| Category | Industry | Region | Source* |
|---|---|---|---|
| Adversary Intelligence | Government | Middle East | A1 |
- CloudSEK’s contextual AI digital risk platform XVigil identified a phishing website a-absher-sd[.]com imitating the legitimate domain of the Saudi Government Portal, Absher.
- Absher is an application and web portal developed by the Saudi Ministry of Interior and used by citizens and residents of Saudi Arabia to access various government services such as applying for jobs and Hajj permits, updating passport information, reporting electronic crimes, etc.
- The threat actors are targeting individuals by sending an SMS, along with a link, urging people to update their information on the Absher Portal.
- The phishing website presents users with a fake login portal, compromising the login credentials.
- After the “login”, a popup appears prompting the user for the 4-digit OTP sent to their registered mobile number, which is possibly being relayed to bypass multifactor authentication on the legitimate Absher Portal.
- Any 4-digit number is accepted as an OTP without verification and the victim successfully logs in to the fake portal.
- The user is then asked to fill in a “registration” form, divulging sensitive PII.
- Once the registration is completed, the user is redirected to a new page where they are prompted to choose a bank and are directed to a fake bank login portal.
- After the internet banking login details are submitted, a loading icon appears and the page hangs, while the user's banking credentials have already been captured. (For more information refer to the Appendix section.)
- Government services in the Saudi region have been a prime target for cybercriminals to compromise user credentials and use them to conduct further cyberattacks.
- Multiple phishing domains have been registered to harvest the PII of individuals in Saudi Arabia.
- A deep-dive analysis of the fake domain (a-absher-sd[.]com) exposed a full-fledged campaign, where the threat actors were impersonating the Saudi Ministry of Interior.
- Multiple phishing domains were found to be operating on the same server with IP address 22.214.171.124.
- During the period of this analysis, the websites were observed to go inactive after being active for a few days.
- The table below contains the full list of fake domains uncovered as a part of the investigation.
| Fake Domain | Date of Creation |
|---|---|
| pnu-sd[.]com | 25 July 2022 |
| ad-sds-tra[.]com | 21 September 2022 |
| sd-tra-s[.]com | 19 September 2022 |
| saudi-sds[.]com | 18 September 2022 |
| ab-absher[.]com | 22 May 2022 |
| a-absher-sds-sd[.]com | 19 September 2022 |
| drivin-sds[.]com | 13 September 2022 |
| a-absher-sd[.]com | 31 August 2022 |
| s-sds-absher-sd[.]com | 10 September 2022 |
| sd-sds-absher-sa[.]com | 09 September 2022 |
| sds-sd-absher-sa[.]com | 08 September 2022 |
| asd-absher[.]com | 07 September 2022 |
| drivings-ds[.]com | 06 September 2022 |
| drivings-sds[.]com | 05 September 2022 |
| school-ads-sa[.]com | 01 September 2022 |
| sds-registers[.]com | 21 August 2022 |
| sds-tra-s[.]com | 17 August 2022 |
| sds-absher-s[.]com | 17 August 2022 |
| sd-tra-a[.]com | 16 August 2022 |
| sd-absher-a[.]com | 16 August 2022 |
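Most of the domains in the table embed the brand name "absher" between short hyphenated filler tokens. The following Python snippet is an added example (not code from CloudSEK or the report) showing how a defender might triage a feed of newly registered or defanged domains for this pattern: it refangs `[.]` indicators, splits the registrable label on hyphens, and flags any token that equals or is within one edit of the brand. The allowlist entry `absher.sa` and the sample inputs are assumptions constructed for the example, not values taken from the report.

```python
"""Added example: flag brand-lookalike domains such as the Absher imitations listed above."""
import re

BRAND = "absher"
# Assumption: allowlist for the genuine portal's hostname (placeholder, not from the report).
ALLOWLIST = {"absher.sa"}

# Constructed input: defanged domains from the table above plus two benign controls.
SAMPLE_DOMAINS = [
    "a-absher-sd[.]com",
    "ab-absher[.]com",
    "sds-absher-s[.]com",
    "drivings-sds[.]com",
    "example[.]com",
    "absher.sa",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'a-absher-sd[.]com' back into a real hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")


def registrable_label(hostname: str) -> str:
    """Return the label directly left of the TLD (assumption: single-label TLD, no public-suffix list)."""
    parts = [p for p in hostname.split(".") if p]
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short labels, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain: str, brand: str = BRAND, max_distance: int = 1):
    """Return a short reason string if the domain imitates the brand, else None."""
    host = refang(domain)
    if host in ALLOWLIST:
        return None
    label = registrable_label(host)
    # Split on hyphens/underscores: 'a-absher-sd' -> ['a', 'absher', 'sd']
    tokens = [t for t in re.split(r"[-_]+", label) if t]
    for tok in tokens:
        if tok == brand:
            return f"token '{tok}' equals brand"
        if levenshtein(tok, brand) <= max_distance:
            return f"token '{tok}' is within edit distance {max_distance} of brand"
    # Brand glued to other text without a separator, e.g. 'myabsherlogin'
    if brand in label:
        return "brand embedded in label"
    return None


def triage(domains):
    """Map each raw indicator to (refanged hostname, lookalike reason or None)."""
    return {d: (refang(d), lookalike_reason(d)) for d in domains}


if __name__ == "__main__":
    for raw, (host, reason) in triage(SAMPLE_DOMAINS).items():
        print(f"{host:28} {'FLAG: ' + reason if reason else 'no brand match'}")
```

Name matching only catches the domains that carry the brand; the `drivin-sds`, `sd-tra-*` and `school-ads-sa` registrations in the table would pass this check, which is why the report pivots on shared hosting (the common server IP) to tie the rest of the campaign together.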