Phishing Campaign “Soula” Steals Credentials from Visitors of Reputable Websites

  • Trend Micro has noticed a new watering hole phishing campaign that compromised high-ranking websites.
  • The malicious actors employed smart script settings that made their activity more believable and less suspicious.
  • Upon their discovery and report, the actors have changed to another server and added obfuscation to their script.

Trend Micro researchers have been following a new type of a phishing campaign that utilizes the watering hole technique to acquire login credentials from victims. Given the name “Soula”, this new campaign was found to target popular South Korean websites that are among the top 300 most visited in the country, and thus are considered especially trustworthy by their visitors. The infection of the websites is done through the injection of a JavaScript code that initiates a step-by-step exploitation process, leading to the tricking of the user into inputting their credentials in a fraudulent form.

The routine goes as follows. The victim visits the compromised website, and so the JavaScript code runs on their browser, loading the actual phishing script from the actors’ server. Depending on whether the victim is visiting the website using a mobile device or a laptop/PC, they are served with the corresponding version of the spoofed form. Should the victim get convinced by it, the entered credentials go directly to the attacker’s server. The script does not only identify the victim’s machine but also filters out bot crawlers and threat engine scanners, using header string checks.

Sokor-Phishing-01-768x615
image source: blog.trendmicro.com

Another way to prevent detection and suspicion from the website administrators is the methodical delivery of the phishing forms. The malicious script sets a browser cookie to the devices of the victims that were served with the fake forms, which sets an expiration period of 12 hours for the fake login. Moreover, the cookie is also counting the times the victim visits the compromised website and enables the pop-up that delivers the fake form only after the sixth visit. This is to trick the visitor into thinking that nothing weird is going on, as they will not be greeted with a login form right away but at a more believable point.

phishing_script
image source: blog.trendmicro.com

Trend Micro has managed to figure out that it was a Cloudflare domain that hosted the malicious server and contacted the network services company to remove it, which they did. However, that didn’t bruise the attackers, as they responded by moving to another compromised server and added heavier obfuscation to their JavaScript code. While the South Korean websites are not compromised anymore, Trend Micro researchers believe that this first stage was only a research and info-collecting phase for the cybercriminals. It is possible that “Soula” will grow bigger and stronger, entering the global exploitation scene soon.

What tools are you using for blocking malicious scripts and pop-ups? Share the details in the comments section below, and don’t forget that you can warn others by liking and sharing this story through our socials, on Facebook and Twitter.

Latest
How to Watch World Cup 2022 Online: Live Stream Soccer Matches for Free from Anywhere
: The quarterfinals of the 2022 FIFA World Cup are set to get underway this evening with two very exciting matches in...
How to Watch Heartland Season 16 Online From Anywhere
One of the most popular drama series among horse lovers is here with a new season, and we can't wait to watch...
How to Watch Yellowstone Season 5 Online From Anywhere
Fans of Yellowstone are in for a treat as the Duttons are returning for a brand new season - so get ready...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari