Phishing Scam Masquerading as Korean Portal Login Page

AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of phishing files identical to Korean portal website login screens. Cases impersonating multiple Korean portal websites, logistics and shipping brands, and webmail login pages have been very common from the past.

* In the left/right comparison images used in this post, the left side shows the phishing page and the right side shows the normal page.

Figure 1. Phishing page (left) and normal Naver login page (right)
Figure 2. Phishing page (left) and normal Nate mail login page (right)

Figure 1 shows screenshots of the phishing page impersonating the Naver login page and the normal page, and Figure 2 shows the phishing HTML page distributed with the file name “doc003.shtml” and the normal Nate login page.

The phishing pages are almost indistinguishable from normal pages at first glance. Such similarity is due to the threat actor using the actual source code of the normal website to modify the address and method for sending ID and password, which allows them to steal the information entered by users. As shown in Figures 3 and 4 below, the ID of the phishing email recipient is already filled out, so users may unwittingly enter the password.

Figure 3. The code where the email value is filled out in the ID input field (Nate)
Figure 4. The code where the email value is filled out in the ID input field (Naver)

The threat actor also used NoCodeForm as a means to exfiltrate account credentials. NoCodeForm provides a method of transmitting the results sent in HTML format through the user’s email/Slack. When an account is created, a unique form-id is made. Using this form-id, one can receive the input values of an external user.

Figure 5. An overview of NoCodeForm

The threat actor changed the onsubmit event handler in the form tag of the normal website’s web source into the action property and utilized the NoCodeForm form-id as an address to deliver the exfiltrated account credentials. Internal tests revealed that the account credentials input by the user can be collected through the default form provided by NoCodeForm or email/Slack entered by the attacker (see Figure 6).

Figure 6. Result of the NoCodeForm test
Figure 7. NoCodeForm used for account credentials theft (Nate)
Figure 8. NoCodeForm used for account credentials theft (Naver)

In all phishing cases continuously being shared by ASEC, it is commonly recommended that users must not log in through attachments to emails from unknown sources. As shown in this case, the threat actor uses the actual source of normal websites, rendering the fake pages almost indistinguishable from the normal versions. Thus, users must not attempt to log in at all if the website is not accessed normally. If a login attempt was made, it is advised to change all related passwords immediately.

File Detection
Phishing/HTML.FakeLogin.SC199025 (2024.04.12.00)
Phishing/HTML.FakeLogin.SC199026 (2024.04.12.00)

IoC
[URLs]

hxxps://nocodeform[.]io/f/6612aaccf9a3a01ba8f6d979
hxxps://nocodeform[.]io/f/6605717e7bf0d35064f45348

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Phishing Case Under the Guise of Korean Portal Login Page appeared first on ASEC BLOG.