Hackers disguise phishing attempts as UAE bank emails

Operation Ghoul campaign used emails pretending to be from major UAE bank, says Kaspersky Lab

The Operation Ghoul campaign is believed to be the work of professional cyber criminals looking for financially-valuable data, according to Kaspersky Lab.

A hacking campaign which targets energy and industrial sectors, using an attack disguised as an email from a major UAE bank, has been uncovered by Kaspersky Lab.

'Operation Ghoul' has been detected launching spearphishing attacks against over 130 organisations, mainly operating in industry and energy, in the UAE, Saudi Arabia, Egypt and other countries around the world.

The campaign, which appears to have been initiated in June this year, is the work of an organised, financially-motivated hacking group, which is behind other cybercrime campaigns, the security company said.

"In ancient folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual. This is quite a precise description of the group behind Operation Ghoul," said Mohammad Amin Hasbini, security expert at Kaspersky Lab.

"Their main motivation is financial gain resulting either from sales of stolen intellectual property and business intelligence, or from attacks on their victims' banking accounts. Unlike state-sponsored actors, which choose targets carefully, this group and similar groups might attack any company. Even though they use rather simple malicious tools, they are very effective in their attacks. Thus companies that are not prepared to spot the attacks will sadly suffer."

The Operation Ghoul campaign used an initial phishing email, disguised as a payment advice mail from a UAE bank, to infect targets with elements of HawkEye, a commercially-available spyware package.

Once a PC was infected, the malware attempted to steal data from it through sources such as keystroke logging, browsing, FTP server credentials, messaging and email clients, and to report that data back to a command and control server.

Organisations in 30 countries, including Spain, Pakistan, United Arab Emirates, India, Egypt, United Kingdom, Germany, Saudi Arabia and others have been attacked, in sectors including shipping, pharmaceutical, manufacturing, trading companies, educational organizations and other types of entities.

By analysing data from the initial wave of attacks, which began in June 2016, Kaspersky Lab believes that Operation Ghoul is the work of a hacking group which has been tracked by security experts since March 2015, and which has carried out several other attacks.
