Cyberattackers have compromised a Pakistani Government website, allowing them to log the keystrokes of visitors entering sensitive information into a passport application site.

Using a reconnaissance tool known as Scanbox Frameware, the unknown attackers are able to “clearly see” the username and password that passport applicants use to monitor their application.

This then allows them to log into a passport application stored on the site and view all of the personal information entered, such as name, address and phone number.

The website, tracking.dgip.gov[.]pk, is a subdomain of the Directorate General of Immigration & Passport of the Pakistani government.

Infosecurity firm Trustwave first detected the breach on the government website on 2 March 2019, with the Chicago-based firm’s vice president of security research Ziv Mador telling Verdict that it appears to be a sophisticated group that is collecting details.

“So basically the attackers will be able now to log in as those users and get access to whatever information exists there,” explained Mador.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Trustwave says it knows “with certainty” that Scanbox collected information on “at least 70 unique site visitors” in one day alone.

Return of Scanbox

Scanbox Framework was first mentioned in 2014 and has since been linked to several advanced hacking groups, such as Stone Panda and Lucky Mouse.

It has often been used in a watering hole attack, in which attackers use Scanbox to gather information for a future, more sophisticated attack tailored to individuals.

Sandbox also scans the victim’s computer for security products, so that it can stay ahead of cyber defences, as well as plugins.

“All that is very handy information for the next step, which is most likely develop some malware and exploit to infect that computer and install malware in a very stealthy way,” said Mador.

He added that it’s impossible to say with certainty what the exact motive of the attacker is, but the attack could be “politically motivated”.

That’s because of the type of data being collected – passport application data for people intending to leave or enter Pakistan.

“That might indicate what the attacker is after, perhaps they have someone in mind they want to get hold off – but here on it’s just speculation,” said Mador.

“It’s concerning that by compromising those websites they can get information about people who apply for a passport or people who plan to travel and from there they can build a plan to target them one way or another.”

Spotting researchers

The attackers can also scan a computer for VMware, a way to “easily” spot research computers.

The Scanbox server stopped responding after Trustwave embarked on a deeper investigation, perhaps because the attackers detected suspicious signs.

“Once again this indicates the sophistication of this group, the fact that they really want to stay stealthy.”

Pakistani government site — Location of victims. Credit: Trustwave

Pakistani passport site hack shows trend for targeting government websites

It follows a cyberattack on the Bangladesh embassy in Cairo website discovered by Trustwave last month, in which visitors were prompted to download a malicious document.

However, the attackers then were financially motivated, installing cryptomining software onto a victim’s device.

At the time, Mador told Verdict that the “sloppy” attack was perhaps the “testbed for something bigger”.

“Here, it’s very different,” he said, speaking of the Pakistani government website compromise. “It’s a stealthy attack, they are specifically looking for credentials of people, they collect information about their computer so they can take the next step in a stealthy way.

“They don’t try to install any financially driven malware like cryptominer or ransomware. The motive here is most likely very different.”

The only connecting theme is that they are both government websites, which “may indicate that even sensitive government sites are not properly protected”.

Trustwave said it made multiple attempts to inform the Pakistani government website, but received “basically no response”.

Trustwave was the only software able to detect the Pakistani passport website compromise.