Web Page Disguised as a Naver Login Page – ASEC BLOG

ASEC reports that attackers are leveraging a Gnuboard 4-based site to host fake Kakao and Naver login pages aimed at credential theft. Attribution points to the Kimsuky group, noting deceptive links and autocompletion behavior designed to trap users. #Kimsuky #Gnuboard #Naver #Kakao

Keypoints

  • Fake login pages for Naver and Kakao are hosted on a Gnuboard 4-based website.
  • Phishing emails impersonating Naver Help accompany the fake login pages.
  • Autocompleting the login ID and capturing passwords leaks credentials to the attackers.
  • Most links on the page appear legitimate: one forged page delivers service ads, while the other links lead to real pages.
  • The same domain has been reused to host both Kakao and Naver phishing pages.
  • The operation is attributed to the Kimsuky group, with evidence from reverse DNS and related files.
  • Users are advised not to log in on unknown pages and to enable 2FA; site owners should update vulnerable software.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – The actor uses phishing emails to lure victims to fake login pages. “Emails impersonating Naver Help and web pages trying to steal account credentials through emails have been confirmed regularly for the past several years.”
  • [T1556.001] Credentials in Web Forms – The login form sends the entered credentials to the attacker’s server. “The login ID is filled in automatically upon accessing the URL. If data is inputted into the password section, the account credentials get leaked to the threat actor’s server.”
  • [T1036] Masquerading – The page is disguised as a legitimate Naver login screen. “Web page disguised as a Naver login screen”
  • [T1583] Acquire Infrastructure – The threat actor uses a vulnerable website to create a domain to host the fake pages. “The threat actor used a vulnerable website to create a domain.” “The same domain being used to create not only a fake Kakao web page, but now also a fake Naver web page.”

Indicators of Compromise

  • [URL] phishing domains – accountskakao.bim-mgn[.]com, nid.bim-mgn[.]com, and wwwid.bim-mgn[.]com
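As an added example (not code from the ASEC post), a small detector that runs over constructed proxy log lines and flags both the phishing hosts listed above and hostnames whose first label imitates the real Naver/Kakao login portals (nid.naver.com, accounts.kakao.com). The log format, the sample entries and the look-alike label list are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Defanged indicators as listed in this summary, refanged for matching.
PHISHING_HOSTS = {
    h.replace("[.]", ".")
    for h in ("accountskakao.bim-mgn[.]com", "nid.bim-mgn[.]com", "wwwid.bim-mgn[.]com")
}

# Registrable domains of the services being impersonated (assumed for this example).
LEGIT_DOMAINS = {"naver.com", "kakao.com"}

# First hostname labels that mimic the genuine login portals; the campaign reused
# "nid", "wwwid" and "accountskakao" on an unrelated domain. Assumed list.
LOOKALIKE_LABELS = re.compile(r"^(nid|wwwid|accounts?kakao)\.")


def registrable_domain(host):
    # Naive "last two labels" split; production code should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def classify_url(url):
    """Return 'known_ioc', 'legit', 'lookalike' or 'unknown' for one URL."""
    host = (urlparse(url).hostname or "").lower()
    if host in PHISHING_HOSTS:
        return "known_ioc"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if LOOKALIKE_LABELS.match(host):
        return "lookalike"
    return "unknown"


def scan_proxy_log(lines):
    """Return (timestamp, client, url, verdict) for suspicious 'ts client url' lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed records
        ts, client, url = parts[0], parts[1], parts[2]
        verdict = classify_url(url)
        if verdict in ("known_ioc", "lookalike"):
            hits.append((ts, client, url, verdict))
    return hits


# Constructed sample log: one genuine Naver login, two IoC hits, one look-alike host.
SAMPLE_LOG = """2024-01-01T09:00:01Z 10.0.0.5 https://nid.naver.com/nidlogin.login
2024-01-01T09:00:07Z 10.0.0.5 https://nid.bim-mgn.com/login
2024-01-01T09:01:12Z 10.0.0.9 https://accountskakao.bim-mgn.com/
2024-01-01T09:02:30Z 10.0.0.7 https://nid.example-other.net/"""
```

Running `scan_proxy_log(SAMPLE_LOG.splitlines())` returns the three suspicious entries and leaves the genuine nid.naver.com request alone; the look-alike rule is a heuristic and should be reviewed, not blocked on automatically.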

Read more: https://asec.ahnlab.com/en/47530/