An ongoing phishing campaign is targeting the United Nations and several humanitarian aid organizations, including UNICEF and the UN World Food Programme, using landing pages that impersonate legitimate Microsoft Office 365 login pages.

The campaign has been actively launching attacks since March 2019, according to researchers at Lookout Phishing AI. The two domains hosting the phishing toolkits and related content are associated with an IP network block and an ASN (Autonomous System Number) that threat actors have also used to deliver malware in the past.

Among the other orgs targeted in this phishing campaign, the attackers attempted to steal user credentials from the United Nations Development Programme, the Heritage Foundation, the International Federation of the Red Cross and Red Crescent Societies, and the United States Institute of Peace.

The full list of humanitarian aid orgs currently under attack, the phishing URLs, and the SSL certificates used in this campaign are available in the table embedded at the end of the article.

Desktop phishing landing page

Mobile users also targeted

"Javascript code logic on the phishing pages detects if the page is being loaded on a mobile device and delivers mobile-specific content in that case," Lookout's researchers found.

Targeting mobile users is a well-known phishing tactic: mobile web browsers truncate long URLs in the address bar, which helps obfuscate the phishing URLs and makes it a lot harder for targets to notice that they are under attack.

Mobile landing phishing pages

To avoid raising suspicion, the attackers also customized, for each of the targeted organizations, the pages shown after victims 'successfully' log in through the fake Office 365 login forms.

As part of this attempt, depending on the parameters added to the phishing URL (i.e., &dl=dl or &dl=sv), the victims will be redirected to PDF or Google Docs resources after entering their logins as shown in the screenshots below.

As part of Bleeping Computer's tests while documenting these phishing attacks we discovered that the landing pages don't orient well in mobile mode and on desktop web browsers when their windows are not maximized.

Keylogger used to harvest credentials

The Lookout researchers also found evidence that the attackers embedded a keylogger in the landing pages to actively harvest their victims' keystrokes.

They discovered that "if a target doesn’t complete the login activity by pressing the login button or if they enter another, unintended password, this information is still sent back to the command and control infrastructure operated by the malicious actor."

Login form keylogger

As Bleeping Computer was able to confirm, when the victim releases a key, the keylogger sends the password to the cmdEncrypt function, which combines the email address with the entered password and uses the showHint function to send it off to the attacker's server.

Thus, if the email was john@doe.com and one of the targets entered 'asdasd' as the password, the keylogger would send 'john@doe.com,asdasd' to the server that collects all the logged keystroke info from the victims.

Exfiltrating logged keystrokes

SSL certificates used to 'secure' the landing pages

The attackers also use SSL certificates to further increase the illusion that their landing pages are legitimate Microsoft Office 365 login pages.

Of all the certificates used so far in this campaign, the researchers found that only six are still valid, expiring in mid or late November, a possible clue that the attacks are still active.

"SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019," Lookout's research team adds.

"All major browsers will alert users about the use of expired SSL certificates. As these warnings are very clear (and in fact often hard to dismiss) it would be near impossible to entice a user to enter their login credentials on a site that uses an expired certificate," Lookout says.

"As a result, expired SSL certificates observed on some of the phishing sites can provide insight into the time period of the attack."

| Target Organization | URL | Live SSL Certificate |
| --- | --- | --- |
| UN World Food Programme | fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com | Valid until November 23 |
| United Nations Development Programme | logon.undp.org.adfs.ls.client-request-id.session-services.com | Valid until November 18 |
| United Nations | sso.united.un.org.adfs.ls.clinet-request-id.session-services.com | Valid until November 15 |
| UNICEF | login.unicef.org.adfs.ls.client-request-id.session-services.com | Valid until November 16 |
| Heritage Foundation | heritage.onelogin.com.login.service-ssl-check.com | Valid until November 18 |
| International Federation of the Red Cross and Red Crescent Societies | sts.ifrc.org.adfs.ls.client-request-id.session-services.com | Valid until November 16 |
| United States Institute of Peace | login.microsoftonline.com.common.oauth2.ip.session-services.com | Expired August 3 |
| Concern Worldwide | login.microsoftonline.com.common.oauth2.co.session-services.com | Expired September 8 |
| Humanity and Inclusion (French) | login.microsoftonline.com.common.oauth2.hi.session-services.com | Expired September 7 |
| Social Science Research Council Sign-On Portal | sso.ssrc.org.adfs.ls.client-request-id.63f91e15.service-ssl-check.com | Expired September 3 |
| UC San Diego | login.microsoftonline.com.common.oauth2.uc.session-services.com | Expired August 3 |
| East-West Center | eastwestcenter.org.owa.auth.logon.aspx.replacecurrent.service-ssl-check.com | Expired September 3 |
| Unknown/Inaccessible | login.microsoftonline.com.common.oauth2.br.session-services.com | Expired August 3 |
| Unknown/Inaccessible | login.microsoftonline.com.common.oauth2.client.us.service-ssl-check.com | Expired September 3 |
| Unknown/Inaccessible | login.microsoftonline.com.common.oauth2.client.al.service-ssl-check.com | Expired September 3 |
| Unknown/Inaccessible | login.microsoftonline.com.common.oauth2.client.hi.service-ssl-check.com | Expired September 3 |
| Yahoo (German) | login.yahoo.com.manage-account.src-ym.lang-en-us.session-services.com | Expired August 3 |
| AOL (German) | login.aol.com.account.challenge.oauth.session-services.com | Expired August 3 |
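Every hostname in the table follows the same pattern: a legitimate domain (login.microsoftonline.com, wfp.org, onelogin.com) is pasted in as a subdomain prefix of an attacker-controlled domain. The following added Python example (not code from Lookout or BleepingComputer) flags that pattern in web proxy logs by looking for a top-level label such as "com" or "org" in the middle of a hostname; the log lines and user names are constructed, and the two-label registrable-domain heuristic is an assumption that suits the .com hosts in the table.

```python
from typing import Optional
from urllib.parse import urlsplit

# Labels that belong only at the end of a real hostname. One of them sitting in
# the middle of a name is the tell-tale sign of the impersonation pattern (heuristic).
PUBLIC_SUFFIX_LABELS = {"com", "org", "net", "edu"}

def embedded_domain(host: str) -> Optional[str]:
    """Return the decoy domain embedded as a prefix of `host`, or None.
    'login.microsoftonline.com.common.oauth2.ip.session-services.com'
        -> 'login.microsoftonline.com'
    'fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com'
        -> 'fs.auth.wfp.org'
    'login.microsoftonline.com' -> None (no interior TLD label)
    """
    labels = host.lower().rstrip(".").split(".")
    for i, label in enumerate(labels[:-1]):  # the last label is the real TLD
        if label in PUBLIC_SUFFIX_LABELS:
            return ".".join(labels[: i + 1])
    return None

def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption; enough for .com hosts)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def scan_proxy_log(lines):
    """Return (decoy_domain, real_domain, url) for every URL whose hostname
    embeds another organisation's domain. Input format: 'timestamp user url'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname
        decoy = embedded_domain(host) if host else None
        if decoy:
            hits.append((decoy, registrable_domain(host), parts[2]))
    return hits

# Constructed sample proxy log; the phishing hostnames are the ones listed in the table.
SAMPLE_LOG = """\
2019-10-15T09:12:03Z alice https://login.microsoftonline.com/common/oauth2/authorize
2019-10-15T09:14:41Z bob https://login.microsoftonline.com.common.oauth2.ip.session-services.com/?dl=sv
2019-10-15T09:15:02Z carol https://fs.auth.wfp.org.adfs.ls.client-request-id.session-services.com/
2019-10-15T09:20:00Z dave https://heritage.onelogin.com.login.service-ssl-check.com/
""".splitlines()

if __name__ == "__main__":
    for decoy, real, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{real} impersonates {decoy}: {url}")
```

The genuine login.microsoftonline.com entry is not flagged because its only "com" label is the real TLD; the three phishing hosts are.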

After discovering this ongoing phishing campaign targeting humanitarian aid organizations, Lookout reached out to law enforcement as well as the targeted orgs, but as of the publication of this article, the attack is still active.