Phishing Campaign Targeting the Saudi Government Service Portal, Absher

Summary

Multiple phishing domains impersonating Absher, the Saudi government service portal. Domains provide fake services to the citizens and steal their credentials.
 
Category: Adversary Intelligence
Industry: Government
Region: Middle East
Source*: A1

Executive Summary

Threat
  • Multiple phishing domains impersonating Absher, the Saudi government service portal.
  • Domains provide fake services to the citizens and steal their credentials.
Impact
  • Citizens' PII and banking credentials compromised.
  • Domain login credentials compromised.
  • Obtained OTP possibly used for MFA bypass.
Mitigation
  • Identify and report domains impersonating an organization.
  • Avoid clicking on suspicious links.
  • Detect and block phishing domains.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil identified a phishing website a-absher-sd[.]com imitating the legitimate domain of the Saudi Government Portal, Absher.
  • Absher is an application and web portal developed by the Saudi Ministry of Interior and used by citizens and residents of Saudi Arabia to access various government services such as applying for jobs and Hajj permits, updating passport information, reporting electronic crimes, etc.
[Figure: Phishing domain a-absher-sd[.]com]

Modus Operandi

  • The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal.
  • The phishing website presents users with a fake login portal, compromising the login credentials.
  • After the “login”, a popup appears prompting for a 4-digit OTP sent to the registered mobile number, which is possibly being used to bypass multifactor authentication on the legitimate Absher Portal.
  • Any 4-digit number is accepted as an OTP without verification and the victim successfully logs in to the fake portal.
  • The user is then asked to fill in a “registration” form, divulging sensitive PII.
  • Once the registration is completed, the user is redirected to a new page where they are prompted to choose a bank and are directed to a fake bank login portal.
  • After the internet banking login details are submitted, a loading icon appears and the page hangs, while the user's banking credentials have already been compromised. (For more information refer to the Appendix section.)

Information from OSINT

  • Government services in the Saudi region have been a prime target for cybercriminals to compromise user credentials and use them to conduct further cyberattacks.
  • Multiple phishing domains have been registered to gain the PII of individuals in Saudi Arabia.
  • A deep-dive analysis of the fake domain (a-absher-sd[.]com) exposed a full-fledged campaign, where the threat actors were impersonating the Saudi Ministry of Interior.
  • Multiple phishing domains were found to be operating on the same server with IP address 167.235.248.127.
  • During the period of this analysis, the websites were observed to go inactive after being active for a few days.
  • The table below contains the full list of fake domains uncovered as part of the investigation.
Fake Domain               Date of Creation
pnu-sd[.]com              25 July 2022
ad-sds-tra[.]com          21 September 2022
sd-tra-s[.]com            19 September 2022
saudi-sds[.]com           18 September 2022
ab-absher[.]com           22 May 2022
a-absher-sds-sd[.]com     19 September 2022
drivin-sds[.]com          13 September 2022
a-absher-sd[.]com         31 August 2022
s-sds-absher-sd[.]com     10 September 2022
sd-sds-absher-sa[.]com    09 September 2022
sds-sd-absher-sa[.]com    08 September 2022
asd-absher[.]com          07 September 2022
drivings-ds[.]com         06 September 2022
drivings-sds[.]com        05 September 2022
school-ads-sa[.]com       01 September 2022
sds-registers[.]com       21 August 2022
sds-tra-s[.]com           17 August 2022
sds-absher-s[.]com        17 August 2022
sd-tra-a[.]com            16 August 2022
sd-absher-a[.]com         16 August 2022
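The indicators above (the twenty domains and the shared hosting IP 167.235.248.127) are most useful when they are actually matched against resolver or proxy telemetry. The script below is an added example, not part of the CloudSEK report: it refangs the report's domain list, classifies a queried name as a known IoC, a brand lookalike (carries "absher" but is not under the genuine portal's domain), or unknown, and runs that logic over a handful of constructed DNS log lines. It assumes the legitimate portal is served under absher.sa, and the log line format, the client IPs and the domain absher-update.net are constructed for illustration; only the domains in the IOC set and the IP come from the report.

```python
import re

# Domains from the report's table (defanged there as name[.]com), refanged here.
IOC_DOMAINS = {
    "pnu-sd.com", "ad-sds-tra.com", "sd-tra-s.com", "saudi-sds.com",
    "ab-absher.com", "a-absher-sds-sd.com", "drivin-sds.com", "a-absher-sd.com",
    "s-sds-absher-sd.com", "sd-sds-absher-sa.com", "sds-sd-absher-sa.com",
    "asd-absher.com", "drivings-ds.com", "drivings-sds.com", "school-ads-sa.com",
    "sds-registers.com", "sds-tra-s.com", "sds-absher-s.com", "sd-tra-a.com",
    "sd-absher-a.com",
}
# Server the fake domains were observed sharing, per the report.
IOC_IPS = {"167.235.248.127"}
# Assumption: the genuine Absher portal lives under this domain.
LEGIT_DOMAIN = "absher.sa"
BRAND_TOKEN = "absher"

# Constructed log format: timestamp, client, queried name, answered address.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+answer=(?P<answer>\S+)$"
)


def refang(name):
    """Turn a defanged name like a-absher-sd[.]com into a normal lowercase FQDN."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


def registrable(domain):
    """Naive registrable domain: last two labels (no public-suffix list needed for .com/.sa here)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def classify_domain(name):
    """Return 'legitimate', 'ioc', 'lookalike' or 'unknown' for a queried name."""
    d = refang(name)
    if d == LEGIT_DOMAIN or d.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    if registrable(d) in IOC_DOMAINS:
        return "ioc"
    if BRAND_TOKEN in d:
        return "lookalike"  # brand abuse not yet on the IoC list; worth a second look
    return "unknown"


def scan_dns_log(lines):
    """Return (client, query, reasons) for every line that matches a domain or IP indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        query, answer = m.group("query"), m.group("answer")
        reasons = []
        verdict = classify_domain(query)
        if verdict in ("ioc", "lookalike"):
            reasons.append(verdict)
        if answer in IOC_IPS:
            reasons.append("ioc-ip")  # resolves to the campaign's shared server
        if reasons:
            hits.append((m.group("client"), refang(query), tuple(reasons)))
    return hits


# Constructed sample: one IoC domain, the genuine portal, a constructed lookalike,
# an unrelated name resolving to the IoC IP, and a second IoC domain.
SAMPLE_LOG = [
    "2022-09-19T10:01:22Z client=10.0.0.5 query=a-absher-sd.com answer=167.235.248.127",
    "2022-09-19T10:01:30Z client=10.0.0.5 query=www.absher.sa answer=203.0.113.10",
    "2022-09-19T10:02:05Z client=10.0.0.9 query=absher-update.net answer=198.51.100.7",
    "2022-09-19T10:02:41Z client=10.0.0.12 query=example.org answer=167.235.248.127",
    "2022-09-19T10:03:00Z client=10.0.0.12 query=drivings-sds.com answer=198.51.100.8",
]

if __name__ == "__main__":
    for client, query, reasons in scan_dns_log(SAMPLE_LOG):
        print(f"{client} -> {query}: {', '.join(reasons)}")
```

The IP match is deliberately kept separate from the domain match: the report notes the fake sites went dormant after a few days, so new domains parked on the same server would be missed by a name-only block list but still surface through the resolved address. In production the naive `registrable()` helper should be replaced by a public-suffix-list lookup so that names under multi-label suffixes (for example `.com.sa`) are handled correctly.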

Impact and Mitigation

Impact
  • Compromised banking credentials and PII could lead to targeted scams against the victims, financial loss, etc.
  • Compromised domain login credentials can lead to account takeovers.
  • Obtained OTP possibly used to bypass multifactor authentication.
Mitigation
  • Government organizations should monitor phishing campaigns targeting citizens.
  • Awareness campaigns should be conducted to inform and educate citizens.
  • Avoid clicking on suspicious links.

Appendix

[Figure: Snippet of an article by urdunews.com warning people about the phishing SMS]

[Figure: Fake Absher portal login page]

[Figure: Victims required to divulge PII details]

[Figure: Victim prompted to select a bank account]

[Figure: Fake bank portal login page]
