Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2)

Published on November 28, 2022; updated on April 19, 2023
Category: Adversary Intelligence
Industry: Multiple
Motivation: Financial
Region: Middle East
Source*: A1

Executive Summary

Threat
  • Large-scale BEC campaign targeting Middle East-based companies and their vendors.
  • Scam emails lure vendors under the pretext of vendor registration, contract bidding, etc.
  • Use of domain forwarding to the original domain to establish trust.

Impact
  • Loss of revenue and reputation.
  • Deployment of malware that can compromise the company’s data and infrastructure.
  • Resilience to takedowns, because the threat actors recycle static web pages to set up websites after a suspension.

Mitigation
  • Verify payment requests using secure internal workflows.
  • Check email addresses and URLs for altered spellings.
  • Awareness campaigns to educate employees.
  • Real-time monitoring and takedowns.
  • Attribution of threat actors to address the root of the issue.

Analysis and Attribution

Information from the Post

CloudSEK’s contextual AI digital risk platform has uncovered a large-scale ongoing BEC scam that is targeting vendors of Middle East-based organizations and individuals. Previously, CloudSEK researchers identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity and UAE-based government organizations. Now, CloudSEK has unearthed a cluster of phishing domains registered using similar naming schemes to target contractors in the UAE under the guise of vendor registration, contract bidding, etc. The threat actors behind this campaign are strategically buying or registering domains that contain keywords from the victim domains, and are targeting multiple industries, such as Travel and Tourism, Oil & Gas, Real Estate, and Investment, across the Middle East. Some domains have only an email server enabled, while others host websites to trick users into thinking they are legitimate businesses. Some scam domains redirect to the legitimate domain so that the phishing emails appear trustworthy. The campaign is resilient to takedowns and hosting bans because it relies on pre-stored static web pages built from similar templates, which are re-uploaded to a new domain whenever one is banned. For example, the newly registered domain bids-snoc[.]com, impersonating Sharjah National Oil Corporation (SNOC), will likely be used for future campaigns once the currently active fake domain is suspended.
Corporation                                Estimated Revenue
Abu Dhabi National Oil Company (ADNOC)     $59 Billion
Sharjah National Oil Corporation (SNOC)    $84 Million
Emirates National Oil Company (ENOC)       $14 Billion
Of the 35 phishing domains analyzed, over 90% of the look-alike domains targeting ADNOC, SNOC, and ENOC are hosted in North America. This preference is explained by the several affordable providers available in that region, and by the time those providers take to process takedown requests. The majority of these domains belong to Tucows Domains, which is slow to respond to requests to suspend domains used for illegal activity, in contrast to other domain name service providers, many of whom respond to reports within one to three days. BEC scams are popular among scammers because the return on investment is high: a malware campaign requires dedicated infrastructure, whereas a BEC scam needs only a domain with an email server, or a domain with a website and an email server.
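The naming scheme described above (a brand keyword such as adnoc, snoc, enoc or taziz combined with procurement themes like bid, tender, registration or rfq) lends itself to a simple defender-side check. The script below is an added example, not CloudSEK's code; the brand and theme tokens come from the domains named in this report, and the allowlist is a constructed stand-in for an organization's own list of trusted domains.

```python
"""Score domains against the look-alike naming scheme described above.
Added example, not CloudSEK's code: brand and theme tokens come from the domains
named in the report; the allowlist is a constructed stand-in for a defender's list."""
from typing import Optional

BRANDS = ("adnoc", "snoc", "enoc", "taziz")          # impersonated brand keywords
THEMES = ("registrations", "registration", "contractors", "contractor", "contracts",
          "contract", "consultant", "tenders", "tender", "bidding", "biding", "bidders",
          "bids", "bid", "vendor", "proposal", "project", "rfq", "administrator")
GEO = ("uae", "ae", "dubai", "gov")                   # filler tokens seen in the fakes
ALLOWLIST = {"taziz.com"}    # the report names taziz[.]com as the real company domain


def refang(domain: str) -> str:
    """Turn defanged report notation like 'bid-adnoc[.]com' back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def _longest_match(part: str, vocab) -> Optional[str]:
    hits = [v for v in vocab if v in part]
    return max(hits, key=len) if hits else None


def lookalike_report(domain: str) -> dict:
    """Classify one domain as allowlisted, no-brand-match, brand-lookalike, or
    brand-lookalike-themed (brand keyword plus a procurement/recruitment theme)."""
    host = refang(domain)
    result = {"domain": host, "brand": None, "themes": [], "geo": [], "verdict": "no-brand-match"}
    if host in ALLOWLIST:
        result["verdict"] = "allowlisted"
        return result
    label = host.split(".")[0]          # assumes a plain second-level domain, e.g. bid-adnoc.com
    brand = _longest_match(label, BRANDS)
    if brand is None:
        return result
    result["brand"] = brand
    # Replace the brand with a separator so the remaining tokens can be split on '-'.
    for part in filter(None, label.replace(brand, "-", 1).split("-")):
        theme, geo = _longest_match(part, THEMES), _longest_match(part, GEO)
        if theme:
            result["themes"].append(theme)
        elif geo:
            result["geo"].append(geo)
    result["verdict"] = "brand-lookalike-themed" if result["themes"] else "brand-lookalike"
    return result


if __name__ == "__main__":
    for d in ("bids-snoc[.]com", "snocprojectae[.]com", "registration-ae-enoc[.]com",
              "rfq-taziz[.]com", "taziz[.]com", "duramtravels[.]com"):
        print(lookalike_report(d))
```

Fed with newly registered domains from a certificate-transparency or zone-file feed, the themed verdict is the one worth alerting on; the brand-only verdict is a lower-priority watchlist entry.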

Domain with Email Server Only:

  • DNS records show that some of the phishing domains have multiple MX records, i.e. they are configured to handle email.
  • The researchers have been able to obtain some of the emails sent by the scammers through OSINT (see Appendix). The emails are properly formatted and grammatically correct. Hence, it can be inferred that these are not amateur campaigns. The threat actors appear to be veterans who have been targeting the region for a few years, with some of the domains dating back to 2020.
  • A variety of lures is in use. Apart from vendor registration and contract bidding, the actors also use fake job offers and investment opportunities to hoodwink victims (see Appendix).
Figure: A scam email from one of the fake domains, abdul-sattar-abdul-tr[.]com
  • Zoho Mail is the email service provider preferred by the threat actors behind this campaign. Using a third-party service removes the hassle of setting up email servers: the whole infrastructure is provided by the third party, including services like DMARC to prevent email spoofing.
  • One likely reason the threat actors use Zoho is that it offers a 15-day free trial of the Mail Premium plan without requiring a credit card. So the threat actors are either using this offer or hold a premium subscription, which is not expensive.
Figure: Threat actors operating with look-alike domains and mail servers

Domains with Website and Email Servers:

In contrast to the domains with email servers only, the purpose of setting up websites is to establish legitimacy. Most of these domains masquerade as investment firms, hotels, and travel agencies.
Figure: Threat actor with a default website and a Zoho Mail server

Domains with Domain Forwarding and Email Server:

Another tactic we observed was fake domains forwarding traffic to the legitimate domain to establish trust. For instance, the fake domain rfq-taziz[.]com performs an HTTP 301 (Moved Permanently) redirect to taziz[.]com, the domain of a chemicals company in the UAE.
Figure: Threat actors set up domain forwarding and an email server for the operation

Resilience to Takedowns and Suspensions

Figure: Threat actors clone websites using HTTrack for easy setup on look-alike domains
  • Automatic creation of multiple static pages: The content of the fake websites appears to be copied from the web and assembled with software. For instance, duramtravels[.]com copies altdubai[.]com and even hosts fake documents about the company (see Appendix). Moreover, a similar theme was used across multiple such fake websites.
  • Recycling of the pages: Backups of the fake websites are kept as clones made with the HTTrack software (see Appendix), whose signature was present in the source code. If one hosting provider blacklists them, the threat actors simply transfer the pages to another hosting service and the website is up again! Directory listing is enabled on some fake websites, exposing entire image folders that can be moved as-is (see Appendix).
  • Similar domain names: When a domain is blacklisted, the threat actor obtains another look-alike domain and re-uploads the static pages there. For example, the domain shh-hotel[.]com, which was active earlier, is now shh-hotels[.]com.
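Two of the artifacts this section and the Appendix rely on, the HTTrack signature left in mirrored pages and the Google Analytics property ID shared across fake sites, are easy to extract and pivot on. The script below is an added example, not CloudSEK's code: the domain names are taken from the report, but the HTML snippets are constructed to imitate what the report describes and are not captured pages.

```python
"""Fingerprint fake-site HTML for HTTrack mirroring and shared Google Analytics IDs.
Added example, not CloudSEK's code. Domain names are from the report; the HTML
snippets are constructed to imitate what the report describes, not captured pages."""
import re
from collections import defaultdict

# HTTrack stamps every mirrored page with this comment; group 1 is the cloned source.
HTTRACK_RE = re.compile(r"<!--\s*Mirrored from\s+(\S+)\s+by HTTrack Website Copier", re.I)
# Universal Analytics property IDs as they appear in tracking snippets.
GA_RE = re.compile(r"\bUA-\d{4,10}(?:-\d{1,4})?\b")


def fingerprint(html: str) -> dict:
    """Return the HTTrack mirror source (None if absent) and the GA IDs in one page."""
    m = HTTRACK_RE.search(html)
    return {"httrack_source": m.group(1).rstrip("/") if m else None,
            "ga_ids": sorted(set(GA_RE.findall(html)))}


def cluster_by_ga(pages: dict) -> dict:
    """Group domains that share a GA property ID: the pivot the report uses to tie
    otherwise unrelated fake sites to one operator. Single-use IDs link nothing."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for ga in fingerprint(html)["ga_ids"]:
            clusters[ga].add(domain)
    return {ga: sorted(ds) for ga, ds in clusters.items() if len(ds) > 1}


# Constructed samples (markup invented for this example).
SAMPLE_PAGES = {
    "duramtravels.com": (
        "<!-- Mirrored from altdubai.com/ by HTTrack Website Copier/3.x [XR&CO'2014], "
        "Tue, 15 Nov 2022 10:00:00 GMT -->\n<html><body>About us</body></html>"),
    "abdul-sattar-abdul-tr.com": (
        "<html><head><script>ga('create', 'UA-6175655', 'auto');</script></head></html>"),
    "shh-hotels.com": (
        "<html><head><script>ga('create', 'UA-6175655', 'auto');</script></head></html>"),
    "unrelated-site.test": (
        "<html><head><script>ga('create', 'UA-99999999-1', 'auto');</script></head></html>"),
}

if __name__ == "__main__":
    for domain, html in SAMPLE_PAGES.items():
        print(domain, fingerprint(html))
    print(cluster_by_ga(SAMPLE_PAGES))   # which fakes share one GA property
```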

Prediction

  • It can be stated confidently that the threat actor will target SNOC again from the new domain bids-snoc[.]com, which was created on 17 Aug 2022 using the email hr.kashifgroup@gmail[.]com. The domain has no A records as of now but will be used in future attacks on SNOC once the email servers are set up.
  • The same email was also used to register another new domain, guarantfinancial[.]com, on the same day. This domain has a fake finance website set up, so it is likely that the threat actor will send emails about fake investment opportunities using the website.

Conclusion

The cost-to-benefit ratio of a BEC is high because it needs no complex infrastructure, unlike a malware campaign. A domain name with an email server, even one rented from a third party, is sufficient to conduct these attacks. The threat actor then sends fake emails to the employees of the targeted firms. These emails often contain fake pending payments, investment options, job offers, etc. To support this operation, the threat actors seem to have set up an entire network of such fake domains related to the finance, tourism, and travel sectors, which deploys a variety of techniques, such as domain forwarding, to establish user trust and is quite resilient to takedowns. Pursuing these attackers legally can limit their operations. However, this is a challenging task given the structure of the internet, where the domain name provider may be in one country while the mail servers are in another. Thus, the best solution is to take preventive measures so that the attacks do not succeed in the first place, such as training employees about BEC scams and introducing multi-level authentication and identification mechanisms for payments.

Appendix

Domains registered with hr.kashifgroup@gmail[.]com, chai.mkopelmd@gmail[.]com, caywoodethanusarmy@gmail[.]com:
Multiple industries being targeted:
Websites associated with the Google Analytics ID UA-6175655:
Figure: One of the fake websites was flagged as a scam website; the mobile number it uses has been flagged as “Fake Recruiters”
Figure: One of the fake websites’ phone numbers is blacklisted as a scam
Figure: A scam email from one of the fake domains, abienceinvestments-fze[.]com
Figure: Source code of a malicious domain showing the use of HTTrack software
Figure: HTTrack software is used by the threat actor to keep clones of websites
Figure: Directory listing enabled for duramtravels[.]com, containing documents from Alt Dubai on the server
