Ukrainian military personnel targeted with phishing attacks

CERT-UA, the national Computer Emergency Response Team for Ukraine, has issued a warning of a major phishing campaign launched against military personnel.

In a Facebook post, CERT-UA advised that it had seen an attack launched against the personal email accounts of military staff and related individuals.

According to the warning, the phishing campaigns have targeted free email accounts hosted at the i.ua and meta.ua internet portals, both popular in Ukraine.

The emails claim that the recipient needs to confirm their details in order to confirm that they are not a spambot, or their mailbox will be closed within two days.

In the following example, the email claims to come from i.ua:

[embed phishing-email.jpeg]

Here is an example of the malicious email which has been translated into English:

“Dear user! Your contact information or not you are a spam bot. Please, click the link below and verify your contact information. Otherwise, your account will be irretrievably deleted. Thank you for your understanding. Regards, I.UA Team”

As CERT-UA warns, if users are tricked into clicking on the link, and entering their login credentials, attackers can later exploit the credentials to spy on email communications and harvest the victims' address books:

"After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim’s address book to send the phishing emails."

There is a real risk that during the current crisis many Ukrainians will be more anxious than ever of losing any method of communication, and that a phishing email which threatens their email account is about to shut down could be extremely effective.

One way in which users can better protect themselves against phishing attacks like this is to use a password manager.  Most good password managers only offer to enter your password for, say, your email account if it recognises that you are on the real website where your email account is hosted.

In other words, a good password manager will not prompt to enter your password if you are on a phishing webpage instead - and that should raise a red flag that you are in danger of being phished if you proceed.

CERT-UA has pointed the finger of blame for the attacks at the hacking group UNC1151, which is based in Minsk and whose members are said to be officers of the Ministry of Defence in Belarus.