Hackers infected Pakistani immigration website with data-scraping Scanbox malware

If you are planning to visit Pakistan soon, you may want to postpone your trip for a while as the Pakistani government’s website for immigration and passport services has been leaking personal details of passport applicants to hackers.

Researchers at security firm Trustwave recently observed that hackers had breached tracking.dgip.gov.pk, a website owned by the Directorate General of Immigration & Passport of the Pakistani government, and injected a payload known as the Scanbox Framework into the domain.

Scanbox is a well-known malware payload used widely by cyber criminals to gather information about visitors to targeted websites and to scrape information that visitors enter into online forms. While it is not known when Scanbox was injected into the Pakistani government’s website for immigration and passport services, researchers are certain that the hackers behind the payload have been harvesting detailed personal information of people who visited the domain in the recent past.

The researchers first observed Scanbox on the breached website on 2nd March and on that day alone, Scanbox managed to collect information on at least 70 unique site visitors, about a third of them with recorded credentials.

Scanbox used in multiple cyber attack campaigns

“Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. Its intense activity during the 2014-2015 years has been well-covered in a paper written by PwC. It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse.

“Scanbox was used in a variety of watering hole attacks, meaning the attacker infected a site with Scanbox in order to gather information about visitors to the site (gathering all the information you’d expect like IP, referrer, OS, User Agent, plugins, etc.) to, later on, tailor sophisticated targeted attacks for interesting visitors. With every appearance, it seems to have evolved in terms of the kinds of information it gathers,” Trustwave said.

According to the firm, the Pakistani government has neither responded to Trustwave’s report of Scanbox on its website nor taken any action to remove the payload from the affected site. Until it does, people should avoid visiting the domain or entering any personal information on it, to prevent their personal data from falling into the hands of cyber criminals.
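Because a watering-hole compromise like the one described above works by slipping an extra script into an otherwise legitimate page, one routine check a site owner can run is to inventory every script the page loads and flag anything that is inline or comes from a host that is not on a known list. The following Python is an added example, not Trustwave’s tooling and not the Directorate’s actual site content; the sample HTML, the host names and the allowlist are constructed for illustration.

```python
"""Inventory <script> elements in a page and flag anything unexpected.

Added defensive example (not code from the article or from Trustwave).
The sample page, hosts and allowlist below are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party script, an allowed CDN script,
# an inline script, and a script pulled from an unrecognised host.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script>console.log("inline");</script>
<script src="https://unknown-host.example.net/js/collect.js"></script>
</head><body><form action="/track"><input name="token"></form></body></html>
"""

# Assumption: the site's known, approved third-party script hosts.
ALLOWED_HOSTS = {"cdn.example.com"}


class ScriptCollector(HTMLParser):
    """Collects the src attribute (or None for inline) of every <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us.
        if tag == "script":
            self.scripts.append(dict(attrs).get("src"))


def find_unexpected_scripts(html, site_host, allowed_hosts=ALLOWED_HOSTS):
    """Return (reason, src) pairs for scripts that warrant a closer look.

    Inline scripts are reported because an injected snippet is most often
    inline; external scripts are reported when their host is neither the
    site itself nor an approved third party. Relative and scheme-relative
    URLs are resolved by urlparse: an empty netloc means first-party.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.scripts:
        if src is None:
            findings.append(("inline", None))
            continue
        host = urlparse(src).netloc.lower()
        if host == "" or host == site_host.lower():
            continue  # first-party script
        if host not in allowed_hosts:
            findings.append(("unexpected-host", src))
    return findings


if __name__ == "__main__":
    for reason, src in find_unexpected_scripts(SAMPLE_HTML, "www.example.org"):
        print(f"{reason}: {src}")
```

Run against a page snapshot taken from the live site (or from a web archive) on a schedule; a new entry in the output is a change worth investigating, and the inline category is where a page-integrity baseline, or a Content Security Policy that disallows inline scripts, pays off.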


Copyright Lyonsdown Limited 2021
