A phishing campaign discovered in July that saw threat actors impersonating the Ministry of Human Resources of the UAE government may be more significant in scale than previously believed.
The findings come from security researchers at CloudSEK, who published a new advisory about the threat earlier today.
The technical write-up says the company has discovered an additional cluster of phishing domains, registered using naming schemes similar to the July ones, that target contractors in the UAE with vendor registration, contract bidding and other types of lures.
“The threat actors behind this campaign are strategically buying/registering domains with keywords similar to the victim domains and are targeting multiple industries, such as travel and tourism, oil & gas, real estate, and investment across the Middle East,” the advisory reads.
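The registration pattern the advisory describes, domains that embed a target's brand name or sit an edit or two away from it, is something a defender can screen for in mail logs or newly observed sender domains. The script below is an added example and is not CloudSEK's tooling or anything quoted in the article; the protected-domain list, the lure keywords, the scoring weights and every candidate domain are constructed (all use reserved suffixes such as `.example` and `.invalid`, and the real campaign domains are not in the article).

```python
"""Added example (not from CloudSEK or the article): flag sender domains that
look like a protected brand domain, the registration pattern the advisory
describes. All domains below are constructed samples on reserved suffixes."""
from __future__ import annotations

from difflib import SequenceMatcher

# Hypothetical list of domains a defender wants to protect (assumption).
PROTECTED = ["adnoc.example", "enoc.example", "snoc.example", "mohre.example"]

# Lure themes named in the advisory (vendor registration, bidding, jobs,
# investment); used only to raise the score of an already suspicious label.
LURE_WORDS = ("vendor", "registration", "bid", "tender", "contract",
              "career", "job", "invest")


def registrable_label(domain: str) -> str:
    """Return the label left of the suffix ('adnoc' from 'mail.adnoc.example').
    Assumes a single-label suffix; production code would consult the
    Public Suffix List instead."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score(candidate: str, protected: str) -> tuple[int, list[str]]:
    """Score how closely a candidate imitates one protected domain.
    Returns (score, reasons); 0 for the brand's own domain or its subdomains."""
    cand, prot = candidate.lower(), protected.lower()
    if cand == prot or cand.endswith("." + prot):
        return 0, []
    c_label, p_label = registrable_label(cand), registrable_label(prot)
    s, reasons = 0, []
    if c_label == p_label:                       # same label, different suffix
        s += 60
        reasons.append("same label under a different suffix")
    elif p_label in c_label:                     # brand token embedded in label
        s += 50
        reasons.append(f"contains brand token '{p_label}'")
    else:                                        # near miss, e.g. a swapped glyph
        ratio = SequenceMatcher(None, c_label, p_label).ratio()
        if ratio >= 0.8:
            s += 50
            reasons.append(f"label similarity {ratio:.2f}")
    hits = [w for w in LURE_WORDS if w in c_label]
    if hits and s:
        s += 10 * len(hits)
        reasons.append("lure words " + ",".join(hits))
    return s, reasons


def classify(candidates, protected=PROTECTED, threshold=50):
    """Return {domain: (best_match, score, reasons)} for candidates scoring
    at or above the threshold against any protected domain."""
    flagged = {}
    for cand in candidates:
        (s, reasons), best = max(((score(cand, p), p) for p in protected),
                                 key=lambda t: t[0][0])
        if s >= threshold:
            flagged[cand] = (best, s, reasons)
    return flagged


# Constructed sample of sender domains, as they might appear in a mail log.
SAMPLE_SENDERS = [
    "adnoc.example",                      # the brand itself: must not be flagged
    "mail.adnoc.example",                 # legitimate subdomain
    "adnoc-vendor-registration.example",  # brand token plus lure words
    "enoc.invalid",                       # same label under another suffix
    "snoc-bidding.example",               # brand token plus bidding lure
    "adn0c.example",                      # digit zero for the letter o
    "weather.example",                    # unrelated domain
]

if __name__ == "__main__":
    for domain, (match, s, why) in classify(SAMPLE_SENDERS).items():
        print(f"{domain:36} -> {match:14} score={s:3}  {'; '.join(why)}")
```

Flagged domains are a triage queue, not a verdict: the next step a defender would take is a WHOIS age check and an MX lookup, since the advisory notes that some of the campaign's domains had nothing but a mail server behind them.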
The company also warned that it spotted several scams being used to lure users.
“Apart from vendor registration and contract bidding, they also use fake job offers and investment opportunities to hoodwink victims.”
Of all the domains unearthed by CloudSEK, some only had an email server enabled, while others had set up websites to trick the users into thinking they were legitimate businesses.
“Some scam domains redirect to legitimate domains to trick victims into trusting the phishing emails,” CloudSEK explained. “The campaign is resilient to takedowns or hosting bans as it uses pre-stored static web pages with similar templates. These are uploaded from one domain to another in case of a ban.”
The company said it analyzed 35 phishing domains, of which 90% targeted Abu Dhabi National Oil Company (ADNOC), Sharjah National Oil Corporation (SNOC) and Emirates National Oil Company (ENOC) and were hosted in North America.
“This preference is because there are several affordable providers in that region to choose from,” CloudSEK wrote. “Moreover, the service providers take time to process takedown requests.”
From a technical standpoint, the security company said business email compromise (BEC) offers attackers a favourable cost-to-benefit ratio, as it needs none of the complex infrastructure a malware campaign requires.
“A domain name with an email server, and that from a third party, is sufficient to conduct these attacks.”
Pursuing these attackers legally can obstruct their operations, CloudSEK said, but this is a challenging task considering that some domain name providers may be in one country while mail servers are in another.
“Thus, the best solution would be to take preventive measures to avoid them from happening in the first place, like training the employees regarding BEC scams and making multi-level authentication and identification mechanisms for payments.”
The CloudSEK advisory comes weeks after Abnormal discovered 92 malicious domains linked with the BEC group Crimson Kingsnake.