is unclear as to the purpose behind it.</p><p style="text-align: center;"><em><img alt="Screenshot of invitation for film viewing at the Poland Embassy in Pyongyang" src="https://cdn.filestackcontent.com/P43FD1dvQXOhn0sLnIcm"/><br/> Figure 2. Screenshot of invitation for film viewing at the Poland Embassy in Pyongyang</em></p><h2>SSL Certificate Analysis</h2><p>The server hosting the UN-themed phishing site had a self-signed SSL/TLS certificate (SN: 276742105605466998454240396830933951554982) installed that was issued by Let’s Encrypt, a free certificate provider. The certificate is valid for 90-days starting on January 29, 2019 and expiring on April 29, 2019. The certificate’s Subject Alternative Name (SAN) revealed a total of 12 suspicious subdomain names of the parent domain docs-verify[.]com targeting four email providers Yahoo, AOL, NetEase, and 163.com. At the time of this writing, 6 out of the 12 subdomains hosted replica pages mimicking login sites for the United Nations, Yahoo, AOL, and 163.com.</p><p style="text-align: center;"><em><img alt="SSL Certificate Subject Alternative Name for fraudulent sites targeting the UN, Yahoo, AOL, 163.com, NetEase" src="https://cdn.filestackcontent.com/AnM7nzs0R5mJT5bOqjgw" style="width: 500px;"/><br/> Figure 3. SSL Certificate Subject Alternative Name for fraudulent sites targeting the UN, Yahoo, AOL, 163.com, NetEase</em></p><p style="text-align: center;"><em><img alt="Faux login pages for Yahoo, AOL, and 163.com" src="https://cdn.filestackcontent.com/0xDtVEpORsuyPibVI0G4"/><br/> Figure 4. Faux login pages for Yahoo, AOL, and 163.com</em></p><h2>Domain and IP Address Analysis</h2><p>A Whois record lookup of the parent domain docs-verify[.]com identified it was registered with Malaysian Registrar and Hosting Provider Shinjiru Technology Sdn Bhd on August 1, 2018 by a registrant named “Leslie T. Alexander” of Bedford, Maine, who uses the email address leslietalexander{at}protonmail[.]com. The parent domain and the 12 associated subdomains resolved to a Malaysia-based IP address 111.90.142[.]52 (AS45839 - Shinjiru Technology Sdn Bhd), which is the host for 33 total domains. A review of these 32 additional domains uncovered multiple suspect sites which include phishing sites targeting Visa Vanilla Gift Cards, Caixa Bank of London, and First Texas Bank.</p><p style="text-align: center;"><em><img alt="Suspected phishing sites targeting Visa Vanilla Gift Cards, Caixa Bank of London, and First Texas Bank" src="https://cdn.filestackcontent.com/miNqwhCGSWG0tSnjnO9C"/><br/> Figure 5. Suspected phishing sites targeting Visa Vanilla Gift Cards, Caixa Bank of London, and First Texas Bank</em></p><h2>Preventing Yourself from Falling Victim to Phishing Attacks</h2><ul><li>Be wary of unsolicited emails from untrusted users and refrain from opening any file attachments or clicking on any embedding hyperlinks especially when the sender requests for you to visit a suspicious-looking site requesting your account credentials.</li><li>Ensure to update your operating system and applications with the latest patches as soon as they become available</li><li>Use an antivirus and firewall solution and make sure they are always up-to-date with the latest patches and antivirus signatures</li><li>If you encounter a suspicious email or website, report it to your organization's security contact and authorities within your area.</li><li>Always inspect the website address to ensure the legitimate website is properly displayed. Do not blindly trust that the padlock located at the top left of the address bar signifies that the website is legitimate as it only indicates the information moved from your computer to the requested site is encrypted.</li><li>United Nations staff members looking to sign in to the Unite Identity website, ensure that you visit the <a href="https://sso.unite.un.org/adfs/ls/ldpInitiatedSignon.aspx" target="_blank">legitimate address</a> before attempting to remotely access your account.</li><li>The listed organization’s security personnel should verify the phishing sites and request a domain and/or website takedown to prevent your users and clients from falling prey to this latest phishing scheme.</li></ul><h2>References</h2><ul><li><a href="https://uniteID.un.org" target="_blank">Unite Identity</a></li><li><a href="https://www.virustotal.com/#/file/28ec93f75dbc08e1227d6aab4cc9e218efeff0af78e030b60caf7b83ee1de659/detection" target="_blank">VirusTotal</a></li><li><a href="https://www.virustotal.com/#/url/90e22abbf6c4cc29edab36fc758328951309175cd4104007ae27e917455f7ce7/detection" target="_blank">VirusTotal</a></li><li><a href="https://www.hybrid-analysis.com/sample/cdafe90de56fa5612b8b20dc9ce9dc14c961dadae52bbb3fd37a21379e5b78fe/5c6a1ba47ca3e16e94509998" target="_blank">Hybrid Analysis</a></li><li><a href="https://www.hybrid-analysis.com/sample/28ec93f75dbc08e1227d6aab4cc9e218efeff0af78e030b60caf7b83ee1de659?environmentId=100" target="_blank">Hybrid Analysis</a></li><li><a href="https://urlscan.io/result/a6e9077f-31b6-4de3-8f34-0c1b6305fecb" target="_blank">URLScan</a></li></ul><h3>Appendix A - Indicators of Compromise</h3><table class="table table-bordered table-striped" style="table-layout:fixed"><tbody><tr><th>Indicator of Compromise</th><th>Description</th></tr><tr><td style="word-wrap: break-word">docs-verify[.]com</td><td style="word-wrap: break-word">Malicious site used to host multiple phishing pages</td></tr><tr><td style="word-wrap: break-word">111.90.142[.]52</td><td style="word-wrap: break-word">Malicious server hosting multiple suspicious and phishing sites</td></tr><tr><td style="word-wrap: break-word">leslietalexander{at}protonmail[.]com</td><td style="word-wrap: break-word">Email address associated with registrant named Leslie Alexander who registered the domain doc-verify[.]com</td></tr><tr><td style="word-wrap: break-word">cloud[.]unite[.]un[.]org[.]docs-verify[.]com</td><td style="word-wrap: break-word">United Nations-themed phishing site</td></tr><tr><td style="word-wrap: break-word">www[.]cloud[.]unite[.]un[.]org[.]docs-verify[.]com</td><td style="word-wrap: break-word">United Nations-themed phishing site</td></tr><tr><td style="word-wrap: break-word">276742105605466998454240396830933951554982</td><td style="word-wrap: break-word">Serial number for Let’s Encrypt SSL/TLS Certificate installed on the malicious server used to target the United Nations, AOL, Yahoo, NetEase, and 163.com</td></tr><tr><td style="word-wrap: break-word">163-services[.]docs-verify[.]com</td><td style="word-wrap: break-word">163.com-themed phishing site</td></tr><tr><td style="word-wrap: break-word">163[.]docs-verify[.]com</td><td style="word-wrap: break-word">163.com-themed phishing site</td></tr><tr><td style="word-wrap: break-word">cloud[.]aol[.]com[.]documents[.]unite[.]docs-verify[.]com</td><td style="word-wrap: break-word">AOL-themed phishing site</td></tr><tr><td style="word-wrap: break-word">cloud[.]yahoo[.]com[.]documents[.]unite[.]docs-verify[.]com</td><td style="word-wrap: break-word">Yahoo-themed phishing site</td></tr><tr><td style="word-wrap: break-word">download-netease[.]docs-verify[.]com</td><td style="word-wrap: break-word">NetEase-themed phishing site</td></tr><tr><td style="word-wrap: break-word">www[.]163-services[.]docs-verify[.]com</td><td style="word-wrap: break-word">163.com-themed phishing site</td></tr><tr><td style="word-wrap: break-word">www[.]163[.]docs-verify[.]com</td><td style="word-wrap: break-word">163.com-themed phishing site</td></tr><tr><td style="word-wrap: break-word">www[.]cloud[.]aol[.]com[.]documents[.]unite[.]docs-verify[.]com</td><td style="word-wrap: break-word">AOL-themed phishing site</td></tr><tr><td style="word-wrap: break-word">www[.]cloud[.]yahoo[.]com[.]documents[.]unite[.]docs-verify[.]com</td><td style="word-wrap: break-word">Yahoo-themed phishing site</td></tr><tr><td style="word-wrap: break-word">www[.]download-netease[.]docs-verify[.]com</td><td style="word-wrap: break-word">NetEase-themed phishing site</td></tr><tr><td style="word-wrap: break-word">hxxp://onevanillabalance[.]xyz</td><td style="word-wrap: break-word">Suspected phishing site mimicking Visa Vanilla Gift Card</td></tr><tr><td style="word-wrap: break-word">hxxp://onevanillagift[.]net</td><td style="word-wrap: break-word">Suspected phishing site mimicking Visa Vanilla Gift Card</td></tr><tr><td style="word-wrap: break-word">hxxp://onevanillainsight[.]xyz</td><td style="word-wrap: break-word">Suspected phishing site mimicking Visa Vanilla Gift Card</td></tr><tr><td style="word-wrap: break-word">hxxp://checkonevanillabalanceonline[.]com</td><td style="word-wrap: break-word">Suspected phishing site mimicking Visa Vanilla Gift Card</td></tr><tr><td style="word-wrap: break-word">hxxp://caixyonline[.]net</td><td style="word-wrap: break-word">Suspected phishing site mimicking Caixa Bank of London</td></tr><tr><td style="word-wrap: break-word">hxxp://firsttexaen[.]com</td><td style="word-wrap: break-word">Suspected phishing site mimicking First Texas Bank</td></tr></tbody></table><h3>Appendix B - Whois Record for docs-verify[.]com</h3><p style="text-align: center;"><img alt="Whois Record for docs-verify[.]com" src="https://cdn.filestackcontent.com/e9YeYwEgQ4GFjvWeIfhM" style="width: 600px;"/></p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.
__wf_reserved_heredar