October 14, 2019

Phishing Attack Targeting UN Discovered by Lookout Phishing AI


Lookout Phishing AI has detected a mobile-aware phishing campaign targeting non-governmental organizations around the world, including a variety of United Nations humanitarian organizations, such as UNICEF. Lookout has contacted law enforcement and the targeted organizations, but as of the publication of this blog the attack is still ongoing.

Background on the phishing campaign

The infrastructure connected to this attack has been live since March 2019. Two domains, session-services[.]com and service-ssl-check[.]com, have been hosting the phishing content; over the course of the campaign they resolved to two IPs, 111.90.142.105 and 111.90.142.91. Lookout understands the associated IP network block and ASN (Autonomous System Number) to be of low reputation, and they are known to have hosted malware in the past.

Mobile-aware functionality and key logging

Lookout has identified several noteworthy techniques employed in this campaign, including its ability to detect mobile devices and to log keystrokes directly as they are entered in the password field.

Specifically, JavaScript logic on the phishing pages detects whether the page is being loaded on a mobile device and, if so, delivers mobile-specific content. Mobile web browsers also unintentionally help obfuscate the phishing URLs: their narrow address bars truncate long hostnames, and since these hostnames begin with the name of the legitimate service (see the table at the end of this blog), the part the victim sees looks genuine and the attacker-controlled domain at the end is cut off.

Lookout has also collected evidence of key logging functionality embedded in the password field of the phishing login pages: keystrokes are sent to the command and control infrastructure operated by the malicious actor as they are typed. As a result, even if a target never completes the login by pressing the login button, or types another, unintended password into the field, that information is still captured.

SSL certificates and humanitarian aid domains

All major browsers alert users when a site presents an expired SSL certificate. Because these warnings are very clear (and often hard to dismiss), it is very unlikely that a victim could be enticed to enter login credentials on a site whose certificate has expired. The expired SSL certificates observed on some of the phishing sites therefore bound the period during which those sites could plausibly have been used, and give insight into the timeline of the attack.

The SSL certificates used by the phishing infrastructure fell into two main validity ranges: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. Six certificates are currently still valid, and Lookout suspects that these attacks may still be ongoing. A table at the end of this blog lists the targeted organizations, the URLs targeting them, and whether the certificate currently served by each site is valid as of the writing of this report.
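The dating argument above can be turned into a small tool. The following is an added example, not Lookout's code: it takes certificate data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, classifies each certificate as valid or expired at the report's publication date, and derives the overall window during which at least one site could have served a warning-free page. The three certificate records are constructed to mirror the two validity ranges stated above plus one still-valid certificate; the subject names and the August 25 start date of the third record are assumptions, not observed values.

```python
"""Date a phishing campaign from the validity windows of the TLS (SSL)
certificates its sites presented.

Added example; this is not Lookout's code. The certificate dicts below are
constructed to mirror the two validity ranges reported above plus one
still-valid certificate, and are not real observed certificates."""
import ssl
from datetime import datetime, timezone

# Publication date of this report, used as "now" when classifying certificates.
REPORT_DATE = datetime(2019, 10, 14, tzinfo=timezone.utc)

# Constructed sample data shaped like ssl.SSLSocket.getpeercert() output,
# keeping only the fields this example reads. Subject names are illustrative.
OBSERVED_CERTS = [
    {"subject": ((("commonName", "session-services.com"),),),
     "notBefore": "May  5 00:00:00 2019 GMT", "notAfter": "Aug  3 00:00:00 2019 GMT"},
    {"subject": ((("commonName", "service-ssl-check.com"),),),
     "notBefore": "Jun  5 00:00:00 2019 GMT", "notAfter": "Sep  3 00:00:00 2019 GMT"},
    # notBefore is an assumption: a 90-day certificate ending on the table's November 23 date.
    {"subject": ((("commonName", "fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com"),),),
     "notBefore": "Aug 25 00:00:00 2019 GMT", "notAfter": "Nov 23 00:00:00 2019 GMT"},
]


def parse_cert_time(cert_time):
    """getpeercert() reports dates as 'Mon DD HH:MM:SS YYYY GMT'; the stdlib
    parses exactly that format (the day may be space-padded)."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def validity_window(cert):
    """(notBefore, notAfter) as timezone-aware datetimes."""
    return parse_cert_time(cert["notBefore"]), parse_cert_time(cert["notAfter"])


def window_days(cert):
    start, end = validity_window(cert)
    return (end - start).days


def common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def status_at(cert, when=REPORT_DATE):
    """'valid', 'expired' or 'not yet valid' at the given instant. A browser
    shows a hard-to-dismiss warning for anything but 'valid', so only sites
    with a 'valid' certificate are plausible live phishing pages."""
    start, end = validity_window(cert)
    if when < start:
        return "not yet valid"
    if when > end:
        return "expired"
    return "valid"


def campaign_window(certs):
    """Earliest notBefore and latest notAfter across all observed certificates:
    the span during which at least one site could serve a warning-free page."""
    windows = [validity_window(c) for c in certs]
    return min(start for start, _ in windows), max(end for _, end in windows)


def report(certs, when=REPORT_DATE):
    """One (common name, status, notAfter date) row per certificate."""
    return [(common_name(c), status_at(c, when), validity_window(c)[1].date().isoformat())
            for c in certs]


if __name__ == "__main__":
    for row in report(OBSERVED_CERTS):
        print("%-70s %-13s expires %s" % row)
    first, last = campaign_window(OBSERVED_CERTS)
    print("Observed certificate coverage: %s to %s" % (first.date(), last.date()))
```

One caveat for anyone adapting this to live checks: `getpeercert()` only returns a populated dict after the handshake has verified the certificate, so an expired certificate surfaces as a handshake failure (`ssl.SSLCertVerificationError`) rather than as a dict with a past `notAfter`. For a phishing site that error is itself the answer; to read the dates anyway, fetch the certificate with `getpeercert(binary_form=True)` and parse the DER with a proper X.509 library.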

A sample of one of the live phishing sites discovered by Lookout researchers. Top: The legitimate login page targeted by this phishing attack. Bottom: The phishing site mimicking the legitimate Office365 login page for employees of the International Federation of Red Cross and Red Crescent Societies.

Lookout Phishing and Content Protection

The mobile-aware component found in this campaign is further evidence that phishing attacks have evolved to target mobile devices. Mobile phishing has emerged as a source of increasing risk for enterprises: the post-perimeter world and the widespread adoption of bring your own device (BYOD) policies blur the line between personal devices and corporate networks, and mobile devices add a multi-channel threat surface (email, SMS, messaging and social apps) that is far broader than corporate email alone.

Lookout Phishing & Content Protection goes beyond traditional phishing channels and detects phishing attacks from all types of sources, including personal and corporate email, social media, SMS and other messaging and apps. Lookout also detects access to malicious sites, including malware and spyware distribution, command and control servers, and botnets — from URLs delivered by any app or channel on a user’s device.

| Target organization | URL | SSL certificate status (as of October 14, 2019) | Additional info |
|---|---|---|---|
| UN World Food Programme | fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com | Valid until November 23 | - |
| United Nations Development Programme | logon.undp.org.adfs.ls.client-request-id.session-services.com | Valid until November 18 | - |
| United Nations | sso.united.un.org.adfs.ls.clinet-request-id.session-services.com | Valid until November 15 | - |
| UNICEF | login.unicef.org.adfs.ls.client-request-id.session-services.com | Valid until November 16 | - |
| Heritage Foundation | heritage.onelogin.com.login.service-ssl-check.com | Valid until November 18 | - |
| International Federation of the Red Cross and Red Crescent Societies | sts.ifrc.org.adfs.ls.client-request-id.session-services.com | Valid until November 16 | - |
| United States Institute of Peace | login.microsoftonline.com.common.oauth2.ip.session-services.com | Expired August 3 | - |
| Concern Worldwide | login.microsoftonline.com.common.oauth2.co.session-services.com | Expired September 8 | - |
| Humanity and Inclusion (French) | login.microsoftonline.com.common.oauth2.hi.session-services.com | Expired September 7 | - |
| Social Science Research Council Sign-On Portal | sso.ssrc.org.adfs.ls.client-request-id.63f91e15.service-ssl-check.com | Expired September 3 | - |
| UC San Diego | login.microsoftonline.com.common.oauth2.uc.session-services.com | Expired August 3 | - |
| East-West Center | eastwestcenter.org.owa.auth.logon.aspx.replacecurrent.service-ssl-check.com | Expired September 3 | - |
| Unknown / inaccessible | login.microsoftonline.com.common.oauth2.br.session-services.com | Expired August 3 | - |
| Unknown / inaccessible | login.microsoftonline.com.common.oauth2.client.us.service-ssl-check.com | Expired September 3 | - |
| Unknown / inaccessible | login.microsoftonline.com.common.oauth2.client.al.service-ssl-check.com | Expired September 3 | - |
| Unknown / inaccessible | login.microsoftonline.com.common.oauth2.client.hi.service-ssl-check.com | Expired September 3 | - |
| Yahoo (German) | login.yahoo.com.manage-account.src-ym.lang-en-us.session-services.com | Expired August 3 | - |
| AOL (German) | login.aol.com.account.challenge.oauth.session-services.com | Expired August 3 | - |
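Every hostname in the table follows the same construction: the legitimate sign-in hostname, sometimes with its URL path flattened into extra DNS labels (the AD FS `/adfs/ls/` endpoint, the Outlook Web App `/owa/auth/` page), followed by labels under one of the two actor-controlled domains, so that a truncated mobile address bar shows only the legitimate-looking part. The following is an added example, not Lookout's code, that pulls each indicator apart into the host it imitates and the registrable domain that actually serves it. The `BRAND_DOMAINS` allow-list and `PATH_MARKERS` are this example's own heuristics, not anything the report states, and `registrable_domain()` uses a two-label rule rather than the Public Suffix List.

```python
"""Pull apart the campaign's look-alike hostnames into the legitimate host
they imitate and the domain the attacker actually controls.

Added example; this is not Lookout's code. INDICATORS are the hostnames from
the table above. BRAND_DOMAINS and PATH_MARKERS are this example's own
heuristics, and registrable_domain() uses a two-label rule instead of the
Public Suffix List."""

# Registrable domains observed hosting the phishing content (from the report).
ATTACKER_DOMAINS = {"session-services.com", "service-ssl-check.com"}

# Identity-provider domains whose hostnames appear as leading labels.
# Assumption: a short allow-list standing in for a real brand list.
BRAND_DOMAINS = ("microsoftonline.com", "onelogin.com", "yahoo.com", "aol.com")

# URL path components the actor flattened into DNS labels: /adfs/ls/ is the
# AD FS sign-in endpoint, /owa/auth/ is the Outlook Web App login page.
PATH_MARKERS = {"adfs": "AD FS sign-in path", "owa": "OWA login path"}

INDICATORS = [
    "fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com",
    "logon.undp.org.adfs.ls.client-request-id.session-services.com",
    "sso.united.un.org.adfs.ls.clinet-request-id.session-services.com",
    "login.unicef.org.adfs.ls.client-request-id.session-services.com",
    "heritage.onelogin.com.login.service-ssl-check.com",
    "sts.ifrc.org.adfs.ls.client-request-id.session-services.com",
    "login.microsoftonline.com.common.oauth2.ip.session-services.com",
    "login.microsoftonline.com.common.oauth2.co.session-services.com",
    "login.microsoftonline.com.common.oauth2.hi.session-services.com",
    "sso.ssrc.org.adfs.ls.client-request-id.63f91e15.service-ssl-check.com",
    "login.microsoftonline.com.common.oauth2.uc.session-services.com",
    "eastwestcenter.org.owa.auth.logon.aspx.replacecurrent.service-ssl-check.com",
    "login.microsoftonline.com.common.oauth2.br.session-services.com",
    "login.microsoftonline.com.common.oauth2.client.us.service-ssl-check.com",
    "login.microsoftonline.com.common.oauth2.client.al.service-ssl-check.com",
    "login.microsoftonline.com.common.oauth2.client.hi.service-ssl-check.com",
    "login.yahoo.com.manage-account.src-ym.lang-en-us.session-services.com",
    "login.aol.com.account.challenge.oauth.session-services.com",
]


def registrable_domain(host):
    """Last two labels of the hostname (two-label assumption; real tooling
    should consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_host(host):
    """The legitimate hostname the leading labels imitate, or None.

    Case 1: a flattened URL path, e.g. fs.auth.wfp.org/adfs/ls/... became
            fs.auth.wfp.org.adfs.ls..., so everything before the marker is
            the imitated host.
    Case 2: a known brand domain followed by further labels, e.g.
            login.microsoftonline.com.common.oauth2...
    """
    labels = host.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label in PATH_MARKERS and i > 0:
            return ".".join(labels[:i])
    for i in range(len(labels) - 1):
        if ".".join(labels[i:i + 2]) in BRAND_DOMAINS:
            return ".".join(labels[:i + 2])
    return None


def classify(host):
    """Flag the host as a look-alike when it imitates some other registrable
    domain; a genuine login.microsoftonline.com is left alone."""
    mimic = impersonated_host(host)
    registrable = registrable_domain(host)
    lookalike = mimic is not None and registrable_domain(mimic) != registrable
    return {"host": host, "registrable": registrable, "impersonates": mimic,
            "lookalike": lookalike, "known_actor_domain": registrable in ATTACKER_DOMAINS}


def truncated_view(host, width=27):
    """Crude model of a narrow mobile address bar: only the first `width`
    characters survive, and here those are exactly the legitimate-looking part."""
    return host if len(host) <= width else host[:width] + "..."


def summarize(hosts=INDICATORS):
    return [classify(h) for h in hosts]


if __name__ == "__main__":
    for row in summarize():
        print("%-32s imitates %-26s controlled by %s" % (
            truncated_view(row["host"]), row["impersonates"], row["registrable"]))
```

The same decomposition works as a detection rule on proxy or DNS logs: any hostname whose leading labels resolve to a brand or to an identity provider's path, but whose registrable domain is something else, deserves a look, whether or not that registrable domain is already on a blocklist.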

Authors

Jeremy Richards

Principal Security Researcher

Jeremy Richards is a Staff Security Researcher at Lookout. Jeremy’s hacking career started in 1995 at the age of 14 when he started flipping bits to bypass Leisure Suit Larry 1 age restrictions. Jeremy has taken his years of research experience to mobile and while studying active malware campaigns and searching for evasion techniques in the Lookout corpus he has begun mapping actors to campaigns through habits of operation, infrastructure characteristics, and (sometimes hilarious) opsec fails.

Entry Type: Threat Summary
Threat Type: Phishing

