Threat Actors Use Fake Sites for Espionage

Researchers at Volexity report that the Vietnamese threat actor OceanLotus has been using phony news and bogus activist websites to track users, or to trick them into downloading malware. Notably, the websites were convincing enough that the researchers initially thought they were legitimate news sites that had been compromised by a threat actor. Additionally, most of the content on the sites was harmless, containing thousands of articles scraped from legitimate news outlets, with only certain articles containing malicious redirects.

“However, upon closer inspection of the websites, Volexity found the sites were not compromised, instead they were created and operated by OceanLotus,” the researchers write. “Each of the websites appears to have had a decent level of effort to build it, as there are numerous variations in themes, content, and even custom images and slogans. The websites all claim to be news sites and contain a great deal of benign content, with no malicious redirects or profiling in place on the vast majority of pages including the main index page. Instead, generally speaking, only a handful of specific articles within each site contain malicious content.”

The researchers believed users were directed to these malicious pages via links in spear phishing emails and social media messages. The sites also acted as watering holes, allowing the threat actor to collect information on users who were interested in certain topics and found the sites on their own.

The pages would collect information about visitors and, in some cases, attempt to trick the user into installing malware. For example, one of the pages used JavaScript to show a video player trying to load a news video before displaying an error. The user would then be told they needed to download Flash in order to play the video. If the user clicked the download button, they’d be infected with the Cobalt Strike hacking tool.

Interestingly, if the same page detected that the user was on a mobile device, it would instead inform them that they needed to sign in to confirm their age before viewing the video. If the user clicked the button to sign in, they’d be taken to a credential-harvesting page.

New-school security awareness training can help your employees maintain a healthy sense of suspicion even when they’re not expecting to be attacked.

Volexity has the story.
