Hackers infected Pakistani immigration website with Scanbox malware
15 March 2019
If you are planning to visit Pakistan soon, you may want to postpone your trip for a while, as the Pakistani government's website for immigration and passport services has been leaking the personal details of passport applicants to hackers.
Researchers at security firm Trustwave recently observed that hackers had breached tracking.dgip.gov.pk, a website owned by the Directorate General of Immigration & Passport of the Pakistani government, and injected a payload known as the Scanbox Framework into the domain.
Scanbox is a well-known malware payload used widely by cyber criminals to gather information about visitors to targeted websites and to scrape information filled by visitors on online forms. While it is not known when Scanbox was injected into the Pakistani government’s website for immigration and passport services, researchers are certain that hackers behind the payload have been harvesting detailed personal information of people who visited the domain in the recent past.
The researchers first observed Scanbox on the breached website on 2nd March and on that day alone, Scanbox managed to collect information on at least 70 unique site visitors, about a third of them with recorded credentials.
Scanbox used in multiple cyber attack campaigns
“Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. Its intense activity during the 2014-2015 years has been well-covered in a paper written by PwC. It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse.
“Scanbox was used in a variety of watering hole attacks, meaning the attacker infected a site with Scanbox in order to gather information about visitors to the site (gathering all the information you’d expect like IP, referrer, OS, User Agent, plugins, etc.) to, later on, tailor sophisticated targeted attacks for interesting visitors. With every appearance, it seems to have evolved in terms of the kinds of information it gathers,” Trustwave said.
According to the firm, the Pakistani government has neither responded to Trustwave's report of Scanbox on its website nor taken any action to remove the payload from the affected site. Until it does, people should avoid visiting the domain or entering any personal information on it, to prevent their personal data from falling into the hands of cyber criminals.
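A watering-hole injection of this kind shows up as a script tag the site owner did not put there. The following check, added here as an example and not code from Trustwave or the article, inventories every script on a page and flags external sources outside an allowlist of expected hosts and inline scripts whose hash is not in a known baseline. The sample page, the allowed host list and the injected loader's host (a placeholder under the reserved .example domain) are all constructed for this example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptInventory(HTMLParser):
    """Collect external script sources and sha256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # sha256 of each inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:         # HTMLParser hands script bodies through as data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._in_script = False


def find_unexpected_scripts(html, allowed_hosts, known_inline_hashes):
    """Return (kind, value) pairs for scripts that are not in the baseline."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src in inv.external:
        host = urlparse(src).hostname      # None for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(("external", src))
    findings += [("inline", h) for h in inv.inline if h not in known_inline_hashes]
    return findings


# Constructed sample: two legitimate scripts plus an injected loader (placeholder host).
SAMPLE_PAGE = """<html><head><script src="/static/app.js"></script>
<script>var page='tracking';</script>
<script src="https://injected-loader.example/sb.js"></script>
</head><body><form id="track"></form></body></html>"""
ALLOWED_HOSTS = {"tracking.dgip.gov.pk"}
KNOWN_INLINE = {hashlib.sha256(b"var page='tracking';").hexdigest()}
```

Run this against a saved copy of each public page on a schedule and alert on any finding; a legitimate change to the site should be reflected in the baseline before it goes live, so anything else is worth an incident ticket.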
Jay has been a technology reporter for almost a decade. When not writing about cybersecurity, he writes about mobile technology for the likes of Indian Express, TechRadar India and Android Headlines.