A mobile-aware phishing campaign targeting non-governmental organizations around the world, including a variety of United Nations humanitarian organizations, such as UNICEF, has been detected. 

According to Lookout, law enforcement and the targeted organizations have been contacted, but as of the publication of the blog, the attack is still ongoing. The infrastructure connected to this attack has been live since March 2019, says the blog. Two domains have been hosting phishing content:

• session-services[.]com 
• service-ssl-check[.]com

"The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past," notes the blog. 

In addition, Lookout has identified several techniques employed in this campaign, such as its ability to detect mobile devices and to log keystrokes directly as they are entered in the password field. "Specifically, Javascript code logic on the phishing pages detects if the page is being loaded on a mobile device and delivers mobile-specific content in that case. Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to discover the deception," says the blog. 

Lookout has also "collected evidence of key logging functionality embedded in the password field of the phishing login pages, such that, if a target doesn’t complete the login activity by pressing the login button or if they enter another, unintended password, this information is still sent back to the command and control infrastructure operated by the malicious actor," notes the blog. 

For more information, visit the Lookout blog.