2017 was hailed by many as the year of the data breach. We saw vulnerabilities, exploits and high-profile attacks across almost every major industry. If you thought the ride was over, you’d be very much mistaken: eight days into 2018 and there’s no sign of the trend ending.
Attackers are launching phishing campaigns against a number of groups associated with this year’s Winter Olympics. As reported by PhishMe, 91% of all cyberattacks begin with a phishing email.
A report from McAfee points out that organisations linked to the South Korean (Pyeongchang) games were receiving emails with malware-laced attachments. The malware comes disguised as a Microsoft Word document with the file name ‘Organised by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics’: a seemingly innocent-sounding file name that, when downloaded, allows the malicious entity to execute commands on the victim’s machine and install additional malware.
The attacker was able to make the email appear as though it had been sent by the National Counter-Terrorism Center in South Korea: email@example.com. Utilising an official-sounding source for the email to originate from gives it an air of authority and increases the likelihood of it being opened.
McAfee believe this is just the beginning for the Winter Olympic attacks:
“With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes. In similar past cases, the victims were targeted for their passwords and financial information.”
They also outlined the following techniques utilised to make the email more tempting to open:
- Use of Korean language
- Asking users to open the content because the document is in protected mode
- Partial use of the original South Korean Ministry of Agriculture and Forestry domain in a registered fake domain for malicious intent.
- Spoofed email address from South Korea’s National Counter-Terrorism Council.
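One way a mail gateway or analyst script could flag the lures listed above (a From address claiming an official source whose Return-Path does not match, a fake domain that reuses part of a legitimate ministry’s domain, an Office attachment, and “protected mode” wording in the body). This is an added Python example, not code from McAfee or from the original post; the legitimate domains, the sample message and its filename are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Placeholder domains standing in for the impersonated organisations (constructed, not real).
LEGIT_DOMAINS = {"agriculture-ministry.example", "counter-terrorism.example"}

# Constructed message reproducing the lure pattern: official-looking From, mismatched
# Return-Path on a lookalike domain, a .doc attachment and a "protected mode" prompt.
SAMPLE_EML = """\
Return-Path: <bounce@agriculture-ministry.example-docs.net>
From: "National Counter-Terrorism Council" <alerts@counter-terrorism.example>
To: recipient@olympics-supplier.example
Subject: Organised by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain; charset=utf-8

Please open the attached document. It is in protected mode, so click Enable Content.
--B
Content-Type: application/msword; name="Olympics-Organisation.doc"
Content-Disposition: attachment; filename="Olympics-Organisation.doc"
Content-Transfer-Encoding: base64

AAAA
--B--
"""

def sender_domain(header_value: str) -> str:
    """Extract the lowercase domain from a From/Return-Path header value."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def lookalike(domain: str) -> str:
    """Return the legitimate domain whose first label is reused inside a different domain, else ''."""
    if domain in LEGIT_DOMAINS:
        return ""
    return next((legit for legit in LEGIT_DOMAINS if legit.split(".")[0] in domain), "")

def triage(raw: str) -> list:
    """Return a list of findings describing why the message looks like this campaign's lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = sender_domain(msg.get("From", ""))
    rp_dom = sender_domain(msg.get("Return-Path", ""))
    if from_dom in LEGIT_DOMAINS and rp_dom != from_dom:
        findings.append(f"spoofed-from: From claims {from_dom} but Return-Path is {rp_dom}")
    for dom in {from_dom, rp_dom}:
        if lookalike(dom):
            findings.append(f"lookalike-domain: {dom} reuses the label of {lookalike(dom)}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith((".doc", ".docx", ".docm")):
            findings.append(f"office-attachment: {name}")
        elif part.get_content_type() == "text/plain" and "protected mode" in part.get_content().lower():
            findings.append("lure-text: asks the user to open content that is in protected mode")
    return findings
```

Running `triage(SAMPLE_EML)` yields all four findings; a message whose From and Return-Path agree on a legitimate domain with no attachment yields none.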
It’s not uncommon for attackers to disguise their malicious intentions under the guise of an authoritative organisation. Hurricane Harvey in 2017 saw online assailants launch a phishing campaign pretending to be a charity collecting money for victims. You can read more about that and find out how to spot a phishing email in our blog post: Hurricane Harvey Used As Bait For Phishing Emails: How To Avoid Being A Victim.
The primary target of the email was firstname.lastname@example.org, with several organisations in South Korea on the BCC line. The majority of these organisations had some association with the Olympics, either in providing infrastructure or in a supporting role. The attackers appear to be casting a wide net with this campaign. The campaign targeting the Pyeongchang Olympics began on December 22, 2017, with the most recent activity appearing on December 28. The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant.