Security experts on the Netscout Threat Intelligence team found that the 'Lucky Elephant' campaign has been active since February 2019. The threat actors behind the campaign used lookalike webpages resembling those of real entities such as foreign governments, telecommunications, and military.
The attackers registered fake websites under various top-level domains in order to trick victims. Victims who visit these websites believe they are real and provide their login credentials.
The list of organizations mimicked by the hackers includes entities in Pakistan, Bangladesh, Sri Lanka, Maldives, Myanmar, and Nepal. According to the researchers, the threat actors are suspected to be from India. They discovered that one IP address used in the campaign belongs to an Indian APT group named 'DoNot Team'.
Apart from creating fake South Asian government websites, the threat actors also mimicked the Microsoft Outlook 365 login pages to lure more victims. It is believed that these fake websites are distributed via phishing emails. The actors behind Lucky Elephant use the fake webpages to entice users to enter their credentials. It is unclear how effective and widespread the campaign is at gathering credentials. It is also unknown how many users have been affected.