In recent years, threat actors have increasingly targeted free email services to compromise government and educational entities.
One such group, known as GreenSpot, has been particularly active in this domain. GreenSpot, believed to operate from Taiwan, has been involved in data theft operations since at least 2007.
They primarily target government, academic, and military-related entities in China through sophisticated phishing campaigns.
GreenSpot’s tactics involve creating deceptive domains that mimic legitimate email services. For instance, they have been using domains like mail[.]II63[.]net and mail[.]eco163[.]com to impersonate the popular Chinese email service, 163.com.
.webp)
Security analysts at Hunt.io noted that all these domains are designed to capture usernames and passwords by hosting fake login pages that closely resemble the legitimate ones.
.webp)
Infrastructure Analysis
The domains used by GreenSpot are often registered through resellers like SugarHosts to minimize direct interaction with major registrars, thereby reducing the risk of being traced back to the group.
These domains resolve to IP addresses such as 139.162.62[.]21, which is hosted on the Akamai Connected Cloud network in Singapore.
IP Address: 139.162.62[.]21
Domains:
- mail[.]II63[.]net
- mail[.]eco163[.]comUpon querying this IP, it was found that ports 22 and 80 are open. Notably, port 80 responds with a non-standard HTTP status code of 588, which is not recognized by IANA but is used by Alibaba Cloud for “Exceeded_Quota” errors. This suggests a custom or proprietary configuration.
In addition to phishing, GreenSpot also operates fake download services. These services are designed to appear as legitimate large attachment download pages for email services like Netease Mail.
.webp)
The titles of these pages often include phrases like “网易邮箱超大附件下载” (Download Large Attachments for Netease Mailbox). These pages host benign files with names such as “Guide to Maritime Administrative Services and Application Documents.7z.”
IP Address: 45.76.180[.1253]
Domain: I2024163[.]com
Notes: Malicious download page hosting "Guide to Maritime Administrative Services and Application Documents.7z"While GreenSpot’s campaigns are currently focused on specific regions, their tactics have broader implications.
The use of deceptive domains, manipulated TLS certificates, and counterfeit interfaces demonstrates a sophisticated threat actor capable of compromising online platforms.
Free email services, designed for ease of access, often rely on users to activate enhanced security features like multi-factor authentication.
.webp)
Without these protections, users remain vulnerable to credential theft, potentially exposing sensitive communications and personal data.
Organizations and individuals are advised to enable multi-factor authentication, enhance network monitoring, and ensure threat intelligence feeds are current. These proactive measures are crucial for mitigating risks from adversaries like GreenSpot.
To enhance security, it is recommended to enable multi-factor authentication (MFA) to add an extra layer of protection against unauthorized access, even if credentials are compromised.
Moreover, regularly monitoring network traffic for suspicious activity and updating threat intelligence feeds to stay informed about the latest threats and indicators of compromise are essential measures for proactively defending against evolving attacks.
Indicators of Compromise (IOCs)
| IP Address | Domains | Notes |
|---|---|---|
| 139.162.62[.]21 | mail[.]II63[.]net, mail[.]eco163[.]com | Hosted on Akamai Connected Cloud network in Singapore |
| 45.76.180[.1253] | I2024163[.]com | Malicious download page hosting “Guide to Maritime Administrative Services and Application Documents.7z” |
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
