Phishing Campaign – 10 August 2022

EG-FinCIRT has detected a massive phishing campaign focused on collecting credentials of financial institutions’ employees.

The campaign targets organizations’ employees with an email sent from a newly registered domain, so that the sender has no reputation history for mail filters to act on. The email warns the user that their “E-mail Storage Full” and persuades them to enter their username and password in order to “archive” the mailbox messages.

The campaign hosts its front-end pages on dynamic web applications. The landing page is generated on the fly as a clone of the targeted user’s own organization web page, which makes it far more convincing: the organization’s domain is supplied after the phishing URL, and the same behavior occurs if any other domain is typed after the phishing URL.

The screenshot below shows an example of a cloned web page. It should be highlighted that the technique did not succeed where the targeted organization’s web applications were protected from being cloned.

[Screenshot: example of a cloned login page]

Once the victim opens the malicious URL, the page displays a login panel to lure them into entering their credentials. On submission, the page sends a POST request to a second, separate domain that collects the credentials, as the screenshot below shows:

[Screenshot: POST request sending the captured credentials to a second domain]
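The two behaviors described above can be hunted for in web proxy logs: the organization’s own domain appearing in the path or query of a URL on a foreign host (the trigger the campaign uses to pick which page to clone), and a POST carrying credential-like form fields to a host the organization does not own. The script below is an added example written for this page, not EG-FinCIRT tooling; the domain names, log format and log lines are all constructed for illustration.

```python
"""
Hunting rules for the campaign described above (example code added to this
page, not EG-FinCIRT tooling).  Everything below that names a host, a field
or a log line is constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Domains the organization legitimately owns (constructed).
OWN_DOMAINS = {"bank.example", "mail.bank.example"}

# Form field names that usually carry a credential on a login page.
CRED_FIELDS = re.compile(r"^(user(name)?|login|email|pass(word|wd)?|pwd)$", re.I)


def is_own_host(host):
    """True if host is one of OWN_DOMAINS or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def mentions_own_domain(url):
    """Rule 1: an organization domain appears in the path or query of a URL
    whose host is NOT the organization's own (e.g. .../index.php/mail.bank.example)."""
    parts = urlsplit(url)
    if is_own_host(parts.hostname):
        return False
    tail = unquote(parts.path + "?" + parts.query).lower()
    return any(d in tail for d in OWN_DOMAINS)


def posts_credentials_offsite(method, url, body):
    """Rule 2: a POST with credential-like form fields to a non-corporate host."""
    if method.upper() != "POST" or is_own_host(urlsplit(url).hostname):
        return False
    fields = parse_qs(body, keep_blank_values=True)
    return any(CRED_FIELDS.match(name) for name in fields)


def triage(log_lines):
    """Each line is '<timestamp> <method> <url> <urlencoded-body-or-->'.
    Returns a list of (line_number, reason) for every line that matches a rule."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            _ts, method, url, body = line.split(" ", 3)
        except ValueError:
            continue  # malformed line, skip
        body = "" if body == "-" else body
        if mentions_own_domain(url):
            hits.append((n, "own domain in path/query of foreign URL (possible cloned page)"))
        if posts_credentials_offsite(method, url, body):
            hits.append((n, "credential-like POST to non-corporate host"))
    return hits


# Constructed proxy log: line 2 is the cloning URL, line 4 the harvesting POST.
SAMPLE_LOG = [
    "2022-08-10T09:01:12Z GET https://mail.bank.example/owa/ -",
    "2022-08-10T09:02:40Z GET https://storage-notice.example.net/app/index.php/mail.bank.example -",
    "2022-08-10T09:02:41Z GET https://storage-notice.example.net/app/assets/logo.png -",
    "2022-08-10T09:03:05Z POST https://collect.example.org/post.php username=a.user%40bank.example&password=Summer2022",
    "2022-08-10T09:04:00Z POST https://mail.bank.example/owa/auth.owa username=a.user&password=x",
]

if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Rule 1 deliberately ignores the legitimate case of the organization’s domain appearing on its own hosts (a `next=` parameter on a real login page), and Rule 2 is silent for POSTs to owned hosts, so the rules only fire on the cross-domain pattern the campaign relies on. Run over real proxy logs, the host allowlist should come from the organization’s asset inventory rather than a hard-coded set.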

Indicators Of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s constituents.

Mitigations
  • Block all outbound connections to the domains listed in the shared indicators of compromise.
  • Instruct all users who may have received such emails to change their passwords as soon as possible, revoke their active mail sessions where possible (a harvested password may already have been used), and notify EG-FinCIRT.
  • Conduct security awareness training sessions for staff so that they understand the risk associated with phishing attacks and how to recognize them.
  • Protect your organization’s web applications, especially login pages, from being cloned: at a minimum send an X-Frame-Options: DENY header or a Content-Security-Policy frame-ancestors directive so the page cannot be embedded in a frame by a third-party site (one of the ways a page can be cloned), and alert on bursts of login-page fetches from a single external address.

References

Egyptian Financial Computing Incident Response Team (EG-FinCIRT)