Phishing Attack Targets Saudi Arabia Government

At least a dozen Saudi Arabia government organisations have been targeted by a spear phishing campaign that attempts to steal confidential data, according to Malwarebytes.

The attack originates from an Arabic-language phishing email containing a Word document which, if opened, infects the user’s system before sending the same email and document to other contacts via their Outlook inbox.

The attack leverages social engineering to execute malicious code via a macro, before stealing information and uploading it to a remote server.

Phishing attack

“The payload is embedded in the macro as Base64 code. It uses the certutil program to decode the Base64 into a PE file which is then executed,” writes Malwarebytes.

The binary is coded in .NET and is not obfuscated. Obfuscation is a method commonly used to obscure an attack payload from inspection by network security systems. The main payload is accompanied by two helper dynamic-link library (DLL) modules; a DLL is a collection of small programmes used to help run larger programmes on a PC.

“We can see that stolen data is then POSTed to a server at webmail.ecra.gov.sa (Official Saudi Press Agency) although by the time we checked, the server was no longer responding.”
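As an added example (not from Malwarebytes or the original article), here is a defender-side triage script for the technique described above: it scans macro source text for Base64 runs that decode to a PE file and for certutil decode calls. It assumes the macro text has already been extracted from the document; the sample macro, file names and function names are constructed for illustration.

```python
import base64
import re
import struct

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # long Base64 run
VBA_JOIN = re.compile(r'"\s*&\s*(?:_\s*)?"')        # "AAA" & _ <newline> "BBB"
CERTUTIL = re.compile(r"certutil(?:\.exe)?\b[^\r\n]*[-/]decode", re.IGNORECASE)


def is_pe(blob: bytes) -> bool:
    """True if blob has a DOS header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_macro(source: str) -> dict:
    """Report embedded Base64 PE files and certutil decode calls in macro text."""
    joined = VBA_JOIN.sub("", source)  # glue split string literals back together
    pe_sizes = []
    for run in B64_RUN.findall(joined):
        run = run.rstrip("=")
        run += "=" * (-len(run) % 4)   # normalise padding before decoding
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:             # not valid Base64 after all
            continue
        if is_pe(blob):
            pe_sizes.append(len(blob))
    return {"embedded_pe_sizes": pe_sizes,
            "certutil_decode": bool(CERTUTIL.search(source))}


def sample_macro() -> str:
    """Constructed, inert sample: an 88-byte header-only PE stub in VBA literals."""
    stub = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)
    b64 = base64.b64encode(stub).decode()
    chunks = [b64[i:i + 40] for i in range(0, len(b64), 40)]
    body = '" & _\n        "'.join(chunks)
    return ("Sub AutoOpen()\n"
            f'    data = "{body}"\n'
            '    Shell "certutil -decode in.txt out.exe"\n'
            "End Sub\n")


if __name__ == "__main__":
    print(scan_macro(sample_macro()))
```

A hit on both fields together is a strong signal for quarantining the document; either one alone still merits review.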

Phishing scams have proved to be some of the most successful and lucrative types of attacks used by cyber criminals and were all the rage in 2016 as the likes of Snapchat and Seagate suffered data breaches as a result.

More recently, some of the world’s biggest organisations including Netflix and McDonald’s have continued to be targeted by phishing attacks, all designed to steal customer or business data.

And it seems that no business is safe. Just this week a group of hackers demanded Apple pay a $75,000 (£60,000) ransom after claiming to have stolen 300 million iCloud accounts, highlighting the dangers of today’s cyber threat landscape.

Sam Pudwell
