New Phishing Scheme Targets High-Value Individuals with Real-Time Email Validation

By Tina Reynolds

Cofense researchers recently documented a sophisticated credential phishing scheme that poses a serious threat to high-value targets. They have dubbed this emerging approach “precision-validating phishing,” because it ensures that stolen credentials map to legitimate, active online accounts, increasing both the success rate and the resale value of a campaign. The approach uses real-time email validation to serve its phishing page only to pre-selected victims, which makes it a far more dangerous variant of the ordinary credential phish.

The lure email carries a link to what appears to be a PDF report. The file is hosted on files.fm, a legitimate file-sharing service with a good reputation, which helps the link pass reputation-based URL filtering. The PDF is presented as self-destructing shortly after it is opened, a claim that adds urgency and pressures the recipient to act immediately. This tactic is a prime example of how threat actors adapt their tactics, techniques and procedures (TTPs) to improve the efficacy of their campaigns.

Real-Time Email Validation Enhances Attack Efficiency

Precision-validating phishing depends on live validation of the address the victim enters. Before the page shows a password prompt, it checks the submitted email address against the attacker's list of pre-harvested targets and serves the fake login page only when the address is on that list; anyone else never sees the credential form. The attackers therefore collect passwords only from accounts they already know to exist, which makes it far more likely that stolen credentials correspond to real, actively used accounts. This improves the quality of the harvested data and raises its value for resale or further exploitation.

Cofense notes that the lure then presents the user with a choice between two seemingly harmless options.

“Almost as if the threat actor intentionally designed the attack to trap the user, forcing them to choose which ‘poison’ they will fall for.” – Cofense

This selection step narrows the attack to addresses the attackers have already harvested and verified, which is what gives the campaign its precision.

Targeting High-Value Individuals

Precision-validating phishing goes a step further by aiming at individuals the attackers have identified as high-value targets. Concentrating on those targets maximises the chance of obtaining credentials that can be used directly. By design, both paths offered to the target end in the same place, credential theft, even though they get there by different means.

“Both options lead to the same outcome, with similar goals but different approaches to achieving them.” – Cofense

This dual approach gives attackers room to vary their tactics while concentrating their resources on the accounts with the most potential.

Challenges for Automated Security Systems

This level of sophistication poses challenges not just for users but for automated defenses. Traditional security crawlers and sandbox environments analyze a URL by visiting it, but without an address from the attacker's list they never pass the validation filter, so they see only benign content and never reach the credential-harvesting page. The gating reduces the attackers' exposure and extends the life of their phishing infrastructure. Analysts working from a user-reported email do have the one thing a crawler lacks, the original recipient's address, and can use it to reach the gated page during investigation.

“It increases the efficiency of the attack and the likelihood that stolen credentials belong to real, actively used accounts, improving the quality of harvested data for resale or further exploitation.” – Cofense
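The following is an added example, not code from the Cofense report or from any real phishing kit. It simulates the gating described in the “Real-Time Email Validation” section and shows why, as the “Challenges for Automated Security Systems” section explains, a sandbox visiting the page sees nothing malicious: a two-step landing page serves its password form only to addresses on a pre-harvested list, and a defender-side differential probe replays the page with the reported recipient's address beside the generic addresses a crawler would use. The sample addresses are constructed, and storing the target list as SHA-256 hashes, the decoy behaviour, and the final redirect are assumptions about kit design.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample target list (hypothetical addresses, not from the report).
HARVESTED_TARGETS = [
    "cfo@example-corp.test",
    "ceo@example-corp.test",
    "it-admin@example-corp.test",
]

# Addresses a generic crawler or sandbox might type into an email field.
SANDBOX_CONTROLS = ["test@example.com", "user@sandbox.test", "a@a.com"]


def fingerprint(email: str) -> str:
    """Normalise an address and hash it. Hashing the list (an assumption about
    kit design) lets it ship inside the page without exposing victims' addresses
    to anyone who reads the source."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class GatedLandingPage:
    """Simulated precision-validating landing page with a two-step login flow."""
    target_hashes: set
    harvested: list = field(default_factory=list)  # (email, password) captured

    @classmethod
    def from_targets(cls, emails):
        return cls({fingerprint(e) for e in emails})

    def email_step(self, email: str) -> dict:
        """Step 1: the visitor submits an address. Only listed addresses get the
        password form; everyone else, sandboxes included, gets a benign decoy."""
        if fingerprint(email) in self.target_hashes:
            return {"action": "password_form", "email": email}
        return {"action": "decoy_page"}

    def password_step(self, email: str, password: str) -> dict:
        """Step 2: capture the password, again only for listed addresses, so a
        crawler that guesses the form URL cannot pollute the harvest."""
        if fingerprint(email) not in self.target_hashes:
            return {"action": "decoy_page"}
        self.harvested.append((email.strip().lower(), password))
        return {"action": "redirect_to_real_login"}


def differential_probe(page: GatedLandingPage, recipient: str, controls) -> dict:
    """Defender side: replay the email step with the original recipient address
    (taken from the reported message's headers) and with control addresses.
    A page that serves the credential form to the recipient but a decoy to every
    control address is gated on the submitted email."""
    results = {addr: page.email_step(addr)["action"] for addr in [recipient, *controls]}
    gated = results[recipient] == "password_form" and all(
        results[c] == "decoy_page" for c in controls
    )
    return {"gated": gated, "results": results}


if __name__ == "__main__":
    page = GatedLandingPage.from_targets(HARVESTED_TARGETS)
    print(page.email_step("test@example.com"))        # sandbox address: decoy
    print(page.email_step("CFO@Example-Corp.test"))   # listed (case-insensitive): form
    page.password_step("cfo@example-corp.test", "hunter2")
    print(page.harvested)
    print(differential_probe(page, "cfo@example-corp.test", SANDBOX_CONTROLS))
```

The probe is the practical takeaway: a user-reported phish gives the analyst the recipient address the sandbox never had, and comparing the page's behaviour for that address against throwaway addresses both reaches the real credential form and confirms that the site is validation-gated rather than simply dead.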

As phishing schemes grow more widespread and sophisticated, IT and security leaders must stay alert and strengthen their organizations' protections against these highly personalized attacks.