Phishing Campaign “Soula” Steals Credentials from Visitors of Reputable Websites

  • Trend Micro has noticed a new watering hole phishing campaign that compromised high-ranking websites.
  • The malicious actors employed smart script settings that made their activity more believable and less suspicious.
  • Upon their discovery and report, the actors have changed to another server and added obfuscation to their script.

Trend Micro researchers have been following a new type of a phishing campaign that utilizes the watering hole technique to acquire login credentials from victims. Given the name “Soula”, this new campaign was found to target popular South Korean websites that are among the top 300 most visited in the country, and thus are considered especially trustworthy by their visitors. The infection of the websites is done through the injection of a JavaScript code that initiates a step-by-step exploitation process, leading to the tricking of the user into inputting their credentials in a fraudulent form.

The routine goes as follows. The victim visits the compromised website, and so the JavaScript code runs on their browser, loading the actual phishing script from the actors’ server. Depending on whether the victim is visiting the website using a mobile device or a laptop/PC, they are served with the corresponding version of the spoofed form. Should the victim get convinced by it, the entered credentials go directly to the attacker’s server. The script does not only identify the victim’s machine but also filters out bot crawlers and threat engine scanners, using header string checks.

Sokor-Phishing-01-768x615
image source: blog.trendmicro.com

Another way to prevent detection and suspicion from the website administrators is the methodical delivery of the phishing forms. The malicious script sets a browser cookie to the devices of the victims that were served with the fake forms, which sets an expiration period of 12 hours for the fake login. Moreover, the cookie is also counting the times the victim visits the compromised website and enables the pop-up that delivers the fake form only after the sixth visit. This is to trick the visitor into thinking that nothing weird is going on, as they will not be greeted with a login form right away but at a more believable point.

phishing_script
image source: blog.trendmicro.com

Trend Micro has managed to figure out that it was a Cloudflare domain that hosted the malicious server and contacted the network services company to remove it, which they did. However, that didn’t bruise the attackers, as they responded by moving to another compromised server and added heavier obfuscation to their JavaScript code. While the South Korean websites are not compromised anymore, Trend Micro researchers believe that this first stage was only a research and info-collecting phase for the cybercriminals. It is possible that “Soula” will grow bigger and stronger, entering the global exploitation scene soon.

What tools are you using for blocking malicious scripts and pop-ups? Share the details in the comments section below, and don’t forget that you can warn others by liking and sharing this story through our socials, on Facebook and Twitter.

REVIEW OVERVIEW

Latest

Is It Okay to Charge iPhone 13, Mini, Pro, or Pro Max Overnight?

Without any doubt, there are plenty of misconceptions about charging iOS devices. That’s even more true now since this year’s iPhones have the...

Is It Okay to Play Games While Charging iPhone 13? 

The iOS App Store offers more than one million games. Your options are practically limitless, with console-like games taking full advantage of iPhone 13’s...

Is It Bad to Use iPhone 13 While Charging? 

The latest iPhone generation comes with the longest battery life yet, managing to provide up to 2.5 extra hours of use. With that said,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari