Cybersecurity agency Group-IB and UNICC carried out a joint operation in which they took down 134 websites run by the hacking group “DarkPath.” According to the UN and Group-IB, these websites had been used to impersonate the WHO. The hackers built a network of 134 malicious domains that pretended to be the WHO on ‘Health Awareness Day,’ asking people to fill out a fake survey with the promise of rewards in return. The hackers promised users €200 for completing the survey and sharing it with their WhatsApp contacts.
But the rewards were never sent, and the scam grew into a massive spam campaign that drove new traffic to the malicious websites. After informing the UN’s International Computing Centre, Group-IB worked with a range of service suppliers, network regulators, hosting providers, and domain registrars to quash the 134-website scam campaign. After the websites were blocked, the hackers avoided using the WHO brand in their network campaign. But DarkPath is still active despite the takedown of the WHO-themed sites. According to Group-IB’s findings, the campaign managed to land around 200,000 users on the fake sites every day.
The attack was multi-stage, which makes it harder for researchers to detect, and users saw personalized content that depended on their geolocation, language settings, and user agent. For instance, the reward currency for filling out the survey varied depending on the user’s location. DarkPath-controlled scam websites are still active and keep targeting millions of victims around the globe. These hackers promote their websites via paid ads, social media, and email blasts.
According to UNICC, during the infrastructure analysis, “Group-IB researchers examined the domains and other digital indicators and concluded that the whole network is likely to be maintained and controlled by a scammer collective codenamed DarkPath Scammers. Most of the domains with phishing and scam content are using CDNs (Content Delivery Networks) to hide IP addresses of the real servers. The scammers are using the same infrastructure configuration with its traits and misconfigurations across all their servers. Group-IB continues to monitor the scammers’ activity. Organizations should carry out seamless online monitoring to promptly detect any cases of illicit use of their brands.”