Cyberattackers have compromised a Pakistani Government website, allowing them to log the keystrokes of visitors entering sensitive information into a passport application site.
Using a reconnaissance tool known as Scanbox Frameware, the unknown attackers are able to “clearly see” the username and password that passport applicants use to monitor their application.
This then allows them to log into a passport application stored on the site and view all of the personal information entered, such as name, address and phone number.
The website, tracking.dgip.gov[.]pk, is a subdomain of the Directorate General of Immigration & Passport of the Pakistani government.
Infosecurity firm Trustwave first detected the breach on the government website on 2 March 2019, with the Chicago-based firm’s vice president of security research Ziv Mador telling Verdict that it appears to be a sophisticated group that is collecting details.
“So basically the attackers will be able now to log in as those users and get access to whatever information exists there,” explained Mador.
Trustwave says it knows “with certainty” that Scanbox collected information on “at least 70 unique site visitors” in one day alone.
Return of Scanbox
It has often been used in a watering hole attack, in which attackers use Scanbox to gather information for a future, more sophisticated attack tailored to individuals.
Sandbox also scans the victim’s computer for security products, so that it can stay ahead of cyber defences, as well as plugins.
“All that is very handy information for the next step, which is most likely develop some malware and exploit to infect that computer and install malware in a very stealthy way,” said Mador.
He added that it’s impossible to say with certainty what the exact motive of the attacker is, but the attack could be “politically motivated”.
That’s because of the type of data being collected – passport application data for people intending to leave or enter Pakistan.
“That might indicate what the attacker is after, perhaps they have someone in mind they want to get hold off – but here on it’s just speculation,” said Mador.
“It’s concerning that by compromising those websites they can get information about people who apply for a passport or people who plan to travel and from there they can build a plan to target them one way or another.”
The attackers can also scan a computer for VMware, a way to “easily” spot research computers.
The Scanbox server stopped responding after Trustwave embarked on a deeper investigation, perhaps because the attackers detected suspicious signs.
“Once again this indicates the sophistication of this group, the fact that they really want to stay stealthy.”
Pakistani passport site hack shows trend for targeting government websites
It follows a cyberattack on the Bangladesh embassy in Cairo website discovered by Trustwave last month, in which visitors were prompted to download a malicious document.
However, the attackers then were financially motivated, installing cryptomining software onto a victim’s device.
At the time, Mador told Verdict that the “sloppy” attack was perhaps the “testbed for something bigger”.
“Here, it’s very different,” he said, speaking of the Pakistani government website compromise. “It’s a stealthy attack, they are specifically looking for credentials of people, they collect information about their computer so they can take the next step in a stealthy way.
“They don’t try to install any financially driven malware like cryptominer or ransomware. The motive here is most likely very different.”
The only connecting theme is that they are both government websites, which “may indicate that even sensitive government sites are not properly protected”.
Trustwave said it made multiple attempts to inform the Pakistani government website, but received “basically no response”.
Trustwave was the only software able to detect the Pakistani passport website compromise.