The campaign, labeled “Soula”, collects information via a spoofed login screen of one of the country’s leading search engines that pops up over the original webpage.
It sends the logged credentials to the attackers’ server even without accurate data confirmation, leading researchers to think that the cybercriminals are at research and information-gathering stage.
An initial JavaScript injection done on the compromised websites was just traced March 14th. The injected script profiles the website’s visitors and loads the phishing forms on top of the main pages. It scans the HTTP referer header string and checks if it contains keywords related to popular search engines and social media sites to authenticate that the visitor is real.
Since the HTTP referer identifies the address webpage of the source to the requested page, this check makes it easier to identify the visitor as a real user if the request comes from one, as well as filter out bot crawlers or threat engine scanners.
The script then scans for the HTTP User-Agent header for strings such as iPhone, iPad, iPod, iOS and Android to identify the device used by the user as desktop or mobile, which allows it to deliver the respective phishing forms to the victim. Mobile users will see the fake login form pop-up only after clicking any button on the compromised websites.
To mask the malicious routine, it only enables the pop-up to appear after the sixth time the victim visits the websites, setting a cookie to count the number of visits. The cookie is also set to expire after two hours since the last pop-up.
If the device has none of the strings listed, Soula assumes that the user is visiting the website using a desktop computer. Users will see the fake login form directly on top of the compromised webpage, asking the user to input their username and password before they can continue visiting the site. The user information is directly sent to the attackers’ servers.
To prevent attack suspicions from the website, the phishing script sets a browser cookie to the devices that received the phishing forms that enables the fake login to expire 12 hours after the initial interaction.
While this technique can be more difficult to trace compared to socially engineered Mobile phishing attacks, endpoint users can still protect themselves by enabling a multi-layered defense system that allows detection, scanning and blocking of malicious URLs and pop-ups. Users should also enable additional authentication measures such as 2FA whenever possible.
Security administrators are advised to download updates as soon as patches are available from legitimate vendors, and enable Content Security Policy to prevent unauthorized access and use of exploits for remotely injected scripts.
