Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2)

November 28, 2022
4 min read

Category: Adversary Intelligence
Industry: Multiple
Motivation: Financial
Region: Middle East
Source*: A1

Executive Summary

Threat
  • Large-scale BEC campaign targeting Middle East-based companies and their vendors.
  • Scam emails lure vendors under the pretext of vendor registration, contract bidding, etc.
  • Use domain forwarding to the original domain to establish trust.

Impact
  • Loss of revenue and reputation.
  • Deploy malware that can compromise the company’s data and infrastructure.
  • Resilient to takedowns because threat actors recycle static web pages to set up websites after suspension.

Mitigation
  • Verify payment requests using secure internal workflows.
  • Check email addresses and URLs for altered spellings.
  • Awareness campaigns to educate employees.
  • Real-time monitoring and takedowns.
  • Attribution of threat actors to address the root of the issue.

Analysis and Attribution

Information from the Post

CloudSEK’s contextual AI digital risk platform has uncovered a large-scale ongoing BEC scam that is targeting vendors of Middle East-based organizations and individuals.

Previously, CloudSEK researchers identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity and UAE-based government organizations. Now, CloudSEK has unearthed a cluster of phishing domains registered using similar naming schemes to target contractors in the UAE in the guise of vendor registration, contract bidding, etc.

The threat actors behind this campaign are strategically buying or registering domains with keywords similar to the victim domains and are targeting multiple industries, such as Travel and Tourism, Oil & Gas, Real Estate, and Investment across the Middle East.

Some domains have only an email server enabled while others have set up websites to trick the users into thinking that they are legitimate businesses.

Some scam domains redirect to legitimate domains to trick victims into trusting the phishing emails.

The campaign is resilient to takedowns or hosting bans as it uses pre-stored static web pages with similar templates. These are uploaded from one domain to another in case of a ban.

For example, the newly registered domain bids-snoc[.]com, impersonating Sharjah National Oil Corporation (SNOC), will likely be used for future campaigns once the currently active fake domain is suspended.

Corporation                               | Estimated Revenue
------------------------------------------|------------------
Abu Dhabi National Oil Company (ADNOC)    | $59 Billion
Sharjah National Oil Corporation (SNOC)   | $84 Million
Emirates National Oil Company (ENOC)      | $14 Billion

Of the 35 phishing domains analyzed, over 90% of the look-alike domains targeting ADNOC, SNOC, and ENOC are hosted in North America. This preference is because there are several affordable providers in that region to choose from. Moreover, the service providers there take time to process takedown requests.

The majority of these domains belong to Tucows Domains, which is slow to respond to requests for the suspension of domains used for illegal activity. This is in contrast to other domain name service providers, many of whom have a one to three-day response to reports.

BEC scams are popular among scammers because they offer a high return on investment. A malware campaign requires dedicated infrastructure, whereas a BEC scam only needs a domain with an email server, or a domain with a website and an email server.

Domain with Email Server Only:

  • DNS records show that some of the phishing domains have multiple MX records set up to send emails.
  • The researchers have been able to obtain some of the emails sent by the scammers through OSINT (see Appendix). The emails appear to be properly formatted and grammatically correct. Hence, it can be inferred that these are not amateur campaigns. The threat actors appear to be veterans who have been targeting the region for a few years, with some of the domains dating back to 2020.
  • There are also a variety of scams being used to lure users. Apart from vendor registration and contract bidding, they also use fake job offers and investment opportunities to hoodwink victims. (See Appendix).
A scam email from one of the fake domains abdul-sattar-abdul-tr[.]com
  • Zoho Mail is the preferred email service provider used by the threat actors behind this campaign. The reason is that using a third-party service removes the hassle of setting up email servers. Instead, the whole infrastructure is provided by a third party which includes services like DMARC to prevent email spoofing.
  • One of the likely reasons to use Zoho by the threat actors is that it provides a 15-day free trial for the Mail Premium plan without a credit card. So, either the threat actor is using this offer or has a premium subscription to the service which is not expensive.
Threat actors operating with look-alike domains and mail servers

Domains with Website and Email Servers:

In contrast to the domains with email servers only, the purpose of setting up websites is to establish legitimacy. Most of these domains masquerade as investment firms, hotels, and travel agencies.

Threat actor with a default website and a Zoho Mail server

Domains with Domain Forwarding and Email Server:

Another tactic that we observed was fake domains forwarding traffic to the legitimate domain to establish trust. For instance, the fake domain rfq-taziz[.]com performs an HTTP 301 (Moved Permanently) redirect to the domain taziz[.]com, which belongs to a chemicals company in the UAE.

Threat actors set up domain forwarding and email server for operation

Resilience to Takedowns and Suspensions

Threat actors clone websites using HTTrack for easy set up on look-alike domains
  • Automatic creation of multiple static pages: The content of the fake websites appears to be generated with software and copied from the web. For instance, duramtravels[.]com copies content from altdubai[.]com and even hosts fake documents about the company (see Appendix). Moreover, a similar theme was used across multiple such fake websites.
  • Recycling of the pages: Backups of the fake websites are kept as clones made with the HTTrack software (see Appendix), whose signature was present in the source code. If one hosting provider blacklists them, the threat actors simply transfer the pages to another hosting service and the website is up again. Directory listing is enabled on some fake websites, exposing entire image folders that can be moved over (see Appendix).
  • Similar Domain Names: When a domain is blacklisted, the threat actor obtains another look-alike domain and re-uploads the static pages there. For example, the domain shh-hotel[.]com, which was active earlier, is now shh-hotels[.]com.
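A defender-side triage routine for the three infrastructure patterns described above (email-only domains, forwarding to the legitimate domain, and HTTrack-cloned websites), added here as an example and not part of CloudSEK's report. Brand and lure keywords come from the campaign; the DNS/HTTP observations, the legitimate-domain mapping and the sample HTML are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Brand tokens and lure keywords from the campaign described above; the DNS/HTTP
# observations fed to triage() are constructed for this example, not real lookups.
BRANDS = ("adnoc", "snoc", "enoc", "taziz")
LURES = ("bid", "tender", "contract", "vendor", "registration", "rfq", "proposal", "project")
LEGIT = {"taziz": "taziz.com", "snoc": "snoc.ae"}   # assumed legitimate domains (hypothetical)
# HTTrack leaves a "Mirrored from <source> by HTTrack Website Copier" comment in cloned pages.
HTTRACK_RE = re.compile(r"<!--\s*Mirrored from (\S+) by HTTrack", re.IGNORECASE)

@dataclass
class Observation:
    domain: str
    mx: list = field(default_factory=list)      # MX records seen
    a: list = field(default_factory=list)       # A records seen
    http_status: Optional[int] = None           # status of GET http://<domain>/
    location: Optional[str] = None              # Location header, if a redirect
    html: str = ""                              # body of the landing page, if any

def impersonated_brand(domain: str) -> Optional[str]:
    """Brand whose name and a bidding/vendor lure keyword both appear in the label."""
    label = domain.lower().split(".")[0]
    if domain.lower() in LEGIT.values():
        return None
    for brand in BRANDS:
        if brand in label and any(lure in label for lure in LURES):
            return brand
    return None

def triage(obs: Observation) -> dict:
    """Classify a look-alike domain into the infrastructure types seen in the campaign."""
    brand = impersonated_brand(obs.domain)
    kind = "unknown"
    if obs.mx and not obs.a:
        kind = "email-only"                      # mail server, no website
    elif obs.http_status in (301, 302) and obs.location:
        target = urlparse(obs.location).hostname or ""
        legit = LEGIT.get(brand, "")
        kind = "forwarding-to-legit" if legit and target.endswith(legit) else "redirect"
    elif obs.a and obs.mx:
        kind = "website+email"
    m = HTTRACK_RE.search(obs.html)              # cloned-site signature, if present
    return {"domain": obs.domain, "brand": brand, "kind": kind,
            "httrack_source": m.group(1) if m else None}
```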

Prediction

  • It can be stated confidently that the threat actor will target SNOC again from the new domain bids-snoc[.]com, which was created on 17 Aug 2022 using the email hr.kashifgroup@gmail[.]com. The domain has no A records as of now but will be used in future attacks on SNOC once the email servers are set up.
  • The same email was also used to register another new domain, guarantfinancial[.]com, on the same day. This domain has a fake finance website set up, so it is likely that the threat actor will send emails about fake investment opportunities using the website.

Conclusion

The cost-to-benefit ratio of a BEC is high as there is no need for complex infrastructure, unlike a malware campaign. A domain name with an email server, even one provided by a third party, is sufficient to conduct these attacks. The threat actor then sends fake emails to the employees of the targeted firms. These emails often contain fake pending payments, investment options, job offers, etc. To support this operation, these threat actors seem to have set up an entire network of such fake domains related to the finance, tourism, and travel sectors, which deploy a variety of techniques such as domain forwarding to establish user trust and are quite resilient to takedowns.

Pursuing these attackers legally can limit their operations. However, this would be a challenging task given the structure of the internet, wherein the domain name provider may be in one country while the mail servers are in another. Thus, the best solution is to take preventive measures so that these attacks do not succeed in the first place, such as training employees about BEC scams and putting multi-level authentication and identification mechanisms in place for payments.

Appendix

Domains registered with hr.kashifgroup@gmail[.]com, chai.mkopelmd@gmail[.]com, caywoodethanusarmy@gmail[.]com:

Multiple industries being targeted:


Websites associated with the Google Analytics ID, UA-6175655:


One of the fake websites was flagged as a scam website
Website using a mobile number that has been flagged as “Fake Recruiters”


One of the fake websites’ phone numbers is blacklisted as a scam

A scam email from one of the fake domains abienceinvestments-fze[.]com
Source Code of a malicious domain showing the use of HTTrack software
HTTrack software is used by the threat actor to keep clones of websites

Directory listing enabled for duramtravels[.]com that contains documents from Alt Dubai on the server
