A phishing campaign discovered in July which has seen threat actors impersonating the UAE government’s Human Resources Department may be bigger than previously thought.
The findings come from security researchers at CloudSEK, who released a new threat advisory earlier today.
The advisory says the company has uncovered an additional group of phishing domains, registered using naming schemes similar to those seen in July, that target contractors in the UAE with vendor registration, tenders and other types of lures.
“Threat actors behind this campaign are strategically buying/registering domains with similar keywords to the victim domains and targeting multiple industries, such as travel and tourism, oil and gas, real estate and investment in the Middle East,” the notice read.
The company also warned that it had spotted several scams used to lure users.
“Besides registering vendors and bidding, they also use fake job offers and fake investment opportunities to deceive victims.”
Of all the domains brought to light by CloudSEK, some only had an email server enabled, while others had created websites to trick users into thinking they were legitimate businesses.
“Some fraudulent domains redirect to legitimate domains to trick victims into trusting phishing emails,” CloudSEK explained. “The campaign is resistant to takedowns or hosting bans because it uses pre-registered static web pages with similar templates. These are downloaded from one domain to another in the event of a ban.”
The company said it analyzed 35 phishing domains, 90% of which targeted Abu Dhabi National Oil Company (ADNOC), Sharjah National Oil Corporation (SNOC) and Emirates National Oil Company (ENOC) and were hosted in North America.
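The campaign described above relies on domains that carry a target brand's keyword plus a lure word (vendor, tender, job, investment), or that are close misspellings of the brand. A defender can triage a feed of newly registered domains against a brand watchlist with a few lines of Python. The script below is an added example, not CloudSEK's tooling or anything from the advisory: the brand keywords are taken from the organisations named in the article, the lure terms from the lures it lists, and the "newly registered" domains and the character-substitution table are constructed sample data; the suffix handling is a deliberate simplification rather than a public-suffix-list lookup.

```python
"""Flag newly registered domains that resemble watchlisted brands.

Added example (not from the CloudSEK advisory). All domains below are
constructed sample data under the reserved .example TLD.
"""
from difflib import SequenceMatcher

# Brand keywords from the organisations the article names as targets.
BRAND_KEYWORDS = ["adnoc", "enoc", "snoc"]

# Lure words matching the lures the article describes: vendor registration,
# tenders/bidding, fake job offers and fake investment opportunities.
LURE_TERMS = ["vendor", "tender", "bid", "procure", "career", "job", "invest"]

# Digit-for-letter swaps and separators commonly seen in lookalike names
# (assumed list, extend as needed).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                               "-": "", "_": ""})

# Constructed feed of "newly registered" domains for the demonstration.
SAMPLE_DOMAINS = [
    "adnoc-vendor-registration.example",  # brand keyword + lure word
    "en0c-tenders.example",               # digit substitution + lure word
    "addnoc.example",                     # typo-squat, no keyword hit
    "weather-report.example",             # benign
    "invoices.example",                   # benign
]


def registrable_label(domain: str) -> str:
    """Return the label left of the suffix.

    Simplification: treats a second-level suffix such as .com.ae / .co.uk as
    three labels and everything else as two; a real tool should consult the
    public suffix list.
    """
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "net", "org", "ac", "gov"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Undo common digit/separator tricks before comparing to brands."""
    return label.translate(SUBSTITUTIONS)


def classify(domain: str, threshold: float = 0.8):
    """Return a finding dict if the domain resembles a brand, else None.

    A brand keyword embedded in the label is a direct hit; otherwise the whole
    label is compared to each brand to catch misspellings such as 'addnoc'.
    """
    label = normalise(registrable_label(domain))
    lures = [t for t in LURE_TERMS if t in label]
    for brand in BRAND_KEYWORDS:
        if brand in label:
            return {"domain": domain, "brand": brand, "reason": "keyword", "lures": lures}
    best = max(BRAND_KEYWORDS, key=lambda b: SequenceMatcher(None, label, b).ratio())
    ratio = SequenceMatcher(None, label, best).ratio()
    if ratio >= threshold:
        return {"domain": domain, "brand": best,
                "reason": f"similar ({ratio:.2f})", "lures": lures}
    return None


def triage(domains):
    """Classify a feed and order findings: keyword hits first, then by number
    of lure words, since brand + lure is the pattern the article describes."""
    findings = [f for f in (classify(d) for d in domains) if f]
    findings.sort(key=lambda f: (f["reason"] != "keyword", -len(f["lures"])))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DOMAINS):
        print(f"{finding['domain']:<36} brand={finding['brand']:<6} "
              f"reason={finding['reason']:<15} lures={finding['lures']}")
```

Findings from a script like this are a starting point for investigation, not a verdict: the next checks a practitioner would run on each hit are whether the domain has only an MX record or also serves a site, and whether that site redirects to the legitimate brand, both behaviours the advisory attributes to this campaign.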
“This preference is due to the fact that there are several affordable providers in this region to choose from,” CloudSEK wrote. “Also, service providers take time to process withdrawal requests.”
From a technical perspective, the security firm said the cost-benefit ratio of a business email compromise (BEC) is high because there is no need for complex infrastructure as in the case of a malware campaign.
“A domain name with a mail server, and that of a third party, is sufficient to carry out these attacks.”
Prosecuting these attackers legally can hamper their operations, CloudSEK said, but it’s a difficult task given that some domain name providers may be in one country while mail servers are in another.
“So the best solution would be to take preventative measures to prevent them from happening in the first place, like training employees on BEC scams and having multi-level authentication and identification mechanisms in place for payments.”
CloudSEK's advisory comes weeks after Abnormal discovered 92 malicious domains linked to the BEC group Crimson Kingsnake.