‘Bad Tidings’ phishing campaign mimics web portals belonging to the Saudi government

• The campaign which is active since November 2016 impersonated official government websites to sideline them from users.
• The false websites were shielded with phishing hostnames that employed multiple spoofing techniques.

A phishing campaign has been troubling the government of Saudi Arabia from the past two years. Nicknamed as ‘Bad Tidings’, false websites were created in the campaign to imitate government web portals as well as that of a financial institution.

The campaign is still reportedly active. According to security firm Anomali, around 95 unique phishing hostnames were identified in the campaign till date.

The big picture

• Bad Tidings targeted four government agencies namely the Ministry of Interior (Absher), Ministry of Foreign Affairs, Ministry of Labor and Social Development & the country’s official portal. In addition, the Saudi British Bank was also said to be impersonated.
• Phishing hostnames that are created in this campaign relied on three spoofing techniques -- Punycode spoofing, SubDomain spoofing, and Typosquatting.
• Attackers mostly registered fake domains that ended with .cc, .xyz, .club, .site and .services.
• Phishing sites from the campaign had two web pages, one mimicking the official website and the other contained a fake login section.
• When users try to log in, they are redirected to another phishing site. It is now likely that their credentials are stolen at this stage.

About the threat actors

Anomali conducted a detailed analysis of Bad Tidings and found that very little information could be found about the threat actors. “Upon initial review of Whois record information for the 46 unique domains used in the Bad Tidings Campaign, the threat actor or group provided minimal registrant information. Nonetheless, there were multiple references to Yemen, two Yemeni districts: Al Hada and Sanaa, and two distinct registrant organizations, mdr and WVW,” researchers stated in the blog.

The firm’s investigation also revealed three IP addresses used by the campaign, as well as unique SSL/TLS certificates purchased from Comodo.