Connect with us

Cyber Security

Group-IB Uncovers Wide-Scale Phishing Campaign that Sees Scammers Mimic KSA Manpower Provider



Group-IB has today published its research into a wide-scale phishing scheme that sees scammers impersonate one of the leading manpower agencies in the Kingdom of Saudi Arabia (KSA). In total, analysts from the Group-IB Computer Emergency Response Team (CERT-GIBand Digital Risk Protection Team based at the company’s Threat Intelligence and Research Center in Dubai, UAE analyzed more than 1,000 rogue domains created to impersonate the manpower provider in question as part of a long-term scam campaign.

Group-IB analysts uncovered how one individual claimed to be offering more than 100 domain names that contained a logical connection to, or a variation of, the brand name in question. In line with Group-IB’s zero-tolerance policy towards cybercrime, Group-IB analysts notified the Saudi Computer Emergency Response Team (CERT-SA), a fellow OIC-CERT member, of their findings to assist their regional partners in taking any relevant action to combat this scheme.

Scam in Action
In 2021, more than $55 billion was stolen from victims as a result of scams, according to a Global State of Scam Report that Group-IB contributed to. The need to combat scammers is all the more pertinent given that recent Group-IB research found that scams accounted for 57% of all financially motivated cybercrime, and, according to the Global Anti Scam Alliance, the number of scams is growing more than 10% year on year. The same report also revealed that users in Saudi Arabia are targeted by the most phishing scams in the Middle East.

Domain spoofing, known as the faking of a website or email domain to make malicious sites or emails look credible, has long been a tactic of cybercriminals across the globe, and we are seeing new schemes appearing with alarming regularity. This past July, Group-IB uncovered more than 270 domain names that mimicked over a dozen postal and logistics brands across the Middle East in a separate scam campaign.

However, the postage scam scheme identified by Group-IB has been dwarfed in size by a new wide-scale domain and website spoofing campaign targeting users in Saudi Arabia. Over the past 16 months, Group-IB analysts analyzed more than 1,000 rogue domains linked to a single Saudi company – a leading manpower agency that offers businesses assistance in hiring employees for the construction and services sector, and individuals can also procure the services of domestic workers through the agency. The latter of these two groups is the target of this scam campaign.

The campaign, which was launched in April 2021, appeared to peak in March 2022, when more than 200 new domains spoofing the agency in question were registered with hosting providers. Group-IB analysts believe that the surge in new domains registered in early 2022 could be a sign that a growing number of internet users had fallen victim to this scheme. As seen in other examples around the world, scammers often double down on a certain tactic once it starts to generate money.

A breakdown of the scheme’s timeline can be found below:

In April 2022, when the phishing campaign surged, financial bodies in Saudi Arabia warned of a sharp increase in financial fraud in the country in the preceding year. Group-IB analysts assume that the subsequent reduction in the number of new domains registered per month imitating the manpower provider has followed in the wake of warnings to users by financial authorities in Saudi Arabia, government institutions, and the brand itself. However, the creation of 32 new spoof domains in September 2022 alone shows that scammers are still attempting to impersonate the company.

According to Group-IB’s findings, the driving factor for this scam scheme is an unholy alliance between scammers and spoof domain brokers. This alliance sees the brokers purchase the rights to dozens of domain names containing a typographical or phonetic variation of the attacked brand, and offer them for sale at a low price to scammers.

Imitation – the Sincerest Form of Flattery
The URLs and the design of the scam pages created as part of this campaign are intended to convincingly imitate the manpower provider in question and trick users into entering their credentials for banking services and online government portals. The scammers can harvest both login information and two-factor authentication (2FA) codes to gain access and complete fraudulent transactions.

The scam campaign, which rests on multiple layers of social engineering, starts with the scammers placing advertisements on social media sites such as Facebook and Twitter, and the Google search engine. Group-IB analysts discovered more than 40 individual advertisements for this scheme on Facebook alone. 

From there, the victims begin interacting with the scammers via SMS or WhatsApp communication, and a full breakdown of an average victim journey can be found below:

The phishing pages created by the scammers contain the official logo of the targeted brand as a means of building legitimacy in the eyes of the victims.

Figure 2: Phishing page containing the logo of the brand (blurred) to make it look legitimate.

Upon landing on the homepage of the phishing site, the victim is directed to click the large green button that has “apply” written on it. Once they do this, they are transferred to a second page where they are requested to enter their personal information.

Figure 3: Phishing page where users are asked to fill in their name, phone number, address and national ID number. After filling in the requested data, the user has to click on apply.

After entering their personal information and clicking “apply”, the victims are redirected to a page that asks them to select the nationality of the domestic worker they wish to hire.

Figure 4: After clicking apply, the victims are transferred to the next phishing page, where they are asked to choose the nationality of the domestic worker they want to request.

The next stage of the scam sees victims choose the type of domestic service they require (e.g., hourly, in-house).

Figure 5: Phishing site containing the range of domestic worker services the scammers purport to be offering to users.

Once they have completed these steps, the victim is transferred to a page on which they are asked to pay a small processing fee of 50 or 100 SAR (approximately $13 or $27). In fact, this transaction will not take place, as it is merely a ploy for the scammers to harvest credentials, but the victims are presented with the choice of making this fake transaction either via bank payment or a Saudi government portal.

Figure 6: Users are presented a choice, either via bank payment or card transaction, to pay what they believe to be a 50 or 100 SAR processing fee, although this transaction, which isn’t credited, is a ploy to steal users’ login details.

Irrespective of how the victim chooses to make the fake payment, they are sent either to a page emulating 11 regional banks or a website impersonating a Saudi government portal. The likelihood of the victim of being directed to the fake bank page or the fake portal page appeared to be random. In both cases, the victim’s login credentials and two-factor authentication (2FA) code are harvested by the scammers.




Figure 7: Phishing page on which the victim is prompted to make the fake processing payment via one of 11 leading regional banks.


Figure 8: After clicking on the image of the bank of their choice, the victim is asked to enter their login and password.


Figure 9: Phishing page mimicking a Saudi governmental portal asking for the two-factor authentication code, which the user receives once the scammers attempt to log in to the real governmental portal using the credentials harvested in the previous step.

Once the victim enters their data, the threat actors harvest the victim’s login credentials and 2FA code, which can be used to gain access to the victim’s bank or governmental portal account and begin making fraudulent transactions until the account is emptied.

Interestingly, the domain names identified by Group-IB in this scam campaign are registered with the same popular and affordable hosting providers as seen in many other phishing schemes. This underlines how fraudsters worldwide are utilizing similar tactics, such as launching domains with cheap, easy-to-register, and stable hosting providers, to target victims across the globe.

The primary goal of this research is to raise public awareness in the Middle East of the latest phishing attacks, and to call for internet users to remain vigilant as threat actors continue to convincingly, and with increased regularity, impersonate some of the region’s largest organizations. Scammers are becoming increasingly resourceful and collaborative, and spoof domain brokers are coming to the assistance of cyber criminals. We encourage companies and organizations to monitor for signs of brand abuse, and we also urge internet users to remain vigilant so that they do not become victims of scams such as this,” Mark Alpatskiy, CERT-GIB Senior Analyst, said.

In order to prevent further phishing attacks using spoof domains, companies and organizations should monitor for signs of brand abuse across the internet, including on social media which is often used by scammers to advertise their phishing pages. There are solutions that help firms and organizations secure their digital assets by continuously and automatically monitoring millions of online resources where the brand or intellectual property may be present.

Internet users are urged to show caution and always check the URL domain of the page they are accessing and verify it to see if it is the official website before entering any personal or payment details. Another recommendation is to maintain communication with online chat services or call centers of the official company or organization.

Cyber Security

FortiGuard Labs Contributes to INTERPOL Multinational Cybercrime Suppression Operation in Africa



Sharing threat intelligence and working with other threat intelligence organizations improves protections for customers and enhances the effectiveness of the entire cybersecurity industry.

Recently, FortiGuard Labs provided evidentiary support to INTERPOL and African Member countries as part of the Africa Cyber Surge Operation (ASCO) to help detect, investigate, and disrupt cybercrime through coordinated law enforcement activities, utilizing INTERPOL platforms, tools, and channels in close cooperation with AFRIPOL.

The ACSO is a multinational cybercrime suppression operation focused on identifying cybercriminals and compromised infrastructure in the African region. The INTERPOL Cybercrime Directorate and INTERPOL Support Program for the African Union (ISPA) collaborated with AFRIPOL and 27 INTERPOL member countries to leverage this intelligence and combat the growing threat of cybercrime across the continent.

The successful Cyber Surge operation and transfer of knowledge to multiple law enforcement agencies in the African region is the result of continued threat information sharing and trusted cooperation between INTERPOL, FortiGuard Labs, and other INTERPOL private partners.

FortiGuard Labs provided actionable threat intelligence over a six-month period, which consisted of botnet, command, and control (C2), and malware infrastructure research, including C2 and malware and botnet victims located within the African continent.

“The Africa Cyber Surge Operation, launched in July 2022, has brought together law enforcement officials from 27 countries, working together for almost four months on actionable intelligence provided by INTERPOL private partners,” Craig Jones, Director of the Cybercrime Directorate with INTERPOL comments. “This intelligence focused on opportunities to prevent, detect, investigate and disrupt cybercrime through coordinated LE activities utilizing INTERPOL platforms, tools, and channels. This operation focused both on cybercriminals and compromised network infrastructure in Africa, allowing member countries to identify more than 1,000 malicious IP addresses, dark web markets, and individual threat actors, enhancing cooperation between INTERPOL, AFRIPOL, and the member countries, and contributing to connecting policing for a safer world.”

“The Africa Cyber Surge Operation is a shining example of how shared threat intelligence on threat actors and joint operations across trusted partners can increase the cyber resilience of an entire region,” highlights Derek Manky, Chief Security Strategist & VP Global Threat Intelligence, FortiGuard Labs. “It also shows how valuable cybersecurity training and education is to help close the cyber skills gap and effectively disrupt cybercrime at scale. We will continue to work with our private and public sector partners such as INTERPOL around the world to help make our digital world a safer place.”

For more than a decade, FortiGuard Labs has helped inform and protect customers, partners, and governments around the world. As a leader in the threat intelligence community, its mission is to provide the best threat intelligence designed to protect customers from malicious activity and sophisticated cyberattacks. The team is composed of some of the most knowledgeable threat hunters, researchers, analysts, engineers, and data scientists in the industry, working in dedicated threat research labs all around the world.

Fortinet has been an active member of the Global Cybercrime Expert Group and trusted partner to INTERPOL dating back to 2015 and became an INTERPOL Gateway partner in 2018. This ongoing collaboration has resulted in greater threat intelligence standards and protocols across the industry as well as impactful global cybercriminal takedowns.

In addition to INTERPOL, FortiGuard Labs is committed to partnership and cooperation with global law enforcement, government organizations, and industry organizations. Some of the global partnerships include being a founding member and regular contributor of the World Economic Forum’s (WEF) Centre for Cybersecurity as part of its Partnership Against Cybercrime (PAC), serving as a long-standing member of the NATO Industry Cyber Partnership (NICP), contributing to the development of STIX/TAXII protocols with MITRE & OASIS​, being an official Research Partner with MITRE Engenuity’s Center for Threat-Informed Defense (Center), co-founding the Cyber Threat Alliance (CTA), working in partnership with the computer incident response organization FIRST, and more.

Continue Reading

Cyber Security

Lookout Threat Lab Discovers Predatory Loan Apps on Google Play and Apple App Store



Lookout, Inc. has announced the discovery of nearly 300 loan apps that exhibit predatory behavior such as exfiltrating excessive user data from mobile devices and harassing borrowers for repayment. These apps, which were found in Africa and Southeast Asia, as well as India, Colombia, and Mexico, purportedly offer quick, fully-digital loan approvals with reasonable loan terms. In reality, they exploit victims’ desire for quick cash in an attempt to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information on their devices such as contacts, phone history, and SMS messages — information that would not be required in a valid loan application process.

In addition to predatory requests for excessive permissions, many of the loan operators display scam-like actions. Victims have reported that their loans came with hidden fees, high-interest rates, and repayment terms that were much less favorable than what was posted on the app stores. Lookout Threat Lab also found evidence that the data exfiltrated from devices were sometimes used to pressure the customer for repayment – a common threat tactic to disclose a borrower’s debt or other personal information to their network of contacts.

In total, Lookout researchers uncovered 251 Android apps on the Google Play Store with more than 15 million collective downloads. The team also identified 35 apps on the Apple App Store that were in the top 100 finance apps in their regional stores. Lookout has been in contact with Google and Apple about these apps and, at the time of publishing, none of them are available for download.

“Mobile apps have made managing our lives a lot easier and are a convenient way to interact with businesses such as financial institutions. However, when entrusting any app with sensitive personal information, it is extremely important to stop and ask yourself if the information being requested makes sense and if the business behind the app is a trusted entity,” said Ruohan Xiong, senior security intelligence researcher, Lookout. “As these predatory loan apps have demonstrated, app permissions could easily be abused if users are not careful. While there are likely dozens of independent operators involved, all of these loan apps have a very similar business model – to trick victims into unfair loan terms and then extort payment.”

Continue Reading

Cyber Security

Dragos Participates in Global Security Forum in Riyadh



Dragos, Inc. announced that it participated in the Global Cybersecurity Forum, held in Riyadh recently. The two-day event attracted cybersecurity experts and leaders from all over the world. Ben Miller, who represented Dragos as its Vice President of Services, spoke on the concluding day of the forum, about the threat of supply chain and third-party attacks. In his session, titled, “Pervasive and Insecure,” he discussed supply chain risk in critical infrastructure, examining the complex reality of third-party and supply chain attacks and sharing perspectives on the unseen vulnerabilities and how to address them.

Miller highlighted the complex nature of supply chain attacks, which potentially contain widespread vulnerabilities in the OT and industrial control systems (ICS). He outlined Dragos’ specific focus on the Kingdom’s supply chain risk in critical infrastructure including refineries and water treatment plants, as “Energy and water are specific focuses of ours in the region as they are critical not just to the economy but also to every person who lives here,” he said.

Giving an outline of the Dragos plan to help organizations detect and respond to the threat challenges posed to critical infrastructure in Saudi Arabia, he said, “We need to focus on educating the workforce, building a new understanding of how OT is different from IT, and gaining visibility and insights into what is happening in our critical infrastructure.” OT cybersecurity is in many ways a new field, he said.

“We need to communicate the needs of OT security as right now the concern exists but the specific needs aren’t well understood by asset owners. They do understand that digital transformation is happening and they need to secure it. I would focus on this business case and speak to the need for OT-specific monitoring, defensible architectures, and OT-specific incident response plans,” the Dragos official said.

Miller said supply chain attacks in critical infrastructure are complex with many suppliers, vendors, integrators, and long lifecycles that measure in decades. Commenting on the need to build industrial cyber resilience to keep such threats in check, he said: “The first challenge in the OT space is gaining visibility into what assets one has. You can’t defend something if you don’t know it exists.”

When it comes to safeguarding cyberspace, he had a few words of advice for Saudi Arabia, “The Kingdom should realize the potential challenges as early as possible. Commending the country’s efforts in cybersecurity. Over the last few years, Saudi Arabia has focused heavily on cybersecurity by investing in key programs and events such as the Global Cybersecurity Forum. The Kingdom of Saudi Arabia has impressed many by taking one of the world’s leading positions in developing and maintaining a cyber ecosystem. Therefore, the Kingdom now has a vantage point to bridge global cyber divides and ensure that cybersecurity benefits all societies in the region.”

A global expert in industrial cybersecurity himself, Miller joined other renowned thought leaders in the field, including Dr. Albert Antwi-Boasiako, Directory-General of the Cyber Security Authority, Ghana; Mary O’Brien, General Manager, IBM Security; Lothar Renner from Cisco Security; and Dr. Victoria Coates, Former Senior Advisor to the US Secretary of Energy.

Continue Reading

Follow Us


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.