Hackers disguise phishing attempts as UAE bank emails

Operation Ghoul campaign used emails pretending to be from major UAE bank, says Kaspersky Lab

Tags: Cyber crimeKaspersky LabOil & GasUnited Arab Emirates
  • E-Mail
Hackers disguise phishing attempts as UAE bank emails The Operation Ghoul campaign is believed to be the work of professional cyber criminals looking for financially-valuable data, according to Kaspersky Lab.
By  Mark Sutton Published  August 17, 2016

A hacking campaign which targets energy and industrial sectors, using an attack disguised as an email from a major UAE bank, has been uncovered by Kaspersky Lab.

‘Operation Ghoul' has been detected launching spearphishing attacks against over 130 organisations, mainly operating in industry and energy, in the UAE, Saudi Arabia, Egypt and other countries around the world.

The campaign, which appears to have been initiated in June this year, is the work of an organised, financially-motivated hacking group, which is behind other cybercrime campaigns, the security company said.

"In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual. This is quite a precise description of the group behind Operation Ghoul," said Mohammad Amin Hasbini, security expert at Kaspersky Lab.

"Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victim's banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks, will sadly suffer."

The Operation Ghoul campaign used an initial phishing email, disguised as a payment advice mail from a UAE bank, to infect targets with elements of HawkEye, a commercially-available spyware package.

Once infected, the malware then attempted to steal data from user's PCs from sources such as keystroke logging, browsing, FTP server credentials, messaging and email clients, and report it back to a command and control server.

Organisations in 30 countries, including Spain, Pakistan, United Arab Emirates, India, Egypt, United Kingdom, Germany, Saudi Arabia and others have been attacked, in sectors including shipping, pharmaceutical, manufacturing, trading companies, educational organizations and other types of entities.

By analysing data from the initial wave of attacks, which began in June 2016, Kaspersky Lab believes that Operation Ghoul is the work of a hacking group which has been tracked by security experts since March 2015, and which has carried out several other attacks.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code