Microsoft has acquired fifty domain names linked to a North Korean hacker group. The action was taken against the hacker group nicknamed Thallium.

The domain names, which were abused to facilitate phishing campaigns, resembled those of Microsoft. For example, there was the domain ‘rnicrosoft’, in which the ‘r’ and the ‘n’ together resembled the first ‘m’ in the font that was used. In the phishing mails sent, users were told that a login to their account had been attempted from elsewhere in the world and that they had to view their login details.
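The ‘rn’ for ‘m’ substitution described above can be checked for mechanically. The Python code below is an added example, not taken from the article or from Microsoft's blog post: it collapses a few look-alike character sequences (going beyond the single ‘rn’ case) and flags sender domains that imitate a protected brand. The substitution table, the brand list and the sample addresses are constructed assumptions.

```python
import re

# Constructed, non-exhaustive look-alike table (assumption, not from the article).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
# Brand labels to protect (assumption; adjust to your own organisation).
PROTECTED = {"microsoft", "office", "outlook"}

# Constructed sample sender addresses.
SAMPLE_SENDERS = [
    "security@rnicrosoft.example",
    "noreply@account.microsoft.com",
    "alerts@0utlook-security.example",
    "news@modern.example",
]


def skeleton(label):
    """Collapse look-alike sequences so visually similar labels compare equal."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def lookalike_of(domain):
    """Return the brand a domain label imitates, or None if there is none."""
    # Brands are skeletonised too, so a brand containing "rn" still matches itself.
    skeletons = {skeleton(brand): brand for brand in PROTECTED}
    for label in re.split(r"[.-]", domain.lower().rstrip(".")):
        brand = skeletons.get(skeleton(label))
        # Same skeleton but different spelling means an imitation.
        if brand and label != brand:
            return brand
    return None


def triage(senders):
    """Map each suspicious sender address to the brand its domain imitates."""
    hits = {}
    for sender in senders:
        brand = lookalike_of(sender.rsplit("@", 1)[-1])
        if brand:
            hits[sender] = brand
    return hits


if __name__ == "__main__":
    for sender, brand in triage(SAMPLE_SENDERS).items():
        print(f"{sender}: imitates {brand}")
```

A match is a reason to quarantine or review the message, not proof of phishing, and the table does not cover Unicode homoglyphs.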

Microsoft’s blog post also explains that the problem with Thallium lay not so much in the phishing itself, but rather in the ingenuity of what came next. Users who changed their passwords when they found out they had been hacked thought they were safe again.

However, they did not know that, in the short period of time in which the account could be viewed, Thallium had added itself as a mail-forwarding recipient. This way, even after the password was changed, the hackers could read all incoming mails. In some cases, Thallium allegedly also distributed the BabyShark and KimJongRAT malware on computers.

Not the first time

Action was taken earlier against Barium (China), Strontium (Russia) and Phosphorus (Iran). Domain names were also seized in those cases. Microsoft recommends that users activate additional security measures, such as two-factor authentication.