Microsoft sees 50 North Korean phishing sites taken offline

Microsoft has taken control of fifty sites reportedly linked to cyberattacks originating from North Korea.

The Windows maker has been successful in a court bid to take down fifty domains used for spear phishing attacks that would both steal personal data and upload malware to infect IT systems.

The attacks apparently came from a hacking group known as Thallium, which has been accused of being affiliated with the North Korean government. 

The court action, filed in Virginia last month, came after both the US Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) teams finalised a long-term investigation into Thallium and its activities, which targeted employees of governments and international agencies, as well as university staff, mostly based in the US, Japan and South Korea.

The spoof emails claimed that the user’s account was compromised, advising them to log in to change their account details - but clicking on a link that offered to do so would take the victim to a fake phishing site hosted on one of the malicious domains, which would look to steal personal login details.

The hackers were also able to set up a command to silently copy any new emails sent to the user, without their knowledge, even if the account password had been changed.

Microsoft says that the court decision has now allowed it to take control of the fifty domain names used in the attacks, which have all now been removed.