A South Korean platform, Naver, gets abused for phishing campaigns


One of South Korea’s most popular online platforms, Naver, has seen broad phishing activity related to the TrickBot botnet that aims to steal victims’ credentials using hundreds of malicious domains. The South Korean online platform operates like Google: users can search the web, create an email account, browse the latest news, and more.


A recent report from cybersecurity researchers reveals a massive phishing campaign against Naver that targeted the sensitive credentials of millions of its South Korean users.


Experts began investigating the issue from a single domain shared by a separate researcher, which revealed a wide phishing operation that aims to harvest Naver users’ valid login credentials. As the investigation progressed, experts found the hosting domain serving the Naver-themed phishing sites and identified overlaps linking it to the TrickBot botnet.

Over 500 unique malicious domains were connected to the massive phishing campaign, with its operator using one email address to register a set of domain names tied to one IP address. Moreover, the operators also created numerous addresses to set up different fake accounts in the operation.

Based on the investigation, the set of domains sharing a single IP address is part of an HTTP/302 redirect scheme, which redirects victims to spoofed login pages for the platform, hosted on Hostinger.

The initial email address led the analysts to a new set of 58 phishing domains resolving to the IP address 23.81.246[.]131, which proved critical in establishing a connection between the Naver phishing campaign and TrickBot’s infrastructure.
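The pivoting described above, from one seed domain to its registrant email, then to the shared IP address and on to further domains, can be reproduced by defenders over their own WHOIS and passive DNS data. The following is an added example, not the researchers' tooling; the records, domain names and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample records (not from the report): domain -> (registrant email, resolved IP).
RECORDS = {
    "naver-login.example": ("reg1@mail.example", "203.0.113.10"),
    "nid-verify.example": ("reg1@mail.example", "203.0.113.10"),
    "naver-help.example": ("reg2@mail.example", "203.0.113.10"),
    "account-check.example": ("reg2@mail.example", "198.51.100.7"),
    "beacon-c2.example": ("reg3@mail.example", "198.51.100.7"),
    "unrelated-shop.example": ("owner@shop.example", "192.0.2.55"),
}

def pivot(seed, records):
    """BFS from seed over shared registrant emails and IPs; returns {domain: (hops, link)}."""
    by_email, by_ip = {}, {}
    for domain, (email, ip) in records.items():
        by_email.setdefault(email, set()).add(domain)
        by_ip.setdefault(ip, set()).add(domain)
    found = {seed: (0, "seed")}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        email, ip = records[current]
        hops = found[current][0] + 1
        # Pivot on the registrant email first, then on the hosting IP.
        for label, peers in ((f"email:{email}", by_email[email]), (f"ip:{ip}", by_ip[ip])):
            for peer in sorted(peers):
                if peer not in found:
                    found[peer] = (hops, label)  # remember which indicator linked it
                    queue.append(peer)
    return found

def shared_ips(cluster, records, min_domains=2):
    """IPs hosting at least min_domains cluster members: candidates for blocking or hunting."""
    counts = {}
    for domain in cluster:
        ip = records[domain][1]
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_domains}

if __name__ == "__main__":
    cluster = pivot("naver-login.example", RECORDS)
    for domain, (hops, via) in sorted(cluster.items(), key=lambda kv: kv[1]):
        print(f"{hops} {domain:24} via {via}")
    print(shared_ips(cluster, RECORDS))
```

Recording the linking indicator for each hop keeps the cluster auditable, so a domain that merely shares a hosting IP can be reviewed before it is added to a blocklist.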

Furthermore, the analysts have found Cobalt Strike beacon samples, another part of the campaign, linked with the IP address 23.81.246[.]131. The samples abused the vulnerability CVE-2021-40444, aiming to spread the Conti ransomware.

For the researchers, it seems that the phishing activity happening on Naver will continue as long as the TrickBot infrastructure is being actively used. Many malicious domains have been registered in March alone for the campaign.
