New Phishing Technique Targets High-Value Accounts with Real-Time Validation

By Tina Reynolds

Cybersecurity researchers have found a new, advanced, and targeted phishing campaign. This campaign has employed real-time checks to verify victims' email addresses prior to credential theft. To help explain this emerging approach, Cofense just published a report describing the term “precision-validating phishing.” This method focuses on high-value targets, making sure that stolen data links to real online accounts.

The phishing campaigns take advantage of an embedded URL that appears to lead users to a safe PDF file. This temporary file is hosted on a reliable service, files.fm, and is removed soon after the attack is run. Threat actors have utilized this tactic to apply pressure and urgency, putting a time constraint on victims to interact with the fraudulent page before it’s too late.

Cofense, with its partner Zscaler, elaborated that precision-validating phishing works through real-time email validation. Malicious actors now use this method to show phishing login pages only to a handful of high-value targets. To that end, the campaigns use a two-pronged approach, making them much more effective and successful.

“This tactic not only gives the threat actors a higher success rate on obtaining usable credentials as they only engage with a specific pre-harvested list of valid email accounts,” said Cofense. Combined with other thoughtful measures, this approach dramatically raises the odds that stolen credentials are associated with real, regularly-used accounts. Criminals can then use or sell these accounts on dark web markets.

Cofense emphasized the dual nature of this phishing scheme, stating, “Both options lead to the same outcome, with similar goals but different approaches to achieving them.” The researchers found these campaigns are most successful when they establish a convincing facade. Beyond that, the operational emphasis is on targeting key people for the biggest impact.

Additionally, the report sheds light on the troubling and increasing tendency of threat actors to use every available channel of communication. In a recent example, an attacker was able to deliver a malicious PowerShell payload via a Microsoft Teams message. Then, they used Quick Assist to remotely access the victim’s environment.

Cofense’s recently released Phishing Threat Intelligence Annual Report provides an important reminder of the complexity and continuing evolution of modern phishing schemes. The nonprofit encourages all users to remain vigilant and mindful of emerging threats. Take extra care with unsolicited emails or other contacts that could be malicious in nature.

“It increases the efficiency of the attack and the likelihood that stolen credentials belong to real, actively used accounts, improving the quality of harvested data for resale or further exploitation,” – Cofense