
October 24, 2019

Phishing attack targeting United Nations and humanitarian organizations discovered by Lookout Phishing AI

By Jeremy Richards

Lookout Phishing AI has detected a mobile-aware phishing campaign targeting non-governmental organizations around the world, including a variety of United Nations humanitarian organizations, such as UNICEF. Lookout has contacted law enforcement and the targeted organizations, but as of the publication of this blog the attack is still ongoing. 

A sample of one of the live phishing sites discovered by Lookout researchers as displayed on a mobile device

Background on the phishing campaign

The infrastructure connected to this attack has been live since March 2019. Two domains have been hosting phishing content, session-services[.]com and service-ssl-check[.]com, which resolved to two IPs over the course of this campaign: and The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past.

Mobile-Aware functionality and key logging

Lookout has identified several noteworthy techniques employed in this campaign, including its ability to detect mobile devices and to log keystrokes directly as they are entered in the password field.

Specifically, JavaScript logic on the phishing pages detects whether the page is being loaded on a mobile device and, if so, delivers mobile-specific content. Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for victims to discover the deception.

Lookout has also collected evidence of key logging functionality embedded in the password field of the phishing login pages, such that, if a target doesn’t complete the login activity by pressing the login button or if they enter another, unintended password, this information is still sent back to the command and control infrastructure operated by the malicious actor.

SSL certificates and humanitarian aid domains

All major browsers will alert users about the use of expired SSL certificates. As these warnings are very clear (and in fact often hard to dismiss) it would be near impossible to entice a user to enter their login credentials on a site that uses an expired certificate. As a result, expired SSL certificates observed on some of the phishing sites can provide insight into the time period of the attack.

SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. Currently six certificates are still valid, and Lookout suspects that these attacks may still be ongoing. A table at the end of this blog shows the targeted organizations, the URLs targeting them as well as whether the current SSL certificate on the site is valid as of writing this report.
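The timeline reasoning above can be reproduced from the dates in this post. The following is an added example, not Lookout's code: it checks that both stated validity ranges share one lifetime, splits the expiry dates from the table at the end of this post into valid and expired as of the publication date, and estimates when the still-valid certificates were issued. It assumes the table's dates fall in 2019 (the table prints no year) and that the still-valid certificates have the same lifetime as the two stated ranges.

```python
from datetime import date, timedelta

# The two validity ranges stated in the article (notBefore, notAfter).
STATED_RANGES = [(date(2019, 5, 5), date(2019, 8, 3)),
                 (date(2019, 6, 5), date(2019, 9, 3))]

# Expiry dates (month, day) from the article's table, in table order. The table
# prints no year; 2019 is assumed from the publication date.
TABLE_EXPIRIES = [(11, 23), (11, 18), (11, 15), (11, 16), (11, 18), (11, 16),
                  (8, 3), (9, 8), (9, 7), (9, 3), (8, 3), (9, 3),
                  (8, 3), (9, 3), (9, 3), (9, 3), (8, 3), (8, 3)]


def common_lifetime(ranges):
    """Return the certificate lifetime if every stated range shares it, else None."""
    lifetimes = {not_after - not_before for not_before, not_after in ranges}
    return lifetimes.pop() if len(lifetimes) == 1 else None


def triage(expiries, as_of, lifetime):
    """Split expiry dates into valid/expired as of a date and estimate issuance."""
    valid = sorted(d for d in expiries if d >= as_of)
    expired = sorted(d for d in expiries if d < as_of)
    # Estimated issuance assumes the still-valid certificates have the same
    # lifetime as the stated ranges; the article does not give their notBefore.
    est_issued = [d - lifetime for d in valid] if lifetime else []
    return {
        "valid": valid,
        "expired": expired,
        "estimated_issue_window": (min(est_issued), max(est_issued)) if est_issued else None,
        "last_expiry": max(expiries),
    }


def report(as_of=date(2019, 10, 24)):
    """Triage the table's certificates as of the article's publication date."""
    expiries = [date(2019, m, d) for m, d in TABLE_EXPIRIES]
    return triage(expiries, as_of, common_lifetime(STATED_RANGES))


if __name__ == "__main__":
    r = report()
    print(f"{len(r['valid'])} valid, {len(r['expired'])} expired")
    print("estimated issuance of valid certs:", r["estimated_issue_window"])
    print("latest certificate expiry:", r["last_expiry"])
```

Under those assumptions, the estimated issuance of the still-valid certificates falls after the first stated range had already expired, which is the kind of renewal pattern that supports treating the infrastructure as still in use.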

A sample of one of the live phishing sites discovered by Lookout researchers. Top: The legitimate login page targeted by this phishing attack. Bottom: The phishing site mimicking the legitimate Office365 login page for employees of the International Federation of Red Cross and Red Crescent Societies.

Lookout Phishing and Content Protection

The mobile-aware component found in this campaign is further proof that phishing attacks have evolved to target mobile devices. Mobile phishing has emerged as a source of increasing risk for enterprises, as the post-perimeter world and widespread adoption of bring your own device (BYOD) policies blur the lines between personal devices and corporate networks, not to mention the expanded multi-channel threat surface presented by such devices and mobility as a whole.

Lookout Phishing & Content Protection goes beyond traditional phishing channels and detects phishing attacks from all types of sources, including personal and corporate email, social media, SMS and other messaging and apps. Lookout also detects access to malicious sites, including malware and spyware distribution, command and control servers, and botnets — from URLs delivered by any app or channel on a user’s device.


| Target Organization | Live SSL Certificate |
| --- | --- |
| UN World Food Programme | Valid until November 23 |
| United Nations Development Programme | Valid until November 18 |
| United Nations | Valid until November 15 |
| | Valid until November 16 |
| Heritage Foundation | Valid until November 18 |
| International Federation of the Red Cross and Red Crescent Societies | Valid until November 16 |
| United States Institute of Peace | Expired August 3 |
| Concern Worldwide | Expired September 8 |
| Humanity and Inclusion (French) | Expired September 7 |
| Social Science Research Council Sign-On Portal | Expired September 3 |
| UC San Diego | Expired August 3 |
| East-West Center | Expired September 3 |
| Unknown/Inaccessible | Expired August 3 |
| Unknown/Inaccessible | Expired September 3 |
| Unknown/Inaccessible | Expired September 3 |
| Unknown/Inaccessible | Expired September 3 |
| Yahoo (German) | Expired August 3 |
| AOL (German) | Expired August 3 |



Jeremy Richards,
Principal Security Researcher