Waterholing campaign compromises four South Korean websites

News by Doug Olenick

Security researchers have come across a waterholing campaign that has compromised four South Korean websites by injecting fake login forms to steal user credentials.

Trend Micro described the campaign, which it named Soula, as a significant threat to enterprises and users and possibly the first step by a cyber-criminal group towards a bigger, worldwide campaign. The research firm found four websites into which JavaScript had been injected; how the injection was achieved was not stated, although unpatched vulnerabilities in the sites are a plausible route. Once loaded, the script overlays a fake login form on top of the legitimate page.

Making matters worse, one of the spoofed sites is one of South Korea’s most popular search engines.

The credentials entered into the fraudulent login screen are then sent to a collection server. The collection side is crude and does not yet handle the data in any accurate or complete way, which leads Trend Micro to believe this is still a research and development stage, building the environment for a larger scam.

The first compromised site was seen on March 14. The injected script first builds a profile of the visitor: it inspects the HTTP referrer (Referer) header for keywords related to popular search engines and social media sites, to check that the visitor is a real person arriving from a normal browsing path rather than a crawler, and then identifies the device and operating system. It stays in the background and does not load the spoofed login form until the user has visited the compromised site six times, a count it keeps in a cookie set on an earlier visit. The attackers also put Cloudflare in front of their domains to hide the real IP addresses of their servers.
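The visitor gating described above, as an added example that is not code from the article or from Trend Micro's report: a small JavaScript model of the referrer check and the cookie-based visit counter. Only the six-visit threshold and the referrer keyword idea come from the report; the cookie name, the keyword list and the User-Agent patterns are assumptions for illustration. Replaying it shows why a scanner or sandbox that arrives without a search-engine referrer, or that starts every visit with an empty cookie jar, never sees the fake form, which matters when trying to reproduce the injection from a captured page.

```javascript
// Added example, not code from the article or from Trend Micro's report.
// A pure-function model of the Soula visitor gating: check the referrer for
// search-engine/social-media keywords, count visits in a cookie, and only
// decide to show the overlay on the sixth visit.
// Assumed/illustrative (not in the article): cookie name, keyword list, UA patterns.

const VISIT_THRESHOLD = 6;            // article: form appears on the sixth visit
const COOKIE_NAME = "visit_count";    // hypothetical cookie name
const REFERRER_KEYWORDS = [           // illustrative keyword list
  "google", "naver", "daum", "bing", "facebook", "twitter", "instagram",
];

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const cookies = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) cookies[name] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// The "is this a real visitor" heuristic: did they arrive from a popular
// search engine or social network?
function referrerLooksHuman(referrer) {
  const r = (referrer || "").toLowerCase();
  return REFERRER_KEYWORDS.some((kw) => r.includes(kw));
}

// Coarse device/OS fingerprint from the User-Agent (illustrative patterns).
function profileDevice(userAgent) {
  const ua = userAgent || "";
  const mobile = /Android|iPhone|iPad/.test(ua);
  let os = "unknown";
  if (/Windows/.test(ua)) os = "windows";
  else if (/Android/.test(ua)) os = "android";
  else if (/iPhone|iPad|Mac OS X/.test(ua)) os = "apple";
  else if (/Linux/.test(ua)) os = "linux";
  return { mobile, os };
}

// One visit: read the counter, increment it, decide whether to show the form.
// Returns the decision plus the Set-Cookie value the page would emit.
function handleVisit({ referrer, cookieHeader, userAgent }) {
  const cookies = parseCookies(cookieHeader);
  const previous = parseInt(cookies[COOKIE_NAME], 10) || 0;
  const count = previous + 1;
  const showForm = referrerLooksHuman(referrer) && count >= VISIT_THRESHOLD;
  return {
    count,
    showForm,
    profile: profileDevice(userAgent),
    setCookie: `${COOKIE_NAME}=${count}; Path=/`,
  };
}

// Replay n visits, carrying the cookie forward like a real browser would.
// keepCookies=false models a scanner that starts each visit with a clean jar.
function simulateVisits(n, referrer, userAgent, keepCookies = true) {
  const results = [];
  let cookieHeader = "";
  for (let i = 0; i < n; i++) {
    const r = handleVisit({ referrer, cookieHeader, userAgent });
    results.push(r.showForm);
    if (keepCookies) cookieHeader = r.setCookie.split(";")[0];
  }
  return results;
}

// Example run with constructed inputs.
const UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/73.0";
console.log(simulateVisits(6, "https://www.google.com/search?q=test", UA));
// -> [false, false, false, false, false, true]
console.log(simulateVisits(6, "", UA));                                // direct visit: never shown
console.log(simulateVisits(6, "https://www.google.com/", UA, false));  // cookies dropped: never shown
```

When analysing a suspected copy of the script, replay the page with a search-engine Referer and a pre-seeded counter cookie; otherwise the overlay branch is never reached and the payload looks inert.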

Trend Micro believes the attackers are Chinese based on the language used in the code.

The attackers are also actively improving the malware: they have added obfuscation to the JavaScript and moved the scripts to a new server after Trend Micro notified Cloudflare of the situation. However, the attack can still be defeated if website operators keep to their patch schedules, closing the holes through which such scripts are injected, and companies add features such as 2FA wherever possible, so that a stolen password alone is not enough to log in.

Corin Imai, senior security advisor at Domaintools, emailed SC Media UK to comment: "By spoofing popular search engine websites, attackers adopted a strategy aimed at maximising the number of potential victims. Unfortunately, it is very hard to prevent campaigns such as Soula, since users tend to have their guard down when visiting popular, reputable websites, and are more easily tricked into providing their credentials because the familiarity of the page creates a sense of security. The red flag that should raise users’ concerns, however, is the pop-up page triggered by attackers: any unsolicited, unusual login request should be treated with the most caution.

"As a form of protection to all credential stealing campaigns, users should enable two-factor authentication wherever possible, and adopt a multi-layered defence system that can help to filter out malicious URLs and pop-ups."

The original version of this article was published on SC Media US.
