Advanced Phishing Scams Target Individuals & Businesses in the Middle East

Cybersecurity
#1

Originally published at: https://cloudsek.com/threatintelligence/advanced-phishing-scams-target-individuals-businesses-in-the-middle-east/

Category:

Adversary Intelligence

 Industry:

Multiple

 Motivation:

Financial

 Region:

Middle East

 Source*:

A1

Executive Summary

THREAT IMPACT MITIGATION
  • An ongoing phishing campaign is targeting various government as well as corporate entities in the Finance, Travel, Hospital, Legal, Oil and Gas, and Consultation industries.
  • Large-scale phishing campaigns may result in significant loss of customer data as well as inflict reputational and monetary damage on their victims.
  • Avoid downloading suspicious documents and clicking on suspicious links.
  • Enable the visibility of file extensions, use MFA (Multi-Factor Authentication) and an updated antivirus.

 

CloudSEK‘s contextual AI digital risk monitoring platform XVigil identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity. A deep-dive analysis of the domain exposed a full-fledged campaign, where the threat actors were impersonating the Ministry of Human Resources of the UAE government. The actors created a fake website www.mohregov-ae[.]com that resembles the legitimate domain www[.]mohre[.]gov[.]ae, to defraud users.

Phishing website targeting Ministry of Human Resources, UAE
Phishing website targeting Ministry of Human Resources, UAE1189×679 296 KB
Phishing website targeting Ministry of Human Resources, UAE

 

Analysis and Attribution

The Phishing Campaign

  • CloudSEK’s investigation indicates that this is a large-scale phishing campaign targeted at individual job seekers and businesses, exposing them to 419 and BEC scams.
  • Upon observing the pattern of the email address used to register the domains, domain name, and hosting infrastructure, it can be inferred that a single threat actor or a threat actor group owns all these phishing domains and websites.

Information from the Malicious Domain

  • The WHOIS registration information for the domain mohregov-ae[.]com is linked to the following registrant information:
WHOIS Details
Name

Company

Address

City

State

Postal Code

Country

Email

Phone

 Mike James (44 Domains)

NA

Building a – Office 1309 -Zayed the First St

Abu Dhabi

Abu Dhabi

00000

United Arab Emirates

hr.kashifgroup@gmail[.]com

+971.556822973 (43 Domains)
WHOIS registrant information for mohregov-ae[.]comWHOIS registrant information for mohregov-ae[.]com
  • Upon further investigation of the email address hr.kashifgroup@gmail[.]com, our researchers discovered 43 domains that shared the same registrant information.
  • These domains were primarily being utilized for the following malicious activities:
    • To target immigrant workers looking for jobs in the Middle-East region
    • To target businesses under the theme of Business Email Compromise (BEC) scams
  • While domains that are presumably used to target job seekers, imparts a credible impression to first-time visitors, the domains potentially targeting businesses with BEC scams do not have a website and are most likely primarily used only to send emails.

Information from OSINT

  • During the course of our investigation into the fake domain, CloudSEK researchers discovered various other domains on the Open Source Internet (OSINT) that were reported on websites (such as stop419scams.com) as scams, targeting job seekers.
Post on stop419scams.com for scam website- alhasiminternationalschools[.]com
Post on stop419scams.com for scam website- alhasiminternationalschools[.]com884×278 43.4 KB
Post on stop419scams.com for scam website- alhasiminternationalschools[.]com
  • A WHOIS search revealed that the email ID hr.altubagroup@gmail.com was used to register the domain jboilandgas[.]com.
WHOIS Details
Name

Company

Address

City

State

Postal Code

Country

Email

Phone

 Albert Lot (31 domains)

NA (738,035 domains)

Hazza’ Bin Zayed the First Street

Abu Dhabi

Abu Dhabi

00000

United Arab Emirates (863,887 domains from United Arab Emirates for $250)

hr.altubagroup@gmail.com (31 domains)

+971.559286098
  • Investigating the above email address our researchers discovered 31 phishing domains leveraging similar tactics to target job seekers and businesses, deceiving them using 419 and BEC scams.
Phishing website- tenderadnoc[.]com redirecting users to legitimate website- taqa[.]com to avoid suspicion
Phishing website- tenderadnoc[.]com redirecting users to legitimate website- taqa[.]com to avoid suspicion1440×900 114 KB
Phishing website- tenderadnoc[.]com redirecting users to legitimate website- taqa[.]com to avoid suspicion
  • A WHOIS search revealed that the email id hr[.]hikmatgroup@gmail[.]com was used to register the domain firstcoastoffshoreservices[.]com.
WHOIS Details
Name

Company

Address

City

State

Postal Code

Country

Email

Phone

 hikmat Joe (46 domains)

NA (738,035 domains

King Khalid Bin Abdulaziz Saeed St

Abu Dhabi

Abu Dhabi

00000

United Arab Emirates (863,887 domains from United Arab Emirates for $250)

hr.hikmatgroup@gmail.com (46 domains)

+971.521515382
  • On further investigation of the above email address, our researcher discovered 46 phishing domains targeting similar entities.

List of all the Domains Discovered

Domains Discovered
Domains discovered upon investigating email address hr.kashifgroup@gmail[.]com.
  • bid-taqa[.]com
  • adbntogo[.]com
  • mohregov-ae[.]com
  • atenaeps[.]com
  • dubaiferryae[.]com
  • adnoc-vendor[.]com
  • easternbaytravels[.]com
  • siemenoilandgas[.]com
  • fenczyflyemiratetravels[.]com
  • nipmse[.]com
  • builds-emaar[.]com
  • stabluk[.]com
  • specgulfae[.]com
  • enocbids[.]com
  • globalhospae[.]com
  • rambolloil[.]com
  • zbavitae[.]com
  • emsclikoil[.]com
  • emarataljabrisolicitors[.]com
  • diligencefinconsultants[.]com
  • gulfcoastoilngas-ae[.]com
  • Emspgenerahospae[.]com
  • duramtravelagency[.]com
  • dahilalcapitalinvest[.]com
  • llhhospitals[.]com
  • aiischools[.]com
  • rakpetrolae[.]com
  • alhmodzinoilfildservices[.]com
  • hamraoilgroup[.]com
  • safetravel-services[.]com
  • enacopetroleum[.]com
  • gulfins-ae[.]com
  • abbrossgeneralhospital[.]com
  • alfujairah-ae[.]com
  • salacomimmigration[.]com
  • hpschooluae[.]com
  • zirvaenergy[.]com
  • eaglestravels-ae[.]com
  • stalinschoolintlacademy[.]com
  • nowmcopetroleum[.]com
  • flywaytravelandtourism[.]com
  • alzarafatravellsae[.]com
  • snocuae[.]com
Other domains on the Open Source Internet (OSINT) that were reported as scams, targeting job seekers.
  • hamzaroyaltravelandtours[.]com
  • alhasiminternationalschools[.]com
  • jboilandgas[.]com
  • firstcoastoffshoreservices[.]com
  • nowmcospetroleum[.]com
  • globalhospae[.]com
Domains discovered upon investigating email address hr.altubagroup@gmail.com.
  • contract-adnoc[.]com
  • world-airmaxitconsult[.]com
  • dubaiislbnk[.]com
  • bids-taqa[.]com
  • jboilandgas[.]com
  • safeairtravels[.]com
  • aero-gulfaviationservices[.]com
  • rakoffshore-ae[.]com
  • toursolution4[.]com
  • enoc-contractor[.]com
  • thumbayuniversityhospitae[.]com
  • akimandersonlaw[.]com
  • abh-center[.]com
  • tenderadnoc[.]com
  • siemensoilandgasae[.]com
  • kanadhospitalls[.]com
  • alifaritravels[.]com
  • enocbid[.]com
  • southwestgroupcorp[.]com
  • mechartesintl[.]com
  • mohe-ae[.]com
  • emiringenoilgc[.]com
  • rakspetroleum[.]com
  • alburjspecialisthospital[.]com
  • wienxyemiratetravels[.]com
  • alnahyangenhospital[.]com
  • hashabitravelagency-uae[.]com
  • edwardmorrisgreen[.]com
  • moorewellgroup[.]com
  • ssmcabudhabia-e[.]com
  • lodgersoilandgas[.]com
Domains discovered upon investigating email address hr.hikmatgroup@gmail.com.
  • nationhospitalae[.]com
  • ark-xchange[.]com
  • moha-pae[.]com
  • xpsmiddleeastoil[.]com
  • productpalacetrading[.]com
  • uenergyae[.]com
  • airconecttexpresdl[.]com
  • firstcoastoffshoreservices[.]com
  • alhasiminternationalschools[.]com
  • hamzaroyaltravelandtours[.]com
  • nare-exp[.]com
  • aibh-center[.]com
  • k-e-c-b[.]com
  • mfrmmsnonwoven[.]com
  • nationalinvestmentcorporation-ae[.]com
  • thunbayuniversityhospital[.]com
  • terramoollars[.]com
  • tendersadnoc[.]com
  • firstlawltd[.]com
  • gulfrussoffshore[.]com
  • transwayimmigrationservices[.]com
  • contract-enoc[.]com
  • tends-enoc[.]com
  • eldinoilngasgroup[.]com
  • starlingbluk[.]com
  • onalsoilfielduae[.]com
  • gulfspecialtyhospitaluae[.]com
  • astraszeneca[.]com
  • dhlexpressuae[.]com
  • molregove-ae[.]com
  • rakpetroluem[.]com
  • fastgulftravels[.]com
  • enoc-ae[.]com
  • ummluluoilgasae[.]com
  • spikeinvest-ug[.]com
  • abudhabimedicalcentre[.]com
  • bunapufic[.]com
  • mohres-uae[.]com
  • rexelenergyuae[.]com
  • arabtechoilfieldeng-ae[.]com
  • ocamoilandgasservices[.]com
  • rikairtravelandtour[.]com
  • luxdubaihotel[.]com
  • alhayathospitalae[.]com
  • Skylickmigrantagency[.]com
  • unitedschofbaniyas[.]com

Impact & Mitigation

Impact Mitigation
  • These phishing projects can be utilized by other threat actors to target specific users and steal their:
    • Passwords
    • Documents
    • Crypto wallets
    • Other sensitive information
  • Avoid downloading suspicious documents from unknown sources.
  • Avoid clicking on suspicious links.
  • Enable the visibility of file extensions, and be wary of downloading files with unknown file extensions.
  • Ensure the usage of MFA (Multi-Factor Authentication).
  • Use up-to-date antivirus and anomaly detection tools.

References

Appendix

Phishing website hxxp[://]siemenoilandgas[.]com targeting job seekers
Phishing website hxxp[://]siemenoilandgas[.]com targeting job seekers1440×900 175 KB
Phishing website hxxp[://]siemenoilandgas[.]com targeting job seekers
Phishing domain hxxp[://]adnoc-vendor[.]com targeting businesses with BEC scams
Phishing domain hxxp[://]adnoc-vendor[.]com targeting businesses with BEC scams1440×900 110 KB
Phishing domain hxxp[://]adnoc-vendor[.]com targeting businesses with BEC scams

 

#2

how to get the the CloudSEK XVigil SOC related cetificate