Category: Adversary Intelligence	Industry: Multiple	Motivation: Financial	Region: Middle East	Source*: A1

Executive Summary

THREAT	IMPACT	MITIGATION
An ongoing phishing campaign is targeting various government as well as corporate entities in the Finance, Travel, Hospital, Legal, Oil and Gas, and Consultation industries.	Large-scale phishing campaigns may result in significant loss of customer data as well as inflict reputational and monetary damage on their victims.	Avoid downloading suspicious documents and clicking on suspicious links. Enable the visibility of file extensions, use MFA (Multi-Factor Authentication) and an updated antivirus.

  CloudSEK's contextual AI digital risk monitoring platform XVigil identified a suspicious domain that was sending phishing emails to the vendors of a real estate entity. A deep-dive analysis of the domain exposed a full-fledged campaign, where the threat actors were impersonating the Ministry of Human Resources of the UAE government. The actors created a fake website www.mohregov-ae[.]com that resembles the legitimate domain www[.]mohre[.]gov[.]ae, to defraud users. [caption id="attachment_19860" align="aligncenter" width="1189"] Phishing website targeting Ministry of Human Resources, UAE[/caption]  

Analysis and Attribution

The Phishing Campaign

• CloudSEK’s investigation indicates that this is a large-scale phishing campaign targeted at individual job seekers and businesses, exposing them to 419 and BEC scams.
• Upon observing the pattern of the email address used to register the domains, domain name, and hosting infrastructure, it can be inferred that a single threat actor or a threat actor group owns all these phishing domains and websites.

Information from the Malicious Domain

• The WHOIS registration information for the domain mohregov-ae[.]com is linked to the following registrant information:

WHOIS Details
Name Company Address City State Postal Code Country Email Phone	Mike James (44 Domains) NA Building a – Office 1309 -Zayed the First St Abu Dhabi Abu Dhabi 00000 United Arab Emirates hr.kashifgroup@gmail[.]com +971.556822973 (43 Domains)

[caption id="attachment_19861" align="aligncenter" width="320"] WHOIS registrant information for mohregov-ae[.]com[/caption] 

• Upon further investigation of the email address hr.kashifgroup@gmail[.]com, our researchers discovered 43 domains that shared the same registrant information.
• These domains were primarily being utilized for the following malicious activities:
  • To target immigrant workers looking for jobs in the Middle-East region
  • To target businesses under the theme of Business Email Compromise (BEC) scams
• While domains that are presumably used to target job seekers, imparts a credible impression to first-time visitors, the domains potentially targeting businesses with BEC scams do not have a website and are most likely primarily used only to send emails.

Information from OSINT

• During the course of our investigation into the fake domain, CloudSEK researchers discovered various other domains on the Open Source Internet (OSINT) that were reported on websites (such as stop419scams.com) as scams, targeting job seekers.

[caption id="attachment_19862" align="aligncenter" width="884"] Post on stop419scams.com for scam website- alhasiminternationalschools[.]com[/caption] 

• A WHOIS search revealed that the email ID [email protected] was used to register the domain jboilandgas[.]com.

WHOIS Details
Name Company Address City State Postal Code Country Email Phone	Albert Lot (31 domains) NA (738,035 domains) Hazza' Bin Zayed the First Street Abu Dhabi Abu Dhabi 00000 United Arab Emirates (863,887 domains from United Arab Emirates for $250) [email protected] (31 domains) +971.559286098

• Investigating the above email address our researchers discovered 31 phishing domains leveraging similar tactics to target job seekers and businesses, deceiving them using 419 and BEC scams.

[caption id="attachment_19863" align="aligncenter" width="1440"] Phishing website- tenderadnoc[.]com redirecting users to legitimate website- taqa[.]com to avoid suspicion[/caption] 

• A WHOIS search revealed that the email id hr[.]hikmatgroup@gmail[.]com was used to register the domain firstcoastoffshoreservices[.]com.

WHOIS Details
Name Company Address City State Postal Code Country Email Phone	hikmat Joe (46 domains) NA (738,035 domains King Khalid Bin Abdulaziz Saeed St Abu Dhabi Abu Dhabi 00000 United Arab Emirates (863,887 domains from United Arab Emirates for $250) [email protected] (46 domains) +971.521515382

• On further investigation of the above email address, our researcher discovered 46 phishing domains targeting similar entities.

List of all the Domains Discovered

Domains Discovered
Domains discovered upon investigating email address hr.kashifgroup@gmail[.]com.	bid-taqa[.]com adbntogo[.]com mohregov-ae[.]com atenaeps[.]com dubaiferryae[.]com adnoc-vendor[.]com easternbaytravels[.]com siemenoilandgas[.]com fenczyflyemiratetravels[.]com nipmse[.]com builds-emaar[.]com stabluk[.]com specgulfae[.]com enocbids[.]com globalhospae[.]com rambolloil[.]com zbavitae[.]com emsclikoil[.]com emarataljabrisolicitors[.]com diligencefinconsultants[.]com gulfcoastoilngas-ae[.]com Emspgenerahospae[.]com	duramtravelagency[.]com dahilalcapitalinvest[.]com llhhospitals[.]com aiischools[.]com rakpetrolae[.]com alhmodzinoilfildservices[.]com hamraoilgroup[.]com safetravel-services[.]com enacopetroleum[.]com gulfins-ae[.]com abbrossgeneralhospital[.]com alfujairah-ae[.]com salacomimmigration[.]com hpschooluae[.]com zirvaenergy[.]com eaglestravels-ae[.]com stalinschoolintlacademy[.]com nowmcopetroleum[.]com flywaytravelandtourism[.]com alzarafatravellsae[.]com snocuae[.]com
Other domains on the Open Source Internet (OSINT) that were reported as scams, targeting job seekers.	hamzaroyaltravelandtours[.]com alhasiminternationalschools[.]com jboilandgas[.]com	firstcoastoffshoreservices[.]com nowmcospetroleum[.]com globalhospae[.]com
Domains discovered upon investigating email address [email protected].	contract-adnoc[.]com world-airmaxitconsult[.]com dubaiislbnk[.]com bids-taqa[.]com jboilandgas[.]com safeairtravels[.]com aero-gulfaviationservices[.]com rakoffshore-ae[.]com toursolution4[.]com enoc-contractor[.]com thumbayuniversityhospitae[.]com akimandersonlaw[.]com abh-center[.]com tenderadnoc[.]com siemensoilandgasae[.]com	kanadhospitalls[.]com alifaritravels[.]com enocbid[.]com southwestgroupcorp[.]com mechartesintl[.]com mohe-ae[.]com emiringenoilgc[.]com rakspetroleum[.]com alburjspecialisthospital[.]com wienxyemiratetravels[.]com alnahyangenhospital[.]com hashabitravelagency-uae[.]com edwardmorrisgreen[.]com moorewellgroup[.]com ssmcabudhabia-e[.]com lodgersoilandgas[.]com
Domains discovered upon investigating email address [email protected].	nationhospitalae[.]com ark-xchange[.]com moha-pae[.]com xpsmiddleeastoil[.]com productpalacetrading[.]com uenergyae[.]com airconecttexpresdl[.]com firstcoastoffshoreservices[.]com alhasiminternationalschools[.]com hamzaroyaltravelandtours[.]com nare-exp[.]com aibh-center[.]com k-e-c-b[.]com mfrmmsnonwoven[.]com nationalinvestmentcorporation-ae[.]com thunbayuniversityhospital[.]com terramoollars[.]com tendersadnoc[.]com firstlawltd[.]com gulfrussoffshore[.]com transwayimmigrationservices[.]com	contract-enoc[.]com tends-enoc[.]com eldinoilngasgroup[.]com starlingbluk[.]com onalsoilfielduae[.]com gulfspecialtyhospitaluae[.]com astraszeneca[.]com dhlexpressuae[.]com molregove-ae[.]com rakpetroluem[.]com fastgulftravels[.]com enoc-ae[.]com ummluluoilgasae[.]com spikeinvest-ug[.]com abudhabimedicalcentre[.]com bunapufic[.]com mohres-uae[.]com rexelenergyuae[.]com arabtechoilfieldeng-ae[.]com ocamoilandgasservices[.]com rikairtravelandtour[.]com luxdubaihotel[.]com alhayathospitalae[.]com Skylickmigrantagency[.]com unitedschofbaniyas[.]com

Impact & Mitigation

Impact	Mitigation
These phishing projects can be utilized by other threat actors to target specific users and steal their: Passwords Documents Crypto wallets Other sensitive information	Avoid downloading suspicious documents from unknown sources. Avoid clicking on suspicious links. Enable the visibility of file extensions, and be wary of downloading files with unknown file extensions. Ensure the usage of MFA (Multi-Factor Authentication). Use up-to-date antivirus and anomaly detection tools.

References

• *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
• ^#https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Appendix

[caption id="attachment_19864" align="aligncenter" width="1440"] Phishing website hxxp[://]siemenoilandgas[.]com targeting job seekers[/caption]  [caption id="attachment_19865" align="aligncenter" width="1440"] Phishing domain hxxp[://]adnoc-vendor[.]com targeting businesses with BEC scams[/caption]