Have you ever clicked on something you thought was trustworthy, only to discover later that it wasn’t? That’s what the hacker group known as SideWinder is doing in the South Asia region. They are tricking people into sharing their login information for governmental offices, defense agencies, and high-profile organizations, never directly using a traditional hacking tool.
So, who is SideWinder?
SideWinder is a well-known hacker group that started small and continues to grow rapidly. In 2024, SideWinder only had a few fake websites; however, they are now approaching 100 fake sites targeting countries such as Pakistan, Nepal, Bangladesh, Sri Lanka, and Myanmar. Their simple mission is to get a username and password from fake login pages that look official.
How do they do this?
SideWinder is simply creating fake login pages that look like popular email services such as Outlook or Zimbra. They also spoof government and military websites so closely that the copies almost appear authentic. In Bangladesh, they replicate the look of the defense websites. In Nepal, they made fake pages carrying political news about the PM's trip to China or AI projects for Nepal.
Methods of Deception
• They utilize free site hosts, such as Netlify, Cloudflare Pages, and Back4App, to stage their spoofed websites.
• They keep records of the emails they targeted in Base64-encoded form (to obscure the details).
• They use customized JavaScript code to avoid detection of their phishing webpages.
• They host an open file directory containing fake software and malware downloads for the phishing campaign, typically themed around maritime (shipping or navy) activity.
• They host malware at some of the following sites: themegaprovider.ddns.net and gwadarport.ddns.net, again targeting Pakistan and Sri Lanka.
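As an added illustration (not code from the original write-up or from any reported kit) of two points above, the Base64-encoded target emails and the free hosting platforms, this Python helper triages a captured phishing URL: it flags whether the host sits on one of those platforms and recovers any Base64-encoded address so the targeted user can be warned. The hostname suffixes assumed for each platform are assumptions, not taken from the page.

```python
import base64
import re
from urllib.parse import unquote, urlparse

# Free hosting platforms the write-up says the campaign abuses.
# The served-hostname suffixes below are assumptions about each platform.
FREE_HOST_SUFFIXES = (".netlify.app", ".pages.dev", ".back4app.io")

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Candidate Base64 tokens (standard or URL-safe alphabet), padding optional.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")


def decode_base64_email(token: str):
    """Return the email address a Base64 token decodes to, or None if it is not one."""
    padded = token + "=" * (-len(token) % 4)  # restore padding kits often strip
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def triage_url(url: str) -> dict:
    """Flag free-hosting use and pull Base64-encoded target emails from path, query or fragment."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    haystack = unquote(" ".join([parts.path, parts.query, parts.fragment]))
    targets = []
    for token in B64_TOKEN_RE.findall(haystack):
        email = decode_base64_email(token)
        if email and email not in targets:
            targets.append(email)
    return {
        "host": host,
        "free_hosting": host.endswith(FREE_HOST_SUFFIXES),
        "targets": targets,
    }


if __name__ == "__main__":
    # Constructed sample URL: fake webmail page on a free host, target email in the fragment.
    print(triage_url("https://mail-login.netlify.app/owa/#Ym9iQGV4YW1wbGUuY29t"))
```

Feeding the decoded addresses back into the mail gateway's block list or a user-notification queue is the defender's follow-up step.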
Secure Yourself
• Don't click on unknown sites. Always verify the URL before entering your password.
• Use email filters that can help you distinguish phishing or scam emails.
• Join community-based organizations that help with cyber security and report suspicious activity.