SANS Internet Storm Center

Pivoting and Hunting for Shenanigans from a Reported Phishing Domain

Published: 2021-08-04
Last Updated: 2021-08-04 00:32:15 UTC
by Yee Ching Tok (Version: 1)

I was alerted to a web page masquerading as a local financial institution earlier in the day. The phishing web page was well constructed, looked extremely similar to the financial institution’s actual page, and had input fields for victims to enter their credentials. Fortunately, it was taken down quickly. However, I was unable to do further analysis on the perpetrator or to access the site to obtain data (for example, the phishing site allegedly restricted access to mobile device browsers only). Albeit a little disappointed, I analyzed the information that was sent to me and decided to pivot and hunt for other websites involved in shenanigans.

Using the trusty Hurricane Electric BGP Toolkit [1], I investigated the IP address block 104.219.248.0/24 (this was where the financial institution phishing site originated from). After examining the swath of domain names hosted there, I discovered a website attempting to masquerade as the United Nations (UN) Peacekeeping site (Figure 1 shows the masqueraded site, while Figure 2 shows the real UN Peacekeeping site). At first glance, the two websites have slightly different layouts, along with different favicons and page titles. A tawk.to chat plugin was also observed on the masqueraded UN Peacekeeping site.

Figure 1: Masqueraded UN Peacekeeping Site

Figure 2: Official UN Peacekeeping Site

In contrast to the site analyzed in my previous diary [2], the graphics used by this site were self-hosted (the previous site used third-party image hosting sites). I also examined the HTML code and observed that some portions of it had comments written in Traditional Chinese characters (as opposed to Simplified Chinese characters). These are highlighted in red boxes in Figures 3 and 4.

Figure 3: HTML Code with Traditional Chinese Characters Comment (Translation: Configure pop-up selection button, fadeOut show/hide)

Figure 4: HTML Code with Traditional Chinese Characters Comment (Translation: Configure forget password, left right switch)

Several links on the website redirect to the main index of the website, while others led to an HTTP 404 error message because the links were not configured properly. However, the videos section did redirect to the legitimate UN Web TV website, although there was a typo in “Featured Video” (as shown in Figure 5).

Figure 5: Typo on Masqueraded UN Peacekeeping Site

The masqueraded website also purportedly offered a mechanism to find military personnel. Clicking the “Portal” button (highlighted in Figure 1) displayed an input field and even a captcha image (as shown in Figure 6). This was not found on the actual UN Peacekeeping site.

Figure 6: Military Personnel Search on Masqueraded Site

Input validation was not enforced on the masqueraded site. Clicking the “Track” button with no input showed an animation of a train on tracks (Figure 7). Even when input was supplied, the page still redirected to the page shown in Figure 7.

Figure 7: Response to Search on Masqueraded Site

Finally, with reference to Figure 8, the site had embedded Google Analytics to track and monitor visitors. However, after digging deeper into the Google Analytics Tracking ID, it turned out that the Tracking ID had been copied by many people online and appeared on several sites such as forums, Stack Overflow and Pastebin.

Figure 8: Google Analytics Code on Masqueraded Site

There were many interesting takeaways from examining this masqueraded site, especially from the Open-Source Intelligence (OSINT) and operational security (OPSEC) perspectives. The site could gather visitor and geolocation data via Google Analytics. However, the appearance of the same Tracking ID on many different online sites (especially those requesting guidance on coding) means that more effort would be required to trace its actual owner and its first appearance/usage.
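The two identifier pivots discussed above (the Google Analytics Tracking ID and the tawk.to chat widget) can be automated so that sites sharing an identifier are clustered and an identifier that has been copied everywhere is flagged as a weak pivot. This is an added example, not code from the diary; the tawk.to embed URL shape (embed.tawk.to/<property>/<widget>) is an assumption and every ID and hostname in the sample pages is constructed.

```python
import re
from collections import defaultdict

# Identifier patterns. Universal Analytics IDs are UA-<account>-<property>,
# GA4 measurement IDs are G-<code>; the tawk.to embed URL layout is assumed.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")
TAWK_RE = re.compile(r"embed\.tawk\.to/([0-9a-f]{24})/([A-Za-z0-9_-]+)")


def extract_pivots(html):
    """Return the set of (kind, value) identifiers found in one page's HTML."""
    found = set()
    for m in GA_ID_RE.finditer(html):
        found.add(("ga", m.group(1)))
    for m in TAWK_RE.finditer(html):
        found.add(("tawk", m.group(1) + "/" + m.group(2)))
    return found


def cluster_by_identifier(pages):
    """pages: dict site -> html. Returns identifier -> sorted list of sites."""
    index = defaultdict(set)
    for site, html in pages.items():
        for ident in extract_pivots(html):
            index[ident].add(site)
    return {k: sorted(v) for k, v in index.items()}


def pivot_strength(index, max_sites=3):
    """An identifier shared by a handful of sites is a usable pivot; one that
    shows up on many unrelated pages (copied from tutorials or paste sites,
    as happened with the Tracking ID in the diary) is too weak on its own."""
    return {ident: ("strong" if len(sites) <= max_sites else "weak")
            for ident, sites in index.items()}


# Constructed sample pages with placeholder identifiers (not real indicators).
SAMPLE_PAGES = {
    "suspect-site.example": "<script>ga('create','UA-000000-1');</script>"
        "<script>s1.src='https://embed.tawk.to/0123456789abcdef01234567/default';</script>",
    "forum-post.example": "ga('create', 'UA-000000-1', 'auto'); // copied from a tutorial",
    "paste.example": "UA-000000-1",
    "so-answer.example": "... 'UA-000000-1' ...",
    "sibling-site.example": "<script src='https://embed.tawk.to/0123456789abcdef01234567/default'></script>",
}

if __name__ == "__main__":
    idx = cluster_by_identifier(SAMPLE_PAGES)
    for ident, sites in idx.items():
        print(ident, pivot_strength(idx)[ident], sites)
```

Run against real crawled HTML, the tawk.to property shared by only the two sites is the pivot worth following, while the Tracking ID seen on forum and paste pages is what the diary warns needs far more work before it says anything about ownership.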

Native data collection (the “Find a military personnel” feature) and communications (the tawk.to plugin) functionality were also present. Since the website was titled “UN vacation Portal”, a plausible hypothesis is that the perpetrators were fishing for information on vacationing UN Peacekeepers. For example, they could invite unsuspecting victims to input details of their colleagues (or even their own data) to verify their vacation status. Having such knowledge could facilitate phishing, social engineering attempts or even potential armed conflict. Another interesting observation was that the perpetrators chose to display the current weather for New York at the top of the site, and made sure the site appeared current by also adding a banner with COVID-19 information. As of now, attribution would be difficult since more data would be needed. Having said that, considering all the points and observations raised, this website most certainly does not appear to be benign.

The indicators of compromise of the site are listed below.

Indicators of Compromise (IOCs):
hxxp://office-un-peacekeeping[.]com
104.219.248[.]9

References:
[1] https://bgp.he.net/
[2] https://isc.sans.edu/diary/27456

-----------
Yee Ching Tok, ISC Handler