
Cyber Incident Victim: American Red Cross

Date: Mar 2019

Location: United States of America

Summary

A phishing campaign targeted officials from humanitarian organizations including the Red Cross, aiming to compromise Okta and Microsoft credentials for intelligence gathering or follow-on attacks. The operation used mobile-friendly phishing sites that logged passwords in real time as they were typed, before the form was submitted, so credentials were captured even when the victim abandoned the login attempt. The sites evaded detection by remaining unlisted in Google Safe Browsing, so browsers raised no warnings during the campaign's prolonged activity. The attack infrastructure stayed active long enough that some of its SSL certificates expired before it was taken down. Attribution remains unclear, with candidates ranging from nation-state actors to cybercriminals, but the campaign highlights the threats such organizations face: compromised credentials could facilitate financial fraud or espionage against their members and whistleblowers.


Description

In March 2019, the cybersecurity firm Lookout discovered a phishing campaign targeting officials from humanitarian organizations including the Red Cross, United Nations, and UNICEF. The attackers built phishing sites that mimicked legitimate Okta and Microsoft login pages in order to steal account credentials. These sites remained active for an extended period; some ran long enough for their SSL certificates to expire, indicating sustained undetected operation. The supporting infrastructure persisted through at least October 2019, when Lookout published its findings. Notably, none of the identified malicious domains were flagged in Google's Safe Browsing database during this period, leaving users without the standard browser security warnings. The campaign employed mobile-optimized phishing pages that rendered properly on smartphones and tablets, broadening the pool of potential victims.


The attackers implemented real-time password logging that captured credentials as users typed them rather than only upon form submission, a method that yields usable data even when victims abandon the login attempt. Lookout's investigation concluded that the primary motive was credential compromise to enable subsequent attacks or intelligence gathering, though attribution remained unclear, with potential involvement ranging from nation-state actors to cybercriminal groups. A human rights advocate cited in the report noted that humanitarian organizations are targeted both by espionage-focused adversaries seeking operational intelligence on investigations or whistleblowers and by financially motivated actors such as BEC scammers who are indifferent to the organization's mission. The persistent infrastructure and the absence of Safe Browsing protections allowed these phishing operations to evade detection while remaining effective over several months.
