- Category: Adversary Intelligence
- Industry: Government
- Motivation: Fraud Campaigns
- Region: Middle East
- Source*: D - Fairly Reliable; 4 - Probably true
- A furniture selling website redirected to a phishing page targeting an entity belonging to Qatar’s government.
- The website required the targeted victim to enter a password to the targeted entity.
- Getting access to the credentials of the targeted email can lead to potential access and exploitation of websites, and tenders.
- The same email is for developers contact, implying all files hosted on the website and for NAS accounts.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Audit/monitor event & incident logs to identify unusual patterns/behaviors.
- Check for emails/messages originating from spam/suspicious sources.
Analysis of the Phishing Page
On 14 February 2023, CloudSEK’s Threat Intelligence Team discovered an URL, wherein an open redirection vulnerability was exploited to direct the victim to a login page of an entity belonging to the government of Qatar. The login was by default set to a domain belonging to the Qatar government, indicating the target of the attack. The phishing page had a substandard design loosely trying to trick a victim into entering credentials, hosted on the website.
Open Redirect Vulnerability:
Open redirect vulnerability arises when an URL redirects to an arbitrary unsafe website, through user input data. This helps the attackers to target more victims since they’re likely to click the links of trusted websites, unknowingly being redirected to the attacker's hosted content.
Upon entering the credentials, the website displays an error indicating invalid credentials are entered. However, by inspecting the Network requests, a 302 POST request was made to the URL of a Californian bank where credentials were being forwarded. (For more information please refer to the Appendix)
Information from the Open Web
By analyzing the initial domain that redirected to the phishing URL, it was observed that a vulnerability in the URL can aid in redirecting to any desired domain. This exploitation was evident in multiple instances found of the domain.
A domain belonging to a Swiss manufacturer of floor coverings was found vulnerable to this vulnerability and was used to redirect to the Qatar government entity targeted by the attackers.
As of today, the vulnerability and the phishing page are still active.
This was likely done to evade detection by the victims. The phishing domains starting with ipfs[.]io are known to be widely exploited by threat actors for phishing in the past. Thus, to avoid phishing alerts by search engines, threat actors made use of open redirect vulnerability. (For more information please refer to the Appendix)
InterPlanetary File System (IPFS) is a protocol that enables peer-to-peer data storage and transmission through a distributed file system. Being free to host and access, attackers can access the data(content) with the correct CID, whereas IPFS enables transport encryption. Based on the analysis from October 2022, until today while writing this report, ipfs[.]io has been used over 761 times to create phishing domains.