Phishing Campaign Spoofs United Nations and Multiple Other Organizations

Anomali Labs researchers recently discovered a phishing site masquerading as a login page for United Nations (UN) Unite Identity, a single sign-on (SSO) application used by UN staff. When visitors attempt to log in to the fraudulent page, their browser is redirected to an invitation for a film viewing at the Polish Embassy in Pyongyang dated September 2018. Further analysis of the threat actor’s infrastructure uncovered a broader phishing campaign targeting several email providers, financial institutions, and a payment card provider. We expect malicious actors to continue targeting United Nations staff, as well as the listed brands and their users, with faux login pages designed to pilfer user credentials for resale on criminal forums and marketplaces and, in the case of financial accounts, to steal payment card information.

Prior to the release of this blog post, we submitted the phishing sites to Google Safe Browsing and Microsoft for blacklist consideration.

Initial Discovery

On February 17th, 2019, Anomali Labs researchers discovered a host, cloud[.]unite[.]un[.]org[.]docs-verify[.]com, bearing a strong resemblance to the legitimate domain name unite.un[.]org used by the United Nations. When navigating to the suspicious subdomain, users are shown a phishing site mimicking the United Nations’ Unite Identity login page. According to the UN Unite website, Unite Identity is a single sign-on (SSO) application that allows UN staff to log into various systems, such as webmail and internal databases, using a single user ID and password. The phishing site requests that users enter their email address ending in @un[.]org and their Unite Identity password. The phishing page, a cloned version of the legitimate site, even warns users of fake UN websites designed to steal usernames and passwords and provides a copy of the website address for the legitimate Unite Identity login page. We therefore judge with high confidence that this phishing page is designed to trick United Nations staffers into disclosing their user credentials.

Figure 1. Phishing page mimicking the United Nations’ Unite Identity login site

Once users input their credentials and select the blue “Sign in” button, they are redirected to a page for a PDF file named “Invitation.pdf” (MD5: 3a90141002ad87068777d7cc81aa5812), which, based on the file’s metadata, was created on September 04, 2018. According to the file’s content, it is a community-wide invitation for a screening of the Polish film “Loving Vincent” at the Embassy of the Republic of Poland in Pyongyang (North Korea) on September 6, 2018 at 6:30 local time. When processed through VirusTotal and Hybrid Analysis, there were no immediate signs of a malware-infected file; therefore, the purpose behind it is unclear.

Figure 2. Screenshot of invitation for film viewing at the Poland Embassy in Pyongyang

SSL Certificate Analysis

The server hosting the UN-themed phishing site had a self-signed SSL/TLS certificate (SN: 276742105605466998454240396830933951554982) installed that was issued by Let’s Encrypt, a free certificate provider. The certificate is valid for 90 days, starting on January 29, 2019 and expiring on April 29, 2019. The certificate’s Subject Alternative Name (SAN) revealed a total of 12 suspicious subdomain names of the parent domain docs-verify[.]com targeting four email providers: Yahoo, AOL, NetEase, and 163.com. At the time of this writing, 6 of the 12 subdomains hosted replica pages mimicking login sites for the United Nations, Yahoo, AOL, and 163.com.

Figure 3. SSL Certificate Subject Alternative Name for fraudulent sites targeting the UN, Yahoo, AOL, 163.com, NetEase

Figure 4. Faux login pages for Yahoo, AOL, and 163.com
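The hostname pattern from the Initial Discovery and SAN analysis above (a trusted brand domain embedded as subdomain labels under an attacker's registrable domain) can be triaged automatically. The following script is an added example, not part of Anomali's report or tooling; it assumes a tiny built-in suffix table in place of the full Public Suffix List, and its PROTECTED set and SAN_HOSTS list are taken from the indicators on this page.

```python
# Lookalike-hostname triage for the docs-verify[.]com pattern: a trusted brand
# domain embedded as subdomain labels under the attacker's registrable domain (eTLD+1).
# Assumption: a tiny built-in suffix table stands in for the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "xyz", "co.uk"}
# Brand domains impersonated in this campaign.
PROTECTED = {"un.org", "yahoo.com", "aol.com", "163.com", "netease.com"}


def registrable_domain(hostname: str) -> str:
    """eTLD+1 of a hostname: 'cloud.unite.un.org.docs-verify.com' -> 'docs-verify.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # two-label suffixes such as co.uk are checked first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def classify(hostname: str) -> dict:
    """Strong signal: a protected domain appears verbatim as consecutive labels left
    of the eTLD+1. Weak signal: only the brand's name appears inside a label."""
    labels = hostname.lower().rstrip(".").split(".")
    reg = registrable_domain(hostname)
    prefix = labels[: len(labels) - len(reg.split("."))]
    embedded, keywords = [], []
    if reg not in PROTECTED:  # hosts under the genuine brand domain are never flagged
        for brand in sorted(PROTECTED):
            b = brand.split(".")
            if any(prefix[i:i + len(b)] == b for i in range(len(prefix) - len(b) + 1)):
                embedded.append(brand)
            elif any(b[0] in lab.split("-") for lab in prefix):
                keywords.append(brand)
    return {"host": hostname, "registrable": reg, "embedded": embedded,
            "keywords": keywords, "suspicious": bool(embedded or keywords)}


def triage(hostnames):
    """Keep only hostnames worth a blocklist entry or takedown request."""
    return [r for r in map(classify, hostnames) if r["suspicious"]]


# Hostnames from the certificate SAN list and appendix, plus two legitimate controls.
SAN_HOSTS = [
    "cloud.unite.un.org.docs-verify.com",
    "www.cloud.yahoo.com.documents.unite.docs-verify.com",
    "cloud.aol.com.documents.unite.docs-verify.com",
    "163-services.docs-verify.com",
    "download-netease.docs-verify.com",
    "unite.un.org",     # genuine Unite Identity host: must not be flagged
    "login.yahoo.com",  # genuine: must not be flagged
]

if __name__ == "__main__":
    for hit in triage(SAN_HOSTS):
        print(hit["host"], "->", hit["registrable"], hit["embedded"], hit["keywords"])
```

Only the five docs-verify[.]com hosts are returned; the two genuine hosts pass because their own eTLD+1 is the protected brand domain.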

Domain and IP Address Analysis

A Whois record lookup of the parent domain docs-verify[.]com showed that it was registered with the Malaysian registrar and hosting provider Shinjiru Technology Sdn Bhd on August 1, 2018 by a registrant named “Leslie T. Alexander” of Bedford, Maine, who uses the email address leslietalexander{at}protonmail[.]com. The parent domain and the 12 associated subdomains resolved to a Malaysia-based IP address, 111.90.142[.]52 (AS45839 – Shinjiru Technology Sdn Bhd), which hosts 33 domains in total. A review of the 32 additional domains uncovered multiple suspect sites, including phishing sites targeting Visa Vanilla Gift Cards, Caixa Bank of London, and First Texas Bank.

Figure 5. Suspected phishing sites targeting Visa Vanilla Gift Cards, Caixa Bank of London, and First Texas Bank

Protecting Yourself from Phishing Attacks

  • Be wary of unsolicited emails from untrusted senders, and refrain from opening file attachments or clicking embedded hyperlinks, especially when the sender asks you to visit a suspicious-looking site that requests your account credentials.
  • Update your operating system and applications with the latest patches as soon as they become available.
  • Use an antivirus and firewall solution, and make sure they are always up to date with the latest patches and antivirus signatures.
  • If you encounter a suspicious email or website, report it to your organization’s security contact and to the authorities in your area.
  • Always inspect the website address to ensure the legitimate website is displayed. Do not blindly trust that the padlock at the left of the address bar signifies that the website is legitimate; it only indicates that the information sent from your computer to the requested site is encrypted.
  • United Nations staff members looking to sign in to the Unite Identity website should ensure that they are at the legitimate address before attempting to remotely access their account.
  • Security personnel at the listed organizations should verify the phishing sites and request a domain and/or website takedown to prevent their users and clients from falling prey to this latest phishing scheme.

Appendix A – Indicators of Compromise

| Indicator of Compromise | Description |
| --- | --- |
| docs-verify[.]com | Malicious domain used to host multiple phishing pages |
| 111.90.142[.]52 | Malicious server hosting multiple suspicious and phishing sites |
| leslietalexander{at}protonmail[.]com | Email address associated with the registrant named Leslie Alexander who registered the domain docs-verify[.]com |
| cloud[.]unite[.]un[.]org[.]docs-verify[.]com | United Nations-themed phishing site |
| www[.]cloud[.]unite[.]un[.]org[.]docs-verify[.]com | United Nations-themed phishing site |
| 276742105605466998454240396830933951554982 | Serial number of the Let’s Encrypt SSL/TLS certificate installed on the malicious server used to target the United Nations, AOL, Yahoo, NetEase, and 163.com |
| 163-services[.]docs-verify[.]com | 163.com-themed phishing site |
| 163[.]docs-verify[.]com | 163.com-themed phishing site |
| cloud[.]aol[.]com[.]documents[.]unite[.]docs-verify[.]com | AOL-themed phishing site |
| cloud[.]yahoo[.]com[.]documents[.]unite[.]docs-verify[.]com | Yahoo-themed phishing site |
| download-netease[.]docs-verify[.]com | NetEase-themed phishing site |
| www[.]163-services[.]docs-verify[.]com | 163.com-themed phishing site |
| www[.]163[.]docs-verify[.]com | 163.com-themed phishing site |
| www[.]cloud[.]aol[.]com[.]documents[.]unite[.]docs-verify[.]com | AOL-themed phishing site |
| www[.]cloud[.]yahoo[.]com[.]documents[.]unite[.]docs-verify[.]com | Yahoo-themed phishing site |
| www[.]download-netease[.]docs-verify[.]com | NetEase-themed phishing site |
| hxxp://onevanillabalance[.]xyz | Suspected phishing site mimicking Visa Vanilla Gift Card |
| hxxp://onevanillagift[.]net | Suspected phishing site mimicking Visa Vanilla Gift Card |
| hxxp://onevanillainsight[.]xyz | Suspected phishing site mimicking Visa Vanilla Gift Card |
| hxxp://checkonevanillabalanceonline[.]com | Suspected phishing site mimicking Visa Vanilla Gift Card |
| hxxp://caixyonline[.]net | Suspected phishing site mimicking Caixa Bank of London |
| hxxp://firsttexaen[.]com | Suspected phishing site mimicking First Texas Bank |

Appendix B – Whois Record for docs-verify[.]com
About the Author

Anomali Labs