
Cyber Incident Victim: Ministry of Interior

Date:

Nov 2016

Location:

Saudi Arabia

Summary

A financially motivated phishing campaign targeted Saudi government agencies by impersonating the Ministry of Interior's Absher e-Service portal through fraudulent login pages. Attackers employed typosquatting, subdomain spoofing, and punycode techniques to create deceptive domains resembling legitimate services, stealing credentials when victims entered their information. The operation focused on harvesting personally identifiable data for resale on underground markets or facilitating identity theft and fraudulent activities. Researchers observed a significant increase in phishing hostnames primarily mimicking the Absher portal, which handles sensitive citizen services like employment and civil affairs. The campaign persistently exploited centralized government portals due to their concentration of valuable personal data.


Description

The "Bad Tidings" phishing campaign targeted Saudi Arabian government agencies and financial institutions beginning in November 2016, persisting for at least three years. Attackers impersonated the Ministry of Interior's Absher e-Service portal—a critical platform for employment, passport, civil affairs, and traffic services—through fraudulent emails directing victims to counterfeit login pages. These phishing operations specifically targeted credentials from four government entities: the Ministry of Interior, Saudi Government, Ministry of Foreign Affairs, and Ministry of Labor and Social Development, along with the Saudi British Bank. Researchers from Anomali and Saudi Telecom Company documented 95 unique phishing hostnames created for the campaign, with approximately 60% mimicking Absher's legitimate services. The phishing infrastructure employed typosquatting (using domains like abshr[.]xyz), subdomain spoofing, alternative top-level domains (such as absher[.]space instead of gov.sa), and punycode-based attacks to deceive users.


Victims entering credentials on these fraudulent pages were redirected to initial phishing sites without accessing actual services, enabling attackers to harvest login details. Researchers assessed the threat actor as financially motivated, intending to steal personally identifiable information for resale on underground markets or to facilitate identity theft and fraudulent activities. The campaign intensified in early 2019, with a notable spike in phishing site deployments preceding March 2019. No specific containment measures or victim responses were detailed, but researchers emphasized the persistent risk to government portals storing centralized citizen data. The operation demonstrated sustained focus on exploiting Saudi Arabia's digital administrative infrastructure, leveraging social engineering tactics that remained active through at least 2019.
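A defender-side triage of the four lookalike techniques named above (typosquatting, subdomain spoofing, alternative TLDs, punycode), as an added example that is not part of the original report or of the researchers' tooling. BRAND and LEGIT_SUFFIX follow the page; the confusable map and the sample hostnames are constructed for the example.

```python
BRAND = "absher"          # protected keyword (from the page)
LEGIT_SUFFIX = "gov.sa"   # legitimate suffix the page names; assumed here
# Constructed map: Cyrillic letters that render like Latin a e o c p x
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0441": "c", "\u0440": "p", "\u0445": "x"}


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_label(label):
    """Decode a punycode (xn--) label and fold confusables to plain Latin."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def classify(hostname):
    """Return the lookalike indicators found in hostname ([] for a legitimate host)."""
    host = hostname.lower().strip(".").replace("[.]", ".")  # accept defanged input
    if host == LEGIT_SUFFIX or host.endswith("." + LEGIT_SUFFIX):
        return []                                  # genuinely under the legitimate suffix
    raw = host.split(".")
    labels = [fold_label(l) for l in raw]
    sld = labels[-2] if len(labels) > 1 else labels[0]  # label left of the TLD
    findings = []
    if any(l.startswith("xn--") for l in raw):
        findings.append("punycode")
    if sld == BRAND:
        findings.append("alternative-tld")        # absher.space instead of gov.sa
    elif BRAND in sld or levenshtein(sld, BRAND) <= 2:
        findings.append("typosquat")              # abshr.xyz, absher-login.xyz
    if BRAND in labels[:-2]:
        findings.append("subdomain-spoof")        # brand used as a subdomain label
    return findings


if __name__ == "__main__":
    homograph = "\u0430bsher".encode("idna").decode("ascii") + ".xyz"  # constructed
    for h in ["abshr[.]xyz", "absher[.]space", "absher.gov.sa.login-portal.xyz",
              homograph, "portal.gov.sa"]:
        print(f"{h:36} {classify(h) or 'ok'}")
```

Running this over newly observed hostnames (certificate transparency feeds, passive DNS, mail gateway logs) turns the campaign's naming tricks into a short list of indicators per host; the edit-distance threshold and confusable map are the parts to tune for other brands.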
