Phishing extreme

Recent advances in browsers such as Netscape 8 or IE7 have made it harder for the bad guys to succeed with their phishing schemes. In the malware world, technological advances stimulate the development of new ways to evade detection, and we’ve come across some interesting e-mails which seem to indicate the same is happening in the phishing area as well.

Our colleague Michael Molsner in Japan received an odd phishing e-mail at his address. The text is the usual “help keep your identity safe” and it pretends to come from PayPal. What’s interesting is the URL to the spoofed site, which points to a page on www.aafe.cn – the “Academy of Armoured Force Engenering”.

The Academy of Armoured Force Engenering
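The giveaway in the e-mail described above is that a message claiming to be from PayPal links to a host that has nothing to do with PayPal. The following is an added example, not code from the original post: a small link checker that parses a constructed sample e-mail resembling that message, extracts the anchors, and flags every link whose host is not the claimed brand’s domain (and, where the link text itself shows a different URL, the text/target mismatch). The brand allowlist, the sample message and the `/login/` path are assumptions for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Registrable domains the brand legitimately uses. Assumption: a tiny allowlist;
# a real tool would load the brand's published domain list.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Constructed sample resembling the message described in the post (not the original).
SAMPLE_EMAIL = """From: service@paypal.com
Subject: Help keep your identity safe
Content-Type: text/html

<html><body>
<p>Help keep your identity safe. Please confirm your account details.</p>
<a href="http://www.aafe.cn/login/">https://www.paypal.com/us</a>
</body></html>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(url):
    """Host of a URL, lower-cased, with a leading 'www.' removed; None if no host."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.lower().removeprefix("www.")


def suspicious_links(raw):
    """Return (href, reason) pairs for links that do not belong to the claimed brand."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    haystack = (body + msg.get("From", "")).lower()
    brands = [b for b in BRAND_DOMAINS if b in haystack]   # brands the mail claims
    findings = []
    for href, label in HREF_RE.findall(body):
        host = registrable_domain(href)
        if host is None:
            continue
        for brand in brands:
            # Legitimate only if the host is an allowed domain or a true subdomain of one;
            # a lookalike such as paypal.com.example does not pass this test.
            ok = any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])
            if ok:
                continue
            reason = "host not a %s domain" % brand
            label_host = registrable_domain(label.strip()) if "://" in label else None
            if label_host and label_host != host:
                reason += "; link text shows %s" % label_host
            findings.append((href, reason))
    return findings
```

Because it works on the e-mail alone, the check catches the mismatch before any redirect to a second site (such as the one the post describes) can take place.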

While the website itself appears to be legitimate, the page linked from the PayPal e-mail is not. It redirects the browser to a page on http://www.skycar.net.cn/ which loads an interesting piece of JavaScript.

This script runs maximized in the browser and presents the user with a window which looks like this:

As you can see, there is an Address field in the window which says “https://www.paypal.com/us”, but it is not the real browser address edit box! It’s a special field inside the Java applet which makes it look like part of the browser window. Note the real website address, www.skycar.net.cn, as displayed by Opera in the blue bar. However, users who aren’t too careful about where they enter their PayPal data might well be fooled.

Interestingly, Firefox doesn’t fall for this “trick” – it shows the fake “address bar” for a short time, then it hides it.
