A massive phishing campaign aimed at stealing Okta, Office 365 and Outlook account credentials of victims has been found targeting a number of United Nations humanitarian organisations such as UNICEF and the International Federation of Red Cross and Red Crescent Societies.
Detailed research into the phishing campaign by Lookout revealed that it also targeted several other organisations such as the UN World Food Programme, Heritage Foundation, United States Institute of Peace, Concern Worldwide, Humanity and Inclusion, Social Science Research Council, and the United Nations itself.
The campaign involved cyber criminals sending emails to staff at the targeted organisations containing links to pages that spoof those organisations' own websites. Once a victim clicks on a fraudulent link, they are asked to enter their enterprise login credentials to access further content.
“Mobile phishing has emerged as a source of increasing risk for enterprises, as the post-perimeter world and widespread adoption of bring your own device (BYOD) policies blurs the lines between personal devices and corporate networks, not to mention the expanded multi-channel threat surface presented by such devices and mobility as a whole,” the firm noted.
Phishing campaign used SSL certs, keyloggers & mobile-specific content
The security firm also observed that the phishing pages feature embedded key logging functionality that can capture keystrokes when victims type on the password field and send the information back to the command and control infrastructure operated by the malicious actor.
According to Lookout, the cyber criminals behind this phishing campaign used a range of SSL certificates that were valid between May 5 and August 3 this year and between June 5 and September 3 this year. Because six of the SSL certificates used for the phishing URLs are still valid, the campaign may still be ongoing.
“These latest attacks targeting United Nations and global charity websites use TLS certificates to make malicious domains appear legitimate; they take advantage of the implicit trust users have in the green padlock created by TLS certificates,” says Kevin Bocek, VP security strategy & threat intelligence at Venafi.
“This may appear sophisticated, but these kinds of phishing attacks are very common. For example, in 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. And in June, the FBI issued a warning stating that the green padlock on websites doesn’t mean the domain is trustworthy and safe from cyber criminals.
“In order to protect businesses and users, security teams must identify all the legitimate TLS certificates on their own networks. They also need to identify fraudulent certificates issued by attackers that are being used to impersonate their organisation. Technologies like certificate transparency and certificate reputation can definitely help, but as the number of certificates issued every day continues to skyrocket, more help is definitely needed,” he adds.
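The two points above, that certificates impersonating an organisation can be found in certificate transparency logs and that a still-valid certificate says nothing about a domain's legitimacy, can be turned into a simple hunting routine. The script below is an added example written for this article, not code from Lookout, Venafi or DomainTools. The CT records, the brand keyword list and the `.example` allowlist are all constructed; the field names loosely follow the crt.sh-style JSON layout (`name_value`, `not_before`, `not_after`, `issuer_name`) but every value is invented.

```python
"""Flag certificate transparency (CT) records whose hostnames embed a
monitored brand name but are not domains the organisation owns, and report
which of those certificates are still inside their validity window.

Added example for illustration: the records, brand list and allowlist below
are constructed, not real CT data. Field names mimic crt.sh JSON output.
"""
from datetime import date, datetime
import re

# Brand keywords to monitor (assumption: maintained by the monitoring team;
# the names are the ones targeted in the campaign described in the article).
BRAND_KEYWORDS = ("unicef", "okta", "office365", "outlook")

# Domains the organisation legitimately owns (constructed allowlist; ".example"
# is a reserved TLD, so none of these hostnames resolve).
LEGITIMATE_DOMAINS = {"unicef.example", "login.unicef.example"}

# Digits commonly substituted for letters in lookalike hostnames.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

# Constructed CT log records (crt.sh-style fields, invented values).
SAMPLE_CT_RECORDS = [
    {"name_value": "login.unicef.example", "not_before": "2019-05-05T00:00:00",
     "not_after": "2019-08-03T00:00:00", "issuer_name": "C=US, O=Example CA 1"},
    {"name_value": "unicef-sso-login.example", "not_before": "2019-05-05T00:00:00",
     "not_after": "2019-08-03T00:00:00", "issuer_name": "C=US, O=Example CA 1"},
    # One certificate covering two SANs; crt.sh joins them with newlines.
    {"name_value": "okta-verify.example\nwww.okta-verify.example",
     "not_before": "2019-06-05T00:00:00", "not_after": "2019-09-03T00:00:00",
     "issuer_name": "C=US, O=Example CA 2"},
    {"name_value": "outl00k-secure.example", "not_before": "2019-06-05T00:00:00",
     "not_after": "2019-09-03T00:00:00", "issuer_name": "C=US, O=Example CA 2"},
    {"name_value": "weather.example", "not_before": "2019-06-05T00:00:00",
     "not_after": "2019-09-03T00:00:00", "issuer_name": "C=US, O=Example CA 2"},
]


def normalize_hostname(hostname: str) -> str:
    """Lower-case, drop a wildcard prefix, map lookalike digits to letters and
    strip separators, so 'outl00k-secure.example' -> 'outlooksecureexample'."""
    host = hostname.lower()
    if host.startswith("*."):
        host = host[2:]
    host = host.translate(_HOMOGLYPHS)
    return re.sub(r"[^a-z]", "", host)


def matched_brand(hostname: str):
    """Return the brand keyword a hostname imitates, or None when the hostname
    is allowlisted or contains no monitored brand. Substring matching is
    deliberately loose: a human reviews the findings, so false positives are
    preferable to missed lookalikes."""
    bare = hostname.lower()
    if bare.startswith("*."):
        bare = bare[2:]
    if bare in LEGITIMATE_DOMAINS:
        return None
    collapsed = normalize_hostname(hostname)
    for brand in BRAND_KEYWORDS:
        if normalize_hostname(brand) in collapsed:
            return brand
    return None


def parse_ct_time(value: str) -> date:
    """CT timestamps arrive as ISO 8601 strings; only the date matters here."""
    return datetime.fromisoformat(value).date()


def hunt(records, reference_date: date):
    """Return one finding per lookalike hostname, noting whether the
    certificate is still valid on reference_date. A valid certificate only
    proves the attacker controlled the domain when it was issued."""
    findings = []
    for rec in records:
        for name in rec["name_value"].splitlines():
            brand = matched_brand(name)
            if brand is None:
                continue
            not_before = parse_ct_time(rec["not_before"])
            not_after = parse_ct_time(rec["not_after"])
            findings.append({
                "hostname": name,
                "brand": brand,
                "issuer": rec["issuer_name"],
                "not_before": not_before,
                "not_after": not_after,
                "still_valid": not_before <= reference_date <= not_after,
            })
    return findings


def summarize(findings):
    """Count lookalike certificates and how many are still within validity."""
    return {
        "lookalike_certs": len(findings),
        "still_valid": sum(1 for f in findings if f["still_valid"]),
    }


if __name__ == "__main__":
    hits = hunt(SAMPLE_CT_RECORDS, date(2019, 8, 20))
    for f in hits:
        state = "VALID" if f["still_valid"] else "expired"
        print(f"{f['hostname']:<28} imitates {f['brand']:<10} {state:<8} {f['issuer']}")
    print(summarize(hits))
```

Run against a real CT feed, the allowlist is the only part that keeps this honest: every certificate the organisation itself obtains must be recorded there, which is exactly the inventory of legitimate certificates the quote above says security teams need before they can tell their own certificates from an impersonator's.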
Commenting on the threat posed by this phishing campaign, Corin Imai, senior security advisor at DomainTools, says that if a threat actor were to successfully phish an employee at the United Nations, or at any of the other humanitarian organisations targeted, the data they could gain access to might have serious geopolitical ramifications if stolen.
“Every organisation should take cybersecurity training seriously, but it is of exceptional importance that global governing bodies such as the UN provide rigorous training for employees,” he adds.