Since March 2019, hackers have been targeting the United Nations (UN) and a number of affiliated humanitarian aid organizations such as UNICEF, the UN Development Programme, and the UN World Food Programme with a sophisticated, mobile-centric phishing campaign. The details of the phishing scam were reported by cyber security firm Lookout, which has reported the situation to the targeted organizations and to law enforcement. This phishing campaign is yet more evidence that hackers are becoming increasingly sophisticated in how they carry out phishing attacks. The current speculation is that the unknown hackers might use all user credentials gathered during these UN attacks for a later business email compromise (BEC) attack involving UN aid organizations.
Details of the UN phishing campaign
Phishing emails sent from legitimate UN email addresses instruct recipients to go to a fake Microsoft Office 365 login page, which is used to harvest login credentials from users. These login credentials are then sent back to servers controlled by the hackers, giving them an opportunity to carry out even more of these attacks. The fake Microsoft Office 365 login page resembled a real login page, so even if users might have had hesitation about logging in originally, the hackers did such a good job replicating a real page that any user would be lulled into a false sense of security. When viewing the login on the phishing site, they might never guess that it hosted malware
There’s a lot to unpack here, primarily because the cyber criminals took particular pains to make this phishing scam look as legitimate as possible. For example, all phishing emails came from legitimate UN email addresses. And the malware used to carry out the attack was capable of detecting what type of a device a user was accessing, so as to deliver either a mobile- or desktop-based experience. For example, the malware detects if the page is being viewed on mobile, and then delivers mobile-specific content.
According to the Lookout researchers, the clear preference was for users deploying mobile devices, because many mobile web browsers will truncate long URLs to fit on a tiny screen – this makes it much easier for hackers to use phony URLs that resemble real URLs. In the past, says Lookout, phishing attacks targeting the United Nations used the same URLs used in this attack, so obfuscating phishing URLs by truncating them was one way to evade a potential IP network block. In addition, says Lookout, the Google Safe Browsing database did not have any record of these URLs, so users would not be shown any type of warning or alert that they were browsing on an unsafe page.
In addition, this phishing attack utilized an advanced keylogging tool, such that users did not actually have to hit the “login” button for the keystrokes to be recorded. If users completed only part of the login process (such as entering only a password but not a username), it still was able to log keystrokes and return the information in the password field to the hackers’ servers. Moreover, the keylogging tool could also detect if a user entered one password and then replaced it with another, as might be the case if a user forgot the original password.
And, finally, the phishing campaign hackers went the extra step of including SSL certificates for the phishing login pages. The SLL certificates had a range of validities, with one validity range of May 5, 2019 to August 3, 2019 and another validity range of June 5, 2019 to September 3, 2019. There is another range of validities that is set to expire by the end of the year (but that is still valid). Thus, users who might check to see if a security certificate were present on the page as a tip-off that the page was either real or fake would also be lulled into a false sense of security.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, comments on the cyber attacks: “These latest attacks targeting United Nations and global charity websites use TLS certificates to make malicious domains appear legitimate, and they take advantage of the implicit trust users have in the green padlock created by TLS certificates. Internet users have been trained to look for a green padlock when they visit websites, and bad actors are using SSL/TLS certificates to impersonate all kinds of organizations. This may appear sophisticated, but these kinds of phishing attacks are very common. For example, in 2017, security researchers uncovered over 15,000 certificates containing the word ‘PayPal’ that were being used in attacks. And in June, the FBI issued a warning stating that the green padlock on websites doesn’t mean the domain is trustworthy and safe from cyber criminals.”
Why the phishing campaign took place
A natural question to ask might be: Why would cyber attacks specifically search out humanitarian aid organizations, charities and the United Nations? It might make sense to target a huge multinational corporation, but going after an organization such as the U.S. Institute of Peace, the Heritage Foundation or the International Federation of the Red Cross and Red Crescent Societies would seem to make no sense at all, right? Even Lookout admits that the reason for carrying out the phishing campaign does not make a lot of sense on the surface.
However, one explanation for the phishing campaign might be that hackers were looking to hijack payments or carry out sophisticated BEC scams, in which emails from a legitimate email account are used to scam a victim into wiring funds into a third-party bank account controlled by the hackers. Since the UN and the other targeted organizations carry out massive, million-dollar relief programs, this might actually make a lot of sense.
Another, more insidious explanation for the phishing campaign, which has been live since March 2019, is that the hackers were working at the behest of a rogue nation-state. This nation-state, in turn, might be looking for details about pending UN investigations, or even worse, looking for names of whistleblowers that they can then track and harass in their home country. There might also be efforts to embarrass or harass top UN officials and their deputies as a result of the phishing attack.
Alexander García-Tobar, CEO and co-founder of Valimail, notes the growing sophistication of the hackers: “The latest phishing campaign targeting officials from the United Nations, UNICEF, Red Cross and other humanitarian aid organizations demonstrates how sophisticated and highly convincing phishing attacks have become. By using deviously coded phishing sites, hackers are attempting to steal login credentials and ultimately seek monetary gain or insider information.”
One major takeaway from this phishing campaign targeting organizations linked to the UN is that hackers are adopting a mobile-first mentality. This is a new twist on an old approach. As the Lookout researchers highlighted, this cyber attack had all the markings of a mobile-aware phishing campaign. We live in a “post-perimeter world,” says Lookout, in which the lines are blurring between personal networks and corporate networks, as well between the devices we use at home and the devices we use at work. Global cyber criminals are paying attention, and are fine-tuning their attacks to take this into account.