ESTsecurity: North Korea-linked hacking attack disguised as a National Diplomatic Academy Google form has emerged

2022. 10. 26.

Invitation to the National Diplomatic Academy's 2022 IFANS International Issues Conference used as a lure... Google account hijacking attack

Security company ESTsecurity (CEO Jung Jin-il) reported on the 26th that a hacking attack linked to North Korea, disguised as an invitation to the '2022 Institute of Foreign Affairs and National Security (IFANS) International Conference', had emerged, and urged special attention.

This attack used an actual event scheduled for November 2 at the Institute of Foreign Affairs and National Security as bait, and employed an interesting tactic: it lured experts in diplomacy, security, and defense into filling out a Google survey as if they were being invited.

The International Conference is an annual forum of the Institute of Foreign Affairs and National Security, where prominent domestic and international academics and experts in diplomacy, security, and defense gather for discussion and forecasting, contributing to the establishment of diplomatic strategies. The attacker was found to have used, in the attack, the invitation image attached to the '2022 IFANS International Conference' notice posted on the official website of the Ministry of Foreign Affairs on October 21st.

The invitation image is embedded in the phishing email, and when recipients click the image area they are taken to a phishing site. The site looks like a Google survey form, but the address it connects to is 'docxooqle.epizy[.]com'. A closer examination of the website reveals it to be a fake site disguised as Google.

The ESTsecurity Security Response Center (hereinafter referred to as ESRC) investigated this phishing tactic disguised as a Google survey and found that the attacker cleverly mimicked the real Google survey format for the attack.

Notably, the survey's input fields are designed to get the targeted victims to enter personal information such as name, affiliation, position, email, and contact information themselves, which is the first phase of information theft. When the survey is completed, the screen moves to the phishing address 'accounts.qocple.epizy[.]com' and shows a Google login screen, going on to steal the Gmail password.

This can lead to a chain of damage, including exposure of significant personal information and Google account passwords, so careful attention is needed, along with the security habit of meticulously checking whether a site you frequently access is at its official address.

The 'epizy[.]com' domain seen multiple times here belongs to a foreign free web hosting service called 'Infinity Free', which has commonly turned up in recent North Korea-related hacking incidents. This repeatedly emerging threat campaign is known as 'Fake Striker'.
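As an added illustration of the official-address check and the free-hosting observation above (not ESRC's or ESTsecurity's code), this Python sketch refangs a reported indicator, tests whether the host is a real subdomain of an allow-listed parent, and flags labels that imitate the brand. The allow-list, the free-hosting list, the look-alike character map, the distance threshold and the control hostnames are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumptions for this example (not from ESRC): a one-entry allow-list, a one-entry
# free-hosting list, and a small look-alike character map with a threshold of 1.
OFFICIAL_PARENTS = ("google.com",)
FREE_HOSTING_PARENTS = ("epizy.com",)      # parent domain named in the report
BRAND = "google"
LOOKALIKE = str.maketrans({"q": "g", "c": "o", "0": "o"})

def hostname_of(indicator: str) -> str:
    """Refang a defanged indicator and return its lowercase hostname."""
    text = indicator.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in text:
        text = "//" + text                 # make urlsplit treat a bare host as netloc
    return (urlsplit(text).hostname or "").lower().rstrip(".")

def is_under(host: str, parent: str) -> bool:
    """True only for the parent itself or a genuine subdomain of it."""
    return host == parent or host.endswith("." + parent)

def brand_distance(label: str) -> int:
    """Fewest differing characters between BRAND and any BRAND-length
    window of the label, after look-alike normalisation."""
    skeleton = label.translate(LOOKALIKE)
    n = len(BRAND)
    windows = [skeleton[i:i + n] for i in range(len(skeleton) - n + 1)]
    return min((sum(a != b for a, b in zip(w, BRAND)) for w in windows), default=n)

def assess(indicator: str) -> dict:
    """Classify one URL or hostname; the suffix check runs before any look-alike test."""
    host = hostname_of(indicator)
    official = any(is_under(host, p) for p in OFFICIAL_PARENTS)
    free_hosted = any(is_under(host, p) for p in FREE_HOSTING_PARENTS)
    mimics = [] if official else [l for l in host.split(".") if brand_distance(l) <= 1]
    if official:
        verdict = "official"
    elif mimics:
        verdict = "brand-lookalike"
    elif free_hosted:
        verdict = "free-hosting"
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict, "free_hosted": free_hosted, "mimics": mimics}

if __name__ == "__main__":
    # First two hostnames are from the report (the scheme is constructed);
    # the remaining entries are constructed controls.
    for sample in ("docxooqle.epizy[.]com", "hxxps://accounts.qocple.epizy[.]com/",
                   "https://accounts.google.com/", "accounts.google.com.epizy[.]com",
                   "example-site.epizy[.]com", "people.example.org"):
        print(assess(sample))
```

The fourth control shows why the check compares the end of the hostname rather than searching for the brand string: a host that merely contains `google.com` as leading labels is still not under the official parent.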

ESRC noted that the first-phase Google survey phishing, aimed at stealing personal information, was relatively easy to put together, and that the second phase showed a Google login screen in English rather than Korean, suggesting that the targeted individuals are likely familiar with English-language services.

Meanwhile, evidence suggests that the attack specifically targeted Google Gmail users, which underlines the importance of maintaining security settings such as OTP and two-factor authentication, and of creating and regularly changing complex passwords that include special characters and both uppercase and lowercase letters.

ESTsecurity director Mun Jong-hyun advised, "Though threats disguised as Google surveys have occurred in the past, it is rare to see a phishing attack carried out with such sophistication," and "the level of cyber security threats attributed to North Korea continues to be high in the second half of this year," urging thorough security awareness.

ESTsecurity is cooperating closely with related authorities, including the Korea Internet & Security Agency (KISA), on response measures to prevent similar damage from spreading.
