Phishing Campaign Targeting the Saudi Government Service Portal, Absher

Multiple phishing domains impersonating Absher, the Saudi government service portal. Domains provide fake services to the citizens and steal their credentials.
Updated on
April 19, 2023
Published on
October 20, 2022
Subscribe to the latest industry news, threats and resources.
Category: Adversary Intelligence Industry: Government Region: Middle East Source*: A1

Executive Summary

  • Multiple phishing domains impersonating Absher, the Saudi government service portal.
  • Domains provide fake services to the citizens and steal their credentials.
  • Citizens' PII and banking credentials compromised.
  • Domain login credentials compromised.
  • Obtained OTP possibly used for MFA bypass
  • Identify and report domains impersonating an organization.
  • Avoid clicking on suspicious links.
  • Detect and block phishing domains.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil identified a phishing website a-absher-sd[.]com imitating the legitimate domain of the Saudi Government Portal, Absher.
  • Absher is an application and web portal developed by the Saudi Ministry of Interior and used by citizens and residents of Saudi Arabia to access various government services such as applying for jobs and Hajj permits, updating passport information, reporting electronic crimes, etc.
[caption id="attachment_21204" align="alignnone" width="1352"]Phishing domain a-absher-sd[.]com Phishing domain a-absher-sd[.]com[/caption] 

Modus Operandi

  • The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal.
  • The phishing website presents users with a fake login portal, compromising the login credentials.
  • After the “login”, a popup appears prompting a 4-digit OTP sent to the registered mobile number, possibly being used to bypass multifactor authentication on the legitimate Absher Portal.
  • Any 4-digit number is accepted as an OTP without verification and the victim successfully logs in to the fake portal.
  • The user is then asked to fill in a “registration” form, divulging sensitive PII.
  • Once the registration is completed, the user is redirected to a new page where they are prompted to choose a bank and are directed to a fake bank login portal.
  • After submitting the internet banking login details a loading icon pops up and the page gets stuck, while the user banking credentials have already been compromised. (For more information refer to the Appendix section)

Information from OSINT

  • Government services in the Saudi region have been a prime target for cybercriminals to compromise user credentials and use them to conduct further cyberattacks.
  • Multiple phishing domains have been registered to gain the PII of individuals in Saudi Arabia.
  • A deep-dive analysis of the fake domain (a-absher-sd[.]com) exposed a full-fledged campaign, where the threat actors were impersonating the Saudi Ministry of Interior.
  • Multiple phishing domains were found to be operating on the same server with IP address
  • During the period of this analysis, the websites were observed to go inactive after being active for a few days.
  • The table below contains the full list of fake domains uncovered as a part of the investigation.
Fake Domain Date of Creation
pnu-sd[.]com 25 July 2022
ad-sds-tra[.]com 21 September 2022
sd-tra-s[.]com 19 September 2022
saudi-sds[.]com 18 September 2022
ab-absher[.]com 22 May 2022
a-absher-sds-sd[.]com 19 September 2022
drivin-sds[.]com 13 September 2022
a-absher-sd[.]com 31 August 2022
s-sds-absher-sd[.]com 10 September 2022
sd-sds-absher-sa[.]com 09 September 2022
sds-sd-absher-sa[.]com 08 September 2022
asd-absher[.]com 07 September 2022
drivings-ds[.]com 06 September 2022
drivings-sds[.]com 05 September 2022
school-ads-sa[.]com 01 September 2022
sds-registers[.]com 21 August 2022
sds-tra-s[.]com 17 August 2022
sds-absher-s[.]com 17 August 2022
sd-tra-a[.]com 16 August 2022
sd-absher-a[.]com 16 August 2022

Impact and Mitigation

Impact Mitigation
  • Compromised banking credentials and PII information could lead to targeted scams against the victims, financial loss, etc.
  • Compromised domain login credentials can lead to account takeovers.
  • Obtained OTP possibly used to bypass multifactor authentication.
  • Government organizations should monitor phishing campaigns targeting citizens.
  • Awareness campaigns should be conducted to inform and educate citizens.
  • Avoid clicking on suspicious links.



[caption id="attachment_21205" align="alignnone" width="705"]Snippet of an article by warning people about the phishing SMS Snippet of an article by warning people about the phishing SMS[/caption]   [caption id="attachment_21207" align="alignnone" width="1365"]Fake Absher portal login page Fake Absher portal login page[/caption] [caption id="attachment_21208" align="alignnone" width="1365"]Victims required to divulge PII details Victims required to divulge PII details[/caption]   [caption id="attachment_21209" align="alignnone" width="1365"]Victim prompted to select a bank account Victim prompted to select a bank account[/caption]   [caption id="attachment_21210" align="alignnone" width="1365"]Fake bank portal login page Fake bank portal login page[/caption]    

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations