Several high-profile international organisations, including the UN, have fallen victim to an extensive spear-phishing campaign.
Researchers at IT security company Lookout, who discovered the campaign, identified that attackers had created fake Office 365 login pages to dupe employees into entering their login details.
In the sophisticated campaign, the attackers had the ability to “detect mobile devices and to log keystrokes directly as they are entered in the password field”, said Lookout. This means that even if a victim realised the page was not legitimate and abandoned the login, the attackers still had a record of whatever had been typed.
Researchers have said that the campaign has been ongoing since March 2019, with some of the malicious pages still live. The origin of the attack, be it nation state or financially motivated hackers, is currently unknown.
UN phishing attack “could have serious geopolitical ramifications”
According to Bleeping Computer, the organisations affected are the United Nations Development Programme, the Heritage Foundation, the International Federation of the Red Cross and Red Crescent Societies, and the United States Institute of Peace.
International non-profit and intergovernmental organisations are increasingly becoming targets for cybersecurity attacks. Commenting on this, Corin Imai, senior security advisor at DomainTools, explains that if an attacker got hold of any of the sensitive information these organisations hold, the consequences could be global:
“There can be few organisations on the planet with more to lose from a phishing attack than the United Nations. If a threat actor was successful in phishing an employee there, or at any of the other humanitarian organisations targeted, the data they potentially gained access to could have serious geopolitical ramifications, had it been stolen. Every organisation should take cybersecurity training seriously, but it is of exceptional importance that global governing bodies such as the UN provide rigorous training for employees.”
Lookout has highlighted that the “mobile-aware component” of the UN phishing attack campaign is evidence that this is an area that cybercriminals are increasingly targeting, and one that is often overlooked by organisations, especially those with ‘bring your own device’ policies.
Another element of the UN phishing attack was that attackers used SSL and TLS certificates to avoid alerting users, making the fake login pages appear legitimate.
Kevin Bocek, VP security strategy & threat intelligence at Venafi, believes that the UN phishing attack demonstrates that a page with a TLS certificate should not be implicitly trusted:
“These latest attacks targeting United Nations and global charity websites use TLS certificates to make malicious domains appear legitimate; they take advantage of the implicit trust users have in the green padlock created by TLS certificates. Internet users have been trained to look for a green padlock when they visit websites, and bad actors are using SSL/TLS certificates to impersonate all kinds of organisations.
“This may appear sophisticated, but these kinds of phishing attacks are very common. For example, in 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. And in June, the FBI issued a warning stating that the green padlock on websites doesn’t mean the domain is trustworthy and safe from cyber criminals.”
He believes that organisations should do more to identify fraudulent certificates:
“In order to protect businesses and users, security teams must identify all the legitimate TLS certificates on their own networks. They also need to identify fraudulent certificates issued by attackers that are being used to impersonate their organisation. Technologies like certificate transparency and certificate reputation can definitely help, but as the number of certificates issued every day continues to skyrocket, more help is definitely needed.”
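Bocek's point that certificate transparency can help a security team find certificates impersonating its organisation can be made concrete. The following is an added example written for this article, not code from Lookout, Venafi or DomainTools: it triages a constructed list of Certificate Transparency (CT) log entries for a hypothetical protected domain (reliefworks.org), flagging certificates for the organisation's own subdomains that come from an issuer it does not use, and lookalike registrable domains (other TLD, the brand embedded in another name, confusable characters, one-edit typos). The entry field names, the issuer allow-list and every sample name are assumptions made for the example.

```python
"""Triage Certificate Transparency entries for certificates that impersonate
an organisation's domain.  Added example code; the protected domain, issuer
allow-list and CT entries below are all constructed / hypothetical."""

ORG_DOMAIN = "reliefworks.org"             # hypothetical protected domain
ORG_LABEL = ORG_DOMAIN.split(".")[0]       # "reliefworks"
EXPECTED_ISSUERS = {"Example CA R3"}        # hypothetical: CAs the org actually uses

# Constructed CT entries; field names were chosen for this example and only
# loosely follow what CT log search services return.
SAMPLE_CT_ENTRIES = [
    {"id": 1, "name": "www.reliefworks.org",     "issuer": "Example CA R3"},
    {"id": 2, "name": "mail.reliefworks.org",    "issuer": "Other CA X1"},
    {"id": 3, "name": "reliefworks-login.com",   "issuer": "Other CA X1"},
    {"id": 4, "name": "re1iefworks.org",         "issuer": "Other CA X1"},
    {"id": 5, "name": "releifworks.org",         "issuer": "Other CA X1"},
    {"id": 6, "name": "portal.otherorg.example", "issuer": "Other CA X1"},
    {"id": 7, "name": "reliefworks.net",         "issuer": "Other CA X1"},
]

# Character sequences commonly swapped for visually similar ones; multi-char
# keys are listed first so they are folded before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]


def skeleton(label: str) -> str:
    """Fold confusable sequences, e.g. 're1iefworks' -> 'reliefworks'."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'releifworks' is one step from 'reliefworks'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def registrable_domain(name: str) -> str:
    """Naive 'last two labels' registrable domain.  Real deployments should
    use the Public Suffix List instead (co.uk etc. break this shortcut)."""
    return ".".join(name.split(".")[-2:])


def classify(name: str, issuer: str) -> str:
    """Return a verdict string for one certificate name."""
    name = name.lower().strip()
    if name.startswith("*."):            # wildcard certs cover the base name
        name = name[2:]
    if name == ORG_DOMAIN or name.endswith("." + ORG_DOMAIN):
        # Our own domain: fine if a CA we use issued it, otherwise investigate.
        return "legitimate" if issuer in EXPECTED_ISSUERS else "unexpected-issuer"
    label = registrable_domain(name).split(".")[0]
    if label == ORG_LABEL:
        return "lookalike:other-tld"
    if ORG_LABEL in label:
        return "lookalike:embedded"
    if skeleton(label) == ORG_LABEL:
        return "lookalike:confusable"
    if osa_distance(label, ORG_LABEL) <= 1:
        return "lookalike:typo"
    return "unrelated"


def findings(entries):
    """Entries worth a human look: anything not clearly ours or clearly unrelated."""
    out = []
    for e in entries:
        verdict = classify(e["name"], e["issuer"])
        if verdict not in ("legitimate", "unrelated"):
            out.append({"id": e["id"], "name": e["name"], "verdict": verdict})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_CT_ENTRIES):
        print(f"{f['id']:>3}  {f['name']:<28} {f['verdict']}")
```

In practice the entries would come from a CT log monitor or a log search service rather than the constructed list above, internationalised names would be decoded from punycode before the label checks, and `registrable_domain` would be replaced by a Public Suffix List lookup; the verdicts are triage hints for a human, not proof that a certificate is fraudulent.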