UN, UNICEF, Red Cross officials targeted in recent phishing campaign

Phishing sites first appeared in March, are not blocked in Google's Safe Browsing, and are still active today.

united nations UN

Special feature

Special report: A winning strategy for cybersecurity (free PDF)

This ebook, based on the latest ZDNet/TechRepublic special feature, offers a detailed look at how to build risk management policies to protect your critical digital assets.

Read More

Over the past few months, a pervasive spear-phishing campaign has hit a slew of human rights organizations across the world, with some of the victims including the Red Cross, UNICEF, and the UN World Food and the UN Development programs.

The attack was discovered by cyber-security firm Lookout. The company said the sites and the server infrastructure behind them have been up until March this year.

Some sites have been up for so long without being detected and reported that the SSL certificate that was used to serve them via HTTPS had time to expire.

None of the phishing sites that Lookout discovered and provided to ZDNet in a report last week were included in Google Safe Browsing, a database of bad links that web browsers query to show alerts to users. This means that most users wouldn't receive an alert when navigating to any of these sites.

Unclear if nation-state hackers or BEC scammers

Lookout said they contacted both law enforcement and the targeted organizations to warn them of the attacks.

ZDNet also reached out to some of the humanitarian organizations, but they declined to comment. A UN spokesperson said that members often receive anti-phishing materials and alerts, and are recommended to enable multi-factor authentication.

Lookout said it was unclear who was behind the attacks. This could range from nation-state hacking groups to regular cybercrime organizations.

"We can't speculate on attribution," Jeremy Richards, principal security researcher at Lookout, told ZDNet in an email this week.

"The motive of the attack is to compromise Okta and Microsoft credentials to gain access to these accounts, which could be used for further attacks or intelligence gathering."

A member of a human rights advocacy group told this reporter in an encrypted chat this week that organizations such as his or the ones listed in the Lookout report are often the targets of all sorts of groups.

State-sponsored groups want to breach human rights organizations to learn of any ongoing investigations, to track local or abroad whistleblowers, or gain intelligence on organization members to harass them at later points.

Similarly, human rights groups are also regularly targeted by regular financially-motivated hackers, such as BEC (business email compromise) scammers, who want to hijack payments or steal funds.

"It's no difference to them if we're a hardware vendor or NGO. All they want is the money," our source told us.

Campaign still ongoing

As for this particular campaign, Lookout said that the phishing pages they analyzed were different from the vast majority of phishing sites.

For starters, the pages were mobile-friendly, meaning they'd also load and look properly on small-screen devices like tablets and smartphones.

Second, the phishing pages also contained code that logged passwords as they were entered in real-time, and not only when the user submitted the login form. This technique is a clever one, rarely seen on most phishing sites, because it allows attackers to get the user's data even if they later spot the phishing page and abandon the site without submitting the login credentials.

Lookout said the servers hosting the phishing sites are still active today. The list of phishing pages associated with this campaign is listed below. More indicators of compromise are available in the company's report.

un-phishing.png

Image: Lookout