Phishing domains impersonating the Saudi government service portal Absher have popped up online, CloudSEK says. The phishing portals are designed to provide fake services to citizens and steal credentials. CloudSEK published an advisory concerning the threat last Thursday. The threat actors are sending phishing SMS messages containing a link to the illegitimate sites. The messages urge citizens to update their information on the Absher Portal. When users try to log in using the link contained in the SMS, their credentials are harvested by the threat actors.
The fake login process is complex, and a pop-up appears on the site prompting a four-digit one-time password delivered to the registered mobile number. This tactic was likely designed to emulate the multifactor authentication (MFA) process on the legitimate government portal. Once the process is complete, the user is asked to fill out a form that contains sensitive personally identifiable information. The users are also directed to a fake bank login portal that steals credentials. CloudSEK states that government services in the Saudi region have been a target for cybercriminals lately.