Security researchers at Trend Micro have identified a watering-hole (waterholing) campaign, dubbed Soula, that compromised four South Korean websites by injecting fake login forms to steal user credentials.
Making matters worse, the login page being spoofed belongs to one of South Korea's most popular search engines.
The credentials entered into the fraudulent login screen are sent to a collection server, but the server is not yet receiving accurate data, which leads Trend Micro to believe the campaign is still in a research-and-development phase that sets the stage for a larger scam.
The first compromised site was seen on March 14. The injected script first profiles the visitor: it scans the HTTP Referer header and checks whether it contains keywords related to popular search engines and social media sites, a test meant to confirm that the visitor is a real person who arrived from a legitimate source rather than an automated visitor, and it then identifies the device and operating system. The script stays dormant and does not load the spoofed login form until the visitor has viewed the compromised site six times, a count it keeps in a cookie it set on earlier visits. The attackers also placed their domains behind Cloudflare to hide the real IP addresses of their servers.
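The visitor gating described above, reconstructed as an added example in JavaScript; this is not the campaign's own script, which the article does not reproduce. The keyword list, the cookie name, the user-agent heuristics and the sample inputs are assumptions made for illustration; the only details taken from the article are the Referer keyword check, the device and OS profiling, and the lure appearing on the sixth visit counted via a cookie. Browser objects (document.referrer, navigator.userAgent, document.cookie) are passed in as plain strings so the logic runs offline under Node.js.

```javascript
// Reconstruction of the Soula water-hole gating logic (added example, not
// the campaign's code). Keyword list, cookie name and UA heuristics are
// assumptions; the sixth-visit threshold and the Referer check come from
// the article.
const REFERRER_KEYWORDS = ['google', 'naver', 'daum', 'facebook', 'twitter']; // assumed
const COOKIE_NAME = 'visits';   // assumed cookie name
const VISIT_THRESHOLD = 6;      // lure is shown on the sixth visit

// Parse a Cookie header string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// The article's "is this visitor real" test: the Referer string must
// contain a keyword tied to a popular search engine or social network.
function referrerLooksReal(referrer) {
  const r = (referrer || '').toLowerCase();
  return REFERRER_KEYWORDS.some((k) => r.includes(k));
}

// Coarse device/OS profiling from the User-Agent (assumed heuristics).
function profileDevice(userAgent) {
  const ua = (userAgent || '').toLowerCase();
  let os = 'other';
  if (/iphone|ipad/.test(ua)) os = 'ios';
  else if (/android/.test(ua)) os = 'android';
  else if (/windows/.test(ua)) os = 'windows';
  else if (/mac os/.test(ua)) os = 'macos';
  else if (/linux/.test(ua)) os = 'linux';
  const mobile = os === 'ios' || os === 'android' || /mobile/.test(ua);
  return { os, mobile };
}

// One page view. Returns whether the fake login form would be injected and
// the Set-Cookie value the script would write to remember the visit count.
function gateVisit({ referrer, userAgent, cookie }) {
  const profile = profileDevice(userAgent);
  if (!referrerLooksReal(referrer)) {
    // Not arrived from a search engine or social site: stay dormant and do
    // not even touch the counter, so a one-off crawl leaves no trace.
    return { showLure: false, profile, visits: 0, setCookie: null };
  }
  const visits = parseInt(parseCookies(cookie || '')[COOKIE_NAME] || '0', 10) + 1;
  return {
    showLure: visits >= VISIT_THRESHOLD,
    profile,
    visits,
    setCookie: `${COOKIE_NAME}=${visits}`,
  };
}

// Replay `count` visits from the same client, carrying the cookie forward,
// and report on which visits the lure would have appeared.
function simulateVisits({ referrer, userAgent, count }) {
  let cookie = '';
  const shown = [];
  for (let i = 0; i < count; i++) {
    const r = gateVisit({ referrer, userAgent, cookie });
    if (r.setCookie) cookie = r.setCookie;
    shown.push(r.showLure);
  }
  return shown;
}

// Constructed sample clients: a returning user from a search engine, and a
// single-shot scanner with no Referer.
console.log('returning user:', simulateVisits({
  referrer: 'https://www.google.com/search?q=news',
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
  count: 7,
}));
console.log('scanner:', simulateVisits({ referrer: '', userAgent: 'curl/8.0', count: 7 }));
```

The practical consequence for anyone trying to confirm an infection is the second simulation: a URL scanner or sandbox that fetches the page once, with no Referer, never triggers the lure and never even receives the counter cookie. To reproduce the injection, replay the request with a Referer matching one of the keywords and the counter cookie already at the threshold minus one.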
Trend Micro attributes the campaign to Chinese-speaking attackers, based on the language used in the code.
Corin Imai, senior security advisor at Domaintools, emailed SC Media UK to comment: "By spoofing popular search engine websites, attackers adopted a strategy aimed at maximising the number of potential victims. Unfortunately, it is very hard to prevent campaigns such as Soula, since users tend to have their guard down when visiting popular, reputable websites, and are more easily tricked into providing their credentials because the familiarity of the page creates a sense of security. The red flag that should raise users’ concerns, however, is the pop-up page triggered by attackers: any unsolicited, unusual login request should be treated with the most caution.
"As a form of protection to all credential stealing campaigns, users should enable two-factor authentication wherever possible, and adopt a multi-layered defence system that can help to filter out malicious URLs and pop-ups."
The original version of this article was published on SC Media US.