Massive phishing campaign uses 500+ domains to steal credentials


Level 61
Thread author
Top poster
Content Creator
Apr 24, 2016
Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet.

The resources used for this attack show the sheer size of the cybercriminal effort to collect login data to be used in various attacks.

Similar to Google, Naver provides a diverse set of services that range from web search to email, news, and the NAVER Knowledge iN online Q&A platform.

Massive infrastructure

Besides access to normal user accounts, Naver credentials can also open the door to enterprise environments, as a result of password reuse.

Security researchers at cyber intelligence company Prevailion earlier this year identified a massive phishing operation focused on collecting credentials of Naver users.

They started the investigation from one domain name - mailmangecorp[.]us - shared by Joe Słowik, which opened the door to a “vast network of targeted phishing infrastructure designed to harvest valid login credentials for Naver.”

“While investigating the hosting infrastructure being used to serve the Naver-themed phishing pages, PACT analysts identified overlaps with the WIZARD SPIDER [a.k.a. TrickBot] infrastructure,” Prevailion says in a report today.

The TrickBot operation is believed to have changed management recently, with its old partner, the Conti ransomware syndicate, moving to its helm.

The researchers linked 542 unique domains to the operation, 532 of them being used for Naver-themed phishing.