Category: Adversary Intelligence	Industry: Government	Region: Middle East	Source*: A1

Executive Summary

THREAT	IMPACT	MITIGATION
Multiple phishing domains impersonating Absher, the Saudi government service portal. Domains provide fake services to the citizens and steal their credentials.	Citizens' PII and banking credentials compromised. Domain login credentials compromised. Obtained OTP possibly used for MFA bypass	Identify and report domains impersonating an organization. Avoid clicking on suspicious links. Detect and block phishing domains.

Analysis and Attribution

• CloudSEK’s contextual AI digital risk platform XVigil identified a phishing website a-absher-sd[.]com imitating the legitimate domain of the Saudi Government Portal, Absher.
• Absher is an application and web portal developed by the Saudi Ministry of Interior and used by citizens and residents of Saudi Arabia to access various government services such as applying for jobs and Hajj permits, updating passport information, reporting electronic crimes, etc.

[caption id="attachment_21204" align="alignnone" width="1352"] Phishing domain a-absher-sd[.]com[/caption] 

Modus Operandi

• The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal.
• The phishing website presents users with a fake login portal, compromising the login credentials.
• After the “login”, a popup appears prompting a 4-digit OTP sent to the registered mobile number, possibly being used to bypass multifactor authentication on the legitimate Absher Portal.
• Any 4-digit number is accepted as an OTP without verification and the victim successfully logs in to the fake portal.
• The user is then asked to fill in a “registration” form, divulging sensitive PII.
• Once the registration is completed, the user is redirected to a new page where they are prompted to choose a bank and are directed to a fake bank login portal.
• After submitting the internet banking login details a loading icon pops up and the page gets stuck, while the user banking credentials have already been compromised. (For more information refer to the Appendix section)

Information from OSINT

• Government services in the Saudi region have been a prime target for cybercriminals to compromise user credentials and use them to conduct further cyberattacks.
• Multiple phishing domains have been registered to gain the PII of individuals in Saudi Arabia.
• A deep-dive analysis of the fake domain (a-absher-sd[.]com) exposed a full-fledged campaign, where the threat actors were impersonating the Saudi Ministry of Interior.
• Multiple phishing domains were found to be operating on the same server with IP address 167.235.248.127.
• During the period of this analysis, the websites were observed to go inactive after being active for a few days.
• The table below contains the full list of fake domains uncovered as a part of the investigation.

Fake Domain	Date of Creation
pnu-sd[.]com	25 July 2022
ad-sds-tra[.]com	21 September 2022
sd-tra-s[.]com	19 September 2022
saudi-sds[.]com	18 September 2022
ab-absher[.]com	22 May 2022
a-absher-sds-sd[.]com	19 September 2022
drivin-sds[.]com	13 September 2022
a-absher-sd[.]com	31 August 2022
s-sds-absher-sd[.]com	10 September 2022
sd-sds-absher-sa[.]com	09 September 2022
sds-sd-absher-sa[.]com	08 September 2022
asd-absher[.]com	07 September 2022
drivings-ds[.]com	06 September 2022
drivings-sds[.]com	05 September 2022
school-ads-sa[.]com	01 September 2022
sds-registers[.]com	21 August 2022
sds-tra-s[.]com	17 August 2022
sds-absher-s[.]com	17 August 2022
sd-tra-a[.]com	16 August 2022
sd-absher-a[.]com	16 August 2022

Impact and Mitigation

Impact	Mitigation
Compromised banking credentials and PII information could lead to targeted scams against the victims, financial loss, etc. Compromised domain login credentials can lead to account takeovers. Obtained OTP possibly used to bypass multifactor authentication.	Government organizations should monitor phishing campaigns targeting citizens. Awareness campaigns should be conducted to inform and educate citizens. Avoid clicking on suspicious links.

References

• ^#Traffic Light Protocol - Wikipedia

Appendix

[caption id="attachment_21205" align="alignnone" width="705"] Snippet of an article by urdunews.com warning people about the phishing SMS[/caption]   [caption id="attachment_21207" align="alignnone" width="1365"] Fake Absher portal login page[/caption] [caption id="attachment_21208" align="alignnone" width="1365"] Victims required to divulge PII details[/caption]   [caption id="attachment_21209" align="alignnone" width="1365"] Victim prompted to select a bank account[/caption]   [caption id="attachment_21210" align="alignnone" width="1365"] Fake bank portal login page[/caption]