Advanced Phishing Scams Target Individuals & Businesses in the Middle East

Summary

XVigil identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity. A deep-dive analysis of the domain exposed a full-fledged campaign, where the threat actors were impersonating the Ministry of Human Resources of the UAE government.
Category: Adversary Intelligence
Industry: Multiple
Motivation: Financial
Region: Middle East
Source*: A1

Executive Summary

Threat
  • An ongoing phishing campaign is targeting government and corporate entities in the Finance, Travel, Hospital, Legal, Oil and Gas, and Consultation industries.
Impact
  • Large-scale phishing campaigns can result in significant loss of customer data and inflict reputational and monetary damage on their victims.
Mitigation
  • Avoid downloading suspicious documents and clicking on suspicious links.
  • Enable the visibility of file extensions, use MFA (Multi-Factor Authentication), and keep antivirus software updated.

CloudSEK's contextual AI digital risk monitoring platform XVigil identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity. A deep-dive analysis of the domain exposed a full-fledged campaign in which the threat actors impersonated the Ministry of Human Resources of the UAE government. The actors created a fake website, www.mohregov-ae[.]com, that resembles the legitimate domain www.mohre.gov.ae, in order to defraud users.
Phishing website targeting Ministry of Human Resources, UAE
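As an added example (not code from the CloudSEK report), a small scorer for the lookalike pattern described above: the legitimate name mohre.gov.ae squashed into a single label with the ccTLD glued on (mohregov-ae), plus brand tokens combined with procurement lure words. The protected-domain list, lure words and weights are assumptions for illustration.

```python
import re

# Legitimate domains to protect. The report names www.mohre.gov.ae as the site
# impersonated by mohregov-ae[.]com; the other three are assumed entries for the
# brand tokens (adnoc, enoc, taqa) that recur in the campaign's domain names.
PROTECTED = ["mohre.gov.ae", "adnoc.ae", "enoc.com", "taqa.com"]

# Procurement/official-looking lure words seen in the reported domain names.
LURE_WORDS = ("bid", "tender", "vendor", "contract", "gov")


def _collapse(text):
    """Keep only letters and digits, so dots and hyphens stop mattering."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def lookalike_score(candidate):
    """Score how strongly a domain imitates a PROTECTED domain.

    Returns (score, reasons); 0 means no overlap or a genuine (sub)domain.
    """
    cand = candidate.lower().replace("[.]", ".").strip(".")   # undo defanging
    label = cand.rsplit(".", 1)[0]          # everything before the real TLD
    flat = _collapse(label)
    score, reasons = 0, []
    for legit in PROTECTED:
        if cand == legit or cand.endswith("." + legit):
            return 0, ["genuine domain or subdomain of " + legit]
        if flat == _collapse(legit):
            # mohre.gov.ae -> "mohregov-ae" (.com): whole name squashed into one label
            score += 50
            reasons.append(legit + " collapsed into a single label")
        elif legit.split(".")[0] in flat:
            score += 30
            reasons.append("contains brand token '" + legit.split(".")[0] + "'")
    if score:
        # campaign pattern: the real ccTLD "ae" glued onto the label (enoc-ae, gulfins-ae)
        if re.search(r"-?u?ae$", label):
            score += 10
            reasons.append("ccTLD 'ae' appended to the label")
        hits = [w for w in LURE_WORDS if w in flat]
        if hits:
            score += 10 * len(hits)
            reasons.append("lure words: " + ", ".join(hits))
    return score, reasons


def flag_domains(domains, threshold=30):
    """Return [(domain, score, reasons)] at or above threshold, highest first."""
    scored = [(d, *lookalike_score(d)) for d in domains]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])
```

Feed it newly registered domains (for example from certificate transparency or a registrar feed) and review everything above the threshold.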

Analysis and Attribution

The Phishing Campaign

  • CloudSEK’s investigation indicates that this is a large-scale phishing campaign targeted at individual job seekers and businesses, exposing them to 419 and BEC scams.
  • The shared pattern in the registrant email addresses, domain names, and hosting infrastructure indicates that a single threat actor or threat actor group owns all of these phishing domains and websites.

Information from the Malicious Domain

  • The WHOIS registration information for the domain mohregov-ae[.]com is linked to the following registrant:
WHOIS Details
    Name: Mike James (44 Domains)
    Company: NA
    Address: Building a – Office 1309 - Zayed the First St
    City: Abu Dhabi
    State: Abu Dhabi
    Postal Code: 00000
    Country: United Arab Emirates
    Email: [email protected][.]com
    Phone: +971.556822973 (43 Domains)
WHOIS registrant information for mohregov-ae[.]com
  • Upon further investigation of the email address [email protected][.]com, our researchers discovered 43 domains that shared the same registrant information.
  • These domains were primarily being utilized for the following malicious activities:
    • To target immigrant workers looking for jobs in the Middle-East region
    • To target businesses under the theme of Business Email Compromise (BEC) scams
  • While the domains presumably used to target job seekers present a credible impression to first-time visitors, the domains potentially targeting businesses with BEC scams have no website and are most likely used only to send emails.
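As an added example (not the report's own tooling), the registrant pivot used in the two sections above: index WHOIS records by the fields the report pivoted on and union every domain that shares a value, so one seed domain expands to the whole cluster. The records are constructed; the domain names and phone numbers come from the report, the registrant emails are placeholders because the report redacts them, and the nameserver field is an assumption standing in for "hosting infrastructure".

```python
from collections import defaultdict

# Constructed WHOIS-style records (not data from the report). The overlap that
# links tenderadnoc.com to the first registrant by phone is invented to show a
# pivot on a field other than email.
RECORDS = [
    {"domain": "mohregov-ae.com",  "email": "registrant-a@example.invalid", "phone": "+971.556822973", "ns": "ns1.host-a.invalid"},
    {"domain": "adnoc-vendor.com", "email": "registrant-a@example.invalid", "phone": "+971.556822973", "ns": "ns1.host-a.invalid"},
    {"domain": "bid-taqa.com",     "email": "registrant-a@example.invalid", "phone": "+971.556822973", "ns": "ns2.host-a.invalid"},
    {"domain": "tenderadnoc.com",  "email": "registrant-b@example.invalid", "phone": "+971.556822973", "ns": "ns1.host-b.invalid"},
    {"domain": "jboilandgas.com",  "email": "registrant-b@example.invalid", "phone": "+971.559286098", "ns": "ns1.host-b.invalid"},
    {"domain": "unrelated-example.com", "email": "someone@example.invalid", "phone": "+1.0000000000", "ns": "ns1.host-c.invalid"},
]

PIVOT_FIELDS = ("email", "phone", "ns")


def pivot_index(records):
    """Map each (field, value) pair to the set of domains registered with it."""
    index = defaultdict(set)
    for r in records:
        for f in PIVOT_FIELDS:
            index[(f, r[f])].add(r["domain"])
    return index


def cluster_by_registrant(records):
    """Union-find: domains sharing any pivot value land in the same cluster."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]   # path halving keeps lookups short
            d = parent[d]
        return d

    for domains in pivot_index(records).values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    # largest cluster first, members sorted, so the output is deterministic
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def shared_pivots(records, domain_a, domain_b):
    """The pivot values two domains have in common, i.e. why they were linked."""
    return sorted(k for k, ds in pivot_index(records).items() if {domain_a, domain_b} <= ds)
```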

Information from OSINT

  • During the investigation into the fake domain, CloudSEK researchers discovered various other domains through open-source intelligence (OSINT) that had been reported on websites such as stop419scams.com as scams targeting job seekers.
Post on stop419scams.com for scam website- alhasiminternationalschools[.]com
  • A WHOIS search revealed that the email ID [email protected] was used to register the domain jboilandgas[.]com.
WHOIS Details
    Name: Albert Lot (31 domains)
    Company: NA
    Address: Hazza' Bin Zayed the First Street
    City: Abu Dhabi
    State: Abu Dhabi
    Postal Code: 00000
    Country: United Arab Emirates
    Email: [email protected] (31 domains)
    Phone: +971.559286098
  • Investigating the above email address, our researchers discovered 31 phishing domains that use similar tactics to target job seekers and businesses with 419 and BEC scams.
Phishing website- tenderadnoc[.]com redirecting users to legitimate website- taqa[.]com to avoid suspicion
  • A WHOIS search revealed that the email ID hr[.][email protected][.]com was used to register the domain firstcoastoffshoreservices[.]com.
WHOIS Details
    Name: hikmat Joe (46 domains)
    Company: NA
    Address: King Khalid Bin Abdulaziz Saeed St
    City: Abu Dhabi
    State: Abu Dhabi
    Postal Code: 00000
    Country: United Arab Emirates
    Email: [email protected] (46 domains)
    Phone: +971.521515382
  • On further investigation of the above email address, our researcher discovered 46 phishing domains targeting similar entities.

List of all the Domains Discovered

Domains Discovered
Domains discovered upon investigating email address [email protected][.]com.
Other domains found through open-source intelligence (OSINT) that were reported as scams targeting job seekers.
Domains discovered upon investigating email address [email protected]
Domains discovered upon investigating email address [email protected]

Impact & Mitigation

Impact
  • These phishing sites can be reused by other threat actors to target specific users and steal their:
    • Passwords
    • Documents
    • Crypto wallets
    • Other sensitive information
Mitigation
  • Avoid downloading suspicious documents from unknown sources.
  • Avoid clicking on suspicious links.
  • Enable the visibility of file extensions, and be wary of downloading files with unknown file extensions.
  • Ensure the use of MFA (Multi-Factor Authentication).
  • Use up-to-date antivirus and anomaly detection tools.

Appendix

Phishing website hxxp[://]siemenoilandgas[.]com targeting job seekers
Phishing domain hxxp[://]adnoc-vendor[.]com targeting businesses with BEC scams
