Advanced Phishing Scams Target Individuals & Businesses in the Middle East

XVigil identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity. A deep-dive analysis of the domain exposed a full-fledged campaign, where the threat actors were impersonating the Ministry of Human Resources of the UAE government.
Published on July 4, 2022. Updated on April 19, 2023.
Category: Adversary Intelligence
Industry: Multiple
Motivation: Financial
Region: Middle East
Source*: A1

Executive Summary

Threat
  • An ongoing phishing campaign is targeting various government as well as corporate entities in the Finance, Travel, Hospital, Legal, Oil and Gas, and Consultation industries.
Impact
  • Large-scale phishing campaigns may result in significant loss of customer data as well as inflict reputational and monetary damage on their victims.
Mitigation
  • Avoid downloading suspicious documents and clicking on suspicious links.
  • Enable the visibility of file extensions, use MFA (Multi-Factor Authentication) and an updated antivirus.
CloudSEK's contextual AI digital risk monitoring platform XVigil identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity. A deep-dive analysis of the domain exposed a full-fledged campaign, where the threat actors were impersonating the Ministry of Human Resources of the UAE government. The actors created a fake website www.mohregov-ae[.]com that resembles the legitimate domain www[.]mohre[.]gov[.]ae, to defraud users.

Figure: Phishing website targeting Ministry of Human Resources, UAE

Analysis and Attribution

The Phishing Campaign

  • CloudSEK’s investigation indicates that this is a large-scale phishing campaign targeted at individual job seekers and businesses, exposing them to 419 and BEC scams.
  • The common pattern in the email addresses used to register the domains, in the domain names themselves, and in the hosting infrastructure indicates that a single threat actor or threat actor group owns all of these phishing domains and websites.

Information from the Malicious Domain

  • The WHOIS registration information for the domain mohregov-ae[.]com is linked to the following registrant information:
WHOIS Details
  • Name: Mike James (44 Domains)
  • Company: NA
  • Address: Building a – Office 1309 - Zayed the First St
  • City: Abu Dhabi
  • State: Abu Dhabi
  • Postal Code: 00000
  • Country: United Arab Emirates
  • Email: hr.kashifgroup@gmail[.]com
  • Phone: +971.556822973 (43 Domains)

Figure: WHOIS registrant information for mohregov-ae[.]com
  • Upon further investigation of the email address hr.kashifgroup@gmail[.]com, our researchers discovered 43 domains that shared the same registrant information.
  • These domains were primarily being utilized for the following malicious activities:
    • To target immigrant workers looking for jobs in the Middle East region
    • To target businesses under the theme of Business Email Compromise (BEC) scams
  • While the domains presumably used to target job seekers host websites that give first-time visitors a credible impression, the domains potentially used for BEC scams against businesses have no website and are most likely used only to send emails.
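The registrant pivot described in this section (one email address or phone number tying dozens of domains to the same actor) can be reproduced on WHOIS data a defender already holds. The following is an added example, not CloudSEK's or XVigil's code: the WHOIS records are constructed placeholders, and only the field names mirror the registrant fields shown in the report. It also shows why values such as "NA" or privacy-redacted fields must not be pivoted on.

```python
"""Pivot on shared WHOIS registrant details to group phishing domains.

Added example, not CloudSEK's or XVigil's code. The WHOIS records below are
constructed for illustration: the domains, e-mail addresses and phone numbers
are placeholders, and only the field names follow the registrant fields the
report shows (name, email, phone, city).
"""
from collections import defaultdict

# Constructed sample records (placeholder values, not real registrants).
SAMPLE_WHOIS = [
    {"domain": "fake-ministry-portal.test", "name": "A. Actor",
     "email": "hr.actor-one@example.test", "phone": "+971.500000001", "city": "Abu Dhabi"},
    {"domain": "vendor-bids.test", "name": "A. Actor",
     "email": "hr.actor-one@example.test", "phone": "+971.500000002", "city": "Abu Dhabi"},
    {"domain": "gulf-offshore-jobs.test", "name": "B. Alias",
     "email": "careers.alias@example.test", "phone": "+971.500000002", "city": "Abu Dhabi"},
    {"domain": "tender-portal.test", "name": "C. Other",
     "email": "bids.other@example.test", "phone": "+971.500000003", "city": "Dubai"},
    {"domain": "career-agency.test", "name": "C. Other",
     "email": "BIDS.OTHER@example.test", "phone": "NA", "city": "Dubai"},
    {"domain": "unrelated-shop.test", "name": "Redacted",
     "email": "REDACTED FOR PRIVACY", "phone": "", "city": "Sharjah"},
]

# Values that occur in huge numbers of records and would join unrelated domains.
IGNORED_VALUES = {"", "na", "n/a", "redacted for privacy"}


def pivot_keys(record):
    """Return the (field, value) pairs of a record that are safe to pivot on."""
    keys = []
    for field in ("email", "phone"):
        value = (record.get(field) or "").strip().lower()
        if value not in IGNORED_VALUES:
            keys.append((field, value))
    return keys


def cluster_by_registrant(records):
    """Group domains that share a registrant e-mail or phone, transitively.

    Returns a list of {"domains": [...], "indicators": [...]} dicts, largest
    cluster first. 'indicators' lists the field=value pairs that tie at least
    two domains of that cluster together.
    """
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    # Index every pivot value -> the set of domains registered with it.
    key_members = defaultdict(set)
    for rec in records:
        domain = rec["domain"].strip().lower()
        parent.setdefault(domain, domain)
        for key in pivot_keys(rec):
            key_members[key].add(domain)

    # Union all domains that share a pivot value.
    for members in key_members.values():
        first, *rest = sorted(members)
        for other in rest:
            root_first, root_other = find(first), find(other)
            if root_first != root_other:
                parent[root_other] = root_first

    groups = defaultdict(list)
    for domain in parent:
        groups[find(domain)].append(domain)

    clusters = []
    for domains in groups.values():
        domain_set = set(domains)
        indicators = sorted(
            f"{field}={value}"
            for (field, value), members in key_members.items()
            if len(members) >= 2 and members <= domain_set
        )
        clusters.append({"domains": sorted(domains), "indicators": indicators})
    clusters.sort(key=lambda c: (-len(c["domains"]), c["domains"][0]))
    return clusters


if __name__ == "__main__":
    for cluster in cluster_by_registrant(SAMPLE_WHOIS):
        print(len(cluster["domains"]), "domain(s):", ", ".join(cluster["domains"]))
        for indicator in cluster["indicators"]:
            print("   shared", indicator)
```

On the sample data the three placeholder domains registered with one email and one shared phone number fall into a single cluster even though no single field links all three, which is the transitive linking the report relies on; the record with "NA" and the privacy-redacted one are left unlinked rather than being merged with everything else.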

Information from OSINT

  • During the course of our investigation into the fake domain, CloudSEK researchers discovered various other domains on the Open Source Internet (OSINT) that were reported on websites (such as stop419scams.com) as scams, targeting job seekers.
Figure: Post on stop419scams.com for scam website alhasiminternationalschools[.]com
  • A WHOIS search revealed that the email ID [email protected] was used to register the domain jboilandgas[.]com.
WHOIS Details
  • Name: Albert Lot (31 domains)
  • Company: NA
  • Address: Hazza' Bin Zayed the First Street
  • City: Abu Dhabi
  • State: Abu Dhabi
  • Postal Code: 00000
  • Country: United Arab Emirates
  • Email: [email protected] (31 domains)
  • Phone: +971.559286098
  • Investigating the above email address, our researchers discovered 31 phishing domains that use similar tactics to target job seekers and businesses with 419 and BEC scams.

Figure: Phishing website tenderadnoc[.]com redirecting users to the legitimate website taqa[.]com to avoid suspicion
  • A WHOIS search revealed that the email id hr[.]hikmatgroup@gmail[.]com was used to register the domain firstcoastoffshoreservices[.]com.
WHOIS Details
  • Name: hikmat Joe (46 domains)
  • Company: NA
  • Address: King Khalid Bin Abdulaziz Saeed St
  • City: Abu Dhabi
  • State: Abu Dhabi
  • Postal Code: 00000
  • Country: United Arab Emirates
  • Email: [email protected] (46 domains)
  • Phone: +971.521515382
  • On further investigation of the above email address, our researchers discovered 46 phishing domains targeting similar entities.

List of all the Domains Discovered

Domains Discovered
Domains discovered upon investigating email address hr.kashifgroup@gmail[.]com.
  • bid-taqa[.]com
  • adbntogo[.]com
  • mohregov-ae[.]com
  • atenaeps[.]com
  • dubaiferryae[.]com
  • adnoc-vendor[.]com
  • easternbaytravels[.]com
  • siemenoilandgas[.]com
  • fenczyflyemiratetravels[.]com
  • nipmse[.]com
  • builds-emaar[.]com
  • stabluk[.]com
  • specgulfae[.]com
  • enocbids[.]com
  • globalhospae[.]com
  • rambolloil[.]com
  • zbavitae[.]com
  • emsclikoil[.]com
  • emarataljabrisolicitors[.]com
  • diligencefinconsultants[.]com
  • gulfcoastoilngas-ae[.]com
  • Emspgenerahospae[.]com
  • duramtravelagency[.]com
  • dahilalcapitalinvest[.]com
  • llhhospitals[.]com
  • aiischools[.]com
  • rakpetrolae[.]com
  • alhmodzinoilfildservices[.]com
  • hamraoilgroup[.]com
  • safetravel-services[.]com
  • enacopetroleum[.]com
  • gulfins-ae[.]com
  • abbrossgeneralhospital[.]com
  • alfujairah-ae[.]com
  • salacomimmigration[.]com
  • hpschooluae[.]com
  • zirvaenergy[.]com
  • eaglestravels-ae[.]com
  • stalinschoolintlacademy[.]com
  • nowmcopetroleum[.]com
  • flywaytravelandtourism[.]com
  • alzarafatravellsae[.]com
  • snocuae[.]com
Other domains on the Open Source Internet (OSINT) that were reported as scams, targeting job seekers.
  • hamzaroyaltravelandtours[.]com
  • alhasiminternationalschools[.]com
  • jboilandgas[.]com
  • firstcoastoffshoreservices[.]com
  • nowmcospetroleum[.]com
  • globalhospae[.]com
Domains discovered upon investigating email address [email protected].
  • contract-adnoc[.]com
  • world-airmaxitconsult[.]com
  • dubaiislbnk[.]com
  • bids-taqa[.]com
  • jboilandgas[.]com
  • safeairtravels[.]com
  • aero-gulfaviationservices[.]com
  • rakoffshore-ae[.]com
  • toursolution4[.]com
  • enoc-contractor[.]com
  • thumbayuniversityhospitae[.]com
  • akimandersonlaw[.]com
  • abh-center[.]com
  • tenderadnoc[.]com
  • siemensoilandgasae[.]com
  • kanadhospitalls[.]com
  • alifaritravels[.]com
  • enocbid[.]com
  • southwestgroupcorp[.]com
  • mechartesintl[.]com
  • mohe-ae[.]com
  • emiringenoilgc[.]com
  • rakspetroleum[.]com
  • alburjspecialisthospital[.]com
  • wienxyemiratetravels[.]com
  • alnahyangenhospital[.]com
  • hashabitravelagency-uae[.]com
  • edwardmorrisgreen[.]com
  • moorewellgroup[.]com
  • ssmcabudhabia-e[.]com
  • lodgersoilandgas[.]com
Domains discovered upon investigating email address [email protected].
  • nationhospitalae[.]com
  • ark-xchange[.]com
  • moha-pae[.]com
  • xpsmiddleeastoil[.]com
  • productpalacetrading[.]com
  • uenergyae[.]com
  • airconecttexpresdl[.]com
  • firstcoastoffshoreservices[.]com
  • alhasiminternationalschools[.]com
  • hamzaroyaltravelandtours[.]com
  • nare-exp[.]com
  • aibh-center[.]com
  • k-e-c-b[.]com
  • mfrmmsnonwoven[.]com
  • nationalinvestmentcorporation-ae[.]com
  • thunbayuniversityhospital[.]com
  • terramoollars[.]com
  • tendersadnoc[.]com
  • firstlawltd[.]com
  • gulfrussoffshore[.]com
  • transwayimmigrationservices[.]com
  • contract-enoc[.]com
  • tends-enoc[.]com
  • eldinoilngasgroup[.]com
  • starlingbluk[.]com
  • onalsoilfielduae[.]com
  • gulfspecialtyhospitaluae[.]com
  • astraszeneca[.]com
  • dhlexpressuae[.]com
  • molregove-ae[.]com
  • rakpetroluem[.]com
  • fastgulftravels[.]com
  • enoc-ae[.]com
  • ummluluoilgasae[.]com
  • spikeinvest-ug[.]com
  • abudhabimedicalcentre[.]com
  • bunapufic[.]com
  • mohres-uae[.]com
  • rexelenergyuae[.]com
  • arabtechoilfieldeng-ae[.]com
  • ocamoilandgasservices[.]com
  • rikairtravelandtour[.]com
  • luxdubaihotel[.]com
  • alhayathospitalae[.]com
  • Skylickmigrantagency[.]com
  • unitedschofbaniyas[.]com
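The lists above are published defanged (`[.]`, `hxxp[://]`), contain a few duplicates across the three registrant groups, and mix lookalikes of several organisations. The following added example (not CloudSEK's code) refangs a subset of these indicators copied in the report's own form, de-duplicates and validates them, tags each domain with the organisation its name imitates using an assumed keyword table, and renders a sinkhole-style hosts list a defender could deploy.

```python
"""Normalise the report's defanged domain list into a blocklist and tag each
entry with the organisation its name imitates.

Added example, not CloudSEK's code. DEFANGED is a subset of the indicators
listed in this report, kept in the report's own defanged form; two duplicates
and one hxxp URL are included on purpose to exercise the handling. The
BRAND_KEYWORDS table is an assumption made for this example.
"""
import re

DEFANGED = """
mohregov-ae[.]com
adnoc-vendor[.]com
tenderadnoc[.]com
enocbids[.]com
bid-taqa[.]com
jboilandgas[.]com
jboilandgas[.]com
globalhospae[.]com
Globalhospae[.]com
siemenoilandgas[.]com
dhlexpressuae[.]com
astraszeneca[.]com
hxxp[://]siemenoilandgas[.]com
"""

# Assumed lookalike keyword -> organisation whose name is being imitated.
BRAND_KEYWORDS = {
    "mohre": "UAE Ministry of Human Resources (mohre.gov.ae)",
    "adnoc": "ADNOC",
    "enoc": "ENOC",
    "taqa": "TAQA",
    "siemen": "Siemens",
    "dhl": "DHL",
    "zeneca": "AstraZeneca",
}

# Hostname syntax check; anything that fails is dropped rather than deployed.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Defanged or plain URL schemes to strip before validation.
SCHEME_RE = re.compile(r"^(?:hxxps?|https?)(?:\[://\]|\[:\]//|://)")


def refang(indicator):
    """Turn a defanged indicator back into a plain, lower-case hostname."""
    s = SCHEME_RE.sub("", indicator.strip().lower())
    for broken_dot in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(broken_dot, ".")
    return s.split("/", 1)[0]  # drop any path component


def attribute(domain):
    """Return the BRAND_KEYWORDS key found in the registrable label, or None."""
    label = domain.rsplit(".", 1)[0]
    for keyword in BRAND_KEYWORDS:
        if keyword in label:
            return keyword
    return None


def build_blocklist(defanged_text):
    """Parse, validate and de-duplicate the list; returns {domain: brand_key}."""
    blocklist = {}
    for line in defanged_text.splitlines():
        if not line.strip():
            continue
        domain = refang(line)
        if DOMAIN_RE.match(domain):
            blocklist[domain] = attribute(domain)
    return dict(sorted(blocklist.items()))


def to_hosts_format(blocklist):
    """Render sinkhole entries for a hosts file or a DNS RPZ-style block."""
    return [f"0.0.0.0 {domain}" for domain in blocklist]


if __name__ == "__main__":
    result = build_blocklist(DEFANGED)
    for domain, brand in result.items():
        target = BRAND_KEYWORDS.get(brand, "no brand match")
        print(f"{domain:28} imitates: {target}")
    print("\n".join(to_hosts_format(result)))
```

The brand tag is a convenience for prioritising alerts (for example, a lookalike of the organisation whose vendors were targeted), not an attribution of intent; domains with no keyword match, such as the generic "oil and gas" names, still go on the blocklist.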

Impact & Mitigation

Impact
  • These phishing projects can be utilized by other threat actors to target specific users and steal their:
    • Passwords
    • Documents
    • Crypto wallets
    • Other sensitive information
Mitigation
  • Avoid downloading suspicious documents from unknown sources.
  • Avoid clicking on suspicious links.
  • Enable the visibility of file extensions, and be wary of downloading files with unknown file extensions.
  • Ensure the usage of MFA (Multi-Factor Authentication).
  • Use up-to-date antivirus and anomaly detection tools.

Appendix

Figure: Phishing website hxxp[://]siemenoilandgas[.]com targeting job seekers

Figure: Phishing domain hxxp[://]adnoc-vendor[.]com targeting businesses with BEC scams
