October 24, 2019

Phishing attack targeting United Nations and humanitarian organizations discovered by Lookout Phishing AI

By Jeremy Richards

Lookout Phishing AI has detected a mobile-aware phishing campaign targeting non-governmental organizations around the world, including a variety of United Nations humanitarian organizations, such as UNICEF. Lookout has contacted law enforcement and the targeted organizations, but as of the publication of this blog the attack is still ongoing. 

A sample of one of the live phishing sites discovered by Lookout researchers as displayed on a mobile device

Background on the phishing campaign

The infrastructure connected to this attack has been live since March 2019. Two domains have been hosting phishing content, session-services[.]com and service-ssl-check[.]com, which resolved to two IPs over the course of this campaign: 111.90.142.105 and 111.90.142.91. The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past.

Mobile-Aware functionality and key logging

Lookout has identified several noteworthy techniques employed in this campaign, including its ability to detect mobile devices and to log keystrokes directly as they are entered in the password field.

Specifically, JavaScript logic on the phishing pages detects whether the page is being loaded on a mobile device and, in that case, delivers mobile-specific content. Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for victims to notice the deception.

Lookout has also collected evidence of key logging functionality embedded in the password field of the phishing login pages, such that, if a target doesn’t complete the login activity by pressing the login button or if they enter another, unintended password, this information is still sent back to the command and control infrastructure operated by the malicious actor.

SSL certificates and humanitarian aid domains

All major browsers will alert users about the use of expired SSL certificates. As these warnings are very clear (and in fact often hard to dismiss) it would be near impossible to entice a user to enter their login credentials on a site that uses an expired certificate. As a result, expired SSL certificates observed on some of the phishing sites can provide insight into the time period of the attack.

SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. Currently six certificates are still valid, and Lookout suspects that these attacks may still be ongoing. A table at the end of this blog shows the targeted organizations, the URLs targeting them as well as whether the current SSL certificate on the site is valid as of writing this report.
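The two observations above (the attacker's apex domains and IPs, and certificate validity as a timing signal) and the naming trick visible in the table at the end of this post (a legitimate login hostname such as login.microsoftonline.com or sso.united.un.org placed as the leading labels of a much longer attacker-controlled name) can be turned into simple triage logic. The following is an added example written for this post, not Lookout's code. It assumes a constructed four-field proxy-log format (timestamp, client IP, requested host, destination IP), a two-label apex domain (a production version would consult the Public Suffix List), and that the "Valid until"/"Expired" dates in the table are 2019 dates. The indicator values are the ones the post lists; the log lines and the non-indicator IPs are constructed.

```python
"""Triage helpers built around the indicators in the Lookout report.

Added example; not Lookout's code. Assumes a constructed proxy-log format,
a two-label apex (no Public Suffix List) and 2019 for the table's dates.
"""
import re
from datetime import date

# Indicators from the report: attacker apex domains and the two hosting IPs.
PHISHING_APEX_DOMAINS = {"session-services.com", "service-ssl-check.com"}
PHISHING_IPS = {"111.90.142.105", "111.90.142.91"}

# Labels that normally only appear at the end of a hostname. A "com" or "org"
# label in the middle of a name is the hallmark of the campaign's naming trick
# (e.g. login.microsoftonline.com.common.oauth2.co.session-services.com).
EMBEDDED_TLD_LABELS = {"com", "org", "net", "edu", "gov"}

REPORT_DATE = date(2019, 10, 24)  # publication date of the report
MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}


def registrable_domain(host):
    """Apex of a hostname under the two-label-apex assumption."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_apex_labels(host):
    """TLD-looking labels that appear before the real apex.

    For fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com this
    returns ['org']: the victim's own domain is buried in the attacker's
    subdomain, which a truncated mobile URL bar hides from the user."""
    labels = host.lower().rstrip(".").split(".")
    return [label for label in labels[:-2] if label in EMBEDDED_TLD_LABELS]


def classify_host(host, dst_ip=""):
    """'ioc' on a direct indicator match, 'suspicious' on the embedded-apex
    heuristic, otherwise 'clean'."""
    if registrable_domain(host) in PHISHING_APEX_DOMAINS or dst_ip in PHISHING_IPS:
        return "ioc"
    if embedded_apex_labels(host):
        return "suspicious"
    return "clean"


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+)$")

# Constructed proxy-log lines; the non-indicator IPs are documentation ranges.
SAMPLE_LOG = [
    "2019-10-24T09:12:01Z 10.0.0.7 login.microsoftonline.com.common.oauth2.co.session-services.com 111.90.142.105",
    "2019-10-24T09:12:05Z 10.0.0.7 login.microsoftonline.com 203.0.113.10",
    "2019-10-24T09:13:40Z 10.0.0.9 sso.example.org.adfs.ls.lookalike-apex.net 198.51.100.5",
    "2019-10-24T09:14:02Z 10.0.0.9 www.example.org 198.51.100.6",
]


def triage_log(lines):
    """Group the requested hostnames of proxy-log lines by classification."""
    out = {"ioc": [], "suspicious": [], "clean": []}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        host, dst = m.group("host"), m.group("dst")
        out[classify_host(host, dst)].append(host)
    return out


def parse_cert_note(note, year=REPORT_DATE.year):
    """Turn 'Valid until November 23' / 'Expired August 3' into (is_valid, date),
    judging validity against the report date rather than trusting the wording."""
    m = re.match(r"(Valid until|Expired) (\w+) (\d+)", note)
    if not m:
        raise ValueError("unrecognised certificate note: %r" % note)
    d = date(year, MONTHS[m.group(2)], int(m.group(3)))
    return (d >= REPORT_DATE, d)


# The "Live SSL Certificate" column of the report's table, in row order.
CERT_NOTES = [
    "Valid until November 23", "Valid until November 18", "Valid until November 15",
    "Valid until November 16", "Valid until November 18", "Valid until November 16",
    "Expired August 3", "Expired September 8", "Expired September 7",
    "Expired September 3", "Expired August 3", "Expired September 3",
    "Expired August 3", "Expired September 3", "Expired September 3",
    "Expired September 3", "Expired August 3", "Expired August 3",
]


def still_valid_count(notes=CERT_NOTES, as_of=REPORT_DATE):
    """Number of listed certificates still valid on `as_of`."""
    return sum(1 for n in notes if parse_cert_note(n)[1] >= as_of)


if __name__ == "__main__":
    for bucket, hosts in triage_log(SAMPLE_LOG).items():
        print(bucket, hosts)
    print("certificates still valid on", REPORT_DATE, ":", still_valid_count())
```

The embedded-apex heuristic is deliberately broader than the two indicator domains: it flags the naming pattern itself, so it also catches hosts on apex domains that are not yet on a blocklist, at the cost of some false positives from legitimate deep subdomains that happen to contain a label such as "net". Treat its output as a review queue rather than a block decision, and keep the exact indicator match for automatic blocking. Run against the table's certificate column, the count comes out at six, matching the post's statement that six certificates were still valid at the time of writing.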

A sample of one of the live phishing sites discovered by Lookout researchers. Top: The legitimate login page targeted by this phishing attack. Bottom: The phishing site mimicking the legitimate Office365 login page for employees of the International Federation of Red Cross and Red Crescent Societies.

Lookout Phishing and Content Protection

The mobile-aware component found in this campaign is further proof that phishing attacks have evolved to target mobile devices. Mobile phishing has emerged as a source of increasing risk for enterprises, as the post-perimeter world and the widespread adoption of bring your own device (BYOD) policies blur the lines between personal devices and corporate networks, not to mention the expanded multi-channel threat surface presented by such devices and mobility as a whole.

Lookout Phishing & Content Protection goes beyond traditional phishing channels and detects phishing attacks from all types of sources, including personal and corporate email, social media, SMS and other messaging and apps. Lookout also detects access to malicious sites, including malware and spyware distribution, command and control servers, and botnets — from URLs delivered by any app or channel on a user’s device.


| Target Organization | URL | Live SSL Certificate |
|---|---|---|
| UN World Food Programme | fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com | Valid until November 23 |
| United Nations Development Programme | logon.undp.org.adfs.ls.client-request-id.session-services.com | Valid until November 18 |
| United Nations | sso.united.un.org.adfs.ls.clinet-request-id.session-services.com | Valid until November 15 |
| UNICEF | login.unicef.org.adfs.ls.client-request-id.session-services.com | Valid until November 16 |
| Heritage Foundation | heritage.onelogin.com.login.service-ssl-check.com | Valid until November 18 |
| International Federation of the Red Cross and Red Crescent Societies | sts.ifrc.org.adfs.ls.client-request-id.session-services.com | Valid until November 16 |
| United States Institute of Peace | login.microsoftonline.com.common.oauth2.ip.session-services.com | Expired August 3 |
| Concern Worldwide | login.microsoftonline.com.common.oauth2.co.session-services.com | Expired September 8 |
| Humanity and Inclusion (French) | login.microsoftonline.com.common.oauth2.hi.session-services.com | Expired September 7 |
| Social Science Research Council Sign-On Portal | sso.ssrc.org.adfs.ls.client-request-id.63f91e15.service-ssl-check.com | Expired September 3 |
| UC San Diego | login.microsoftonline.com.common.oauth2.uc.session-services.com | Expired August 3 |
| East-West Center | eastwestcenter.org.owa.auth.logon.aspx.replacecurrent.service-ssl-check.com | Expired September 3 |
| Unknown/Inaccessible | login.microsoftonline.com.common.oauth2.br.session-services.com | Expired August 3 |
| Unknown/Inaccessible | login.microsoftonline.com.common.oauth2.client.us.service-ssl-check.com | Expired September 3 |
| Unknown/Inaccessible | login.microsoftonline.com.common.oauth2.client.al.service-ssl-check.com | Expired September 3 |
| Unknown/Inaccessible | login.microsoftonline.com.common.oauth2.client.hi.service-ssl-check.com | Expired September 3 |
| Yahoo (German) | login.yahoo.com.manage-account.src-ym.lang-en-us.session-services.com | Expired August 3 |
| AOL (German) | login.aol.com.account.challenge.oauth.session-services.com | Expired August 3 |

Author

Jeremy Richards,
Principal Security Researcher