Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole
released on 2019-03-29 @ 12:59:00 PM
Trend Micro discovered a phishing campaign that has compromised at least four South Korean websites – including a business page ranked as one of the most visited sites in the country – by injecting fake login forms to steal user credentials. While we’ve previously seen cybercriminals inject malicious JavaScript code into websites to load browser exploits or financial information skimmers, using the watering hole technique for a phishing campaign is unusual. The campaign, which we labeled “Soula” (detected by Trend Micro as Trojan.HTML.PHISH.TIAOOHDW), collects information via a spoofed login screen of one of the country’s leading search engines that pops up over the original webpage. It sends the logged credentials to the attackers’ server without checking that the entered data is accurate, leading us to think that the cybercriminals are at a research and information-gathering stage.