Phishing hack mirrors your login site—minus the URL

Phishing attempts reported on last month use a mirror image of Google-domain login pages—familiar logos and CAPTCHAs included. There’s one glaring characteristic in an otherwise twin-like version of the site, however: a weird-looking URL.

The “bit-for-bit” impersonation—shown in a blog post from the cloud-based email security provider Avanan—is a reminder for everybody to hit the half-speed button and slow down a bit to spot irregularities that indicate an attack.

Hovering over links—an important countermeasure, according to the blog—will reveal a less-reliable-sounding URL than the expected login address. The phishy URLs contain phrases like “boiling-fortress” or “spidervella,” instead of, say, “google.”

The hack:

• The user is emailed an “action required” notification of an expired password.
• They click the link and see a familiar login page, which the hackers are dynamically mirroring. (“A lot of phishing campaigns will falter because they look silly, or there’s tons of spelling errors, or something’s off, and it’s just really noticeable. This one looks exactly like your real site,” Jeremy Fuchs, Avanan cybersecurity researcher and analyst, told IT Brew.)
• The user’s email address is even pre-populated in the login form.

While the “boiling-fortress” or “spidervella” aspects of the URL do sound a bit silly, or at least like a band-name idea, not everyone looks at the address, said Fuchs, especially people in a hurry.

The attack is reminiscent of tactics deployed in late 2020 by the group SPAM-EGY—an advanced persistent threat (APT) group that used dynamically updated, realistic-looking Microsoft 365 logins to target higher-education users.

Phishing still works. A 2022 Incident Response Report from the cybersecurity company Palo Alto Networks found that phishing was one of three vectors responsible for over 77% of the team’s intrusion investigations—along with brute-force credential attacks and exploitation of software vulnerabilities.

While a copycat site could lead a company to potentially take legal action, the landing pages often disappear as quickly as they launch.

“These are typically up and down so quickly, and they happen at such volume, that it’s pretty rare for organizations to even have the opportunity to reach out, go to a registrar for a takedown, or anything like that,” Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, told IT Brew.

For an agile attack that Fuchs called “one of the more effective campaigns we’ve seen” in his Avanan blog post, an essential strategy, beyond link-hovering, is to take a breath.

“It’s really all about slowing down,” said Fuchs. “We’re all moving so fast, that we don’t look at the things that are right in front of us, telling us that we shouldn’t click on it.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.