{"id":2709,"date":"2025-04-10T01:28:17","date_gmt":"2025-04-10T01:28:17","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2709"},"modified":"2025-04-10T01:28:17","modified_gmt":"2025-04-10T01:28:17","slug":"targeted-phishing-gets-a-new-hook-with-real-time-email-validation","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2709","title":{"rendered":"Targeted phishing gets a new hook with real-time email validation"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Crooks behind some <a href=\"https:\/\/www.csoonline.com\/article\/1308864\/hackers-using-stolen-credentials-to-launch-attacks-as-info-stealing-peaks.html\">credential-stealing<\/a> phishing campaigns are trying to increase their success rate through more selective targeting.<\/p>\n<p>According to researchers at Cofense, instead of blasting out mass messages to a list of email addresses they\u2019ve collected or bought, these threat actors only target addresses that have been verified as active, legitimate, and often high-value.<\/p>\n<p>Cofense calls the technique precision-validated phishing, or real-time email validation, and it works like this: When someone who falls for the lure lands on the crook\u2019s phishing page, the email address they enter is checked, by JavaScript-based validation scripts on the page, against the attacker\u2019s database of intended targets before the credential-stealing login form is displayed. If the address entered does not match any on the pre-defined list, the phishing page either returns an error or redirects to a legitimate, benign-looking page. 
If the address is confirmed, however, the fake login page that can capture the victim\u2019s credentials is displayed.<\/p>\n<h2 class=\"wp-block-heading\">Problem for defenders<\/h2>\n<p>The problem for defenders is that the tactic prevents security teams from doing further analysis and investigation, says the <a href=\"https:\/\/cofense.com\/blog\/the-rise-of-precision-validated-credential-theft-a-new-challenge-for-defenders\">Cofense report<\/a>. Automated security crawlers and sandbox environments also struggle to analyze these attacks because they cannot bypass the validation filter, the report adds.<\/p>\n<p>Also, the report says, the selective nature of these attacks makes detection through threat intelligence sharing more difficult. Since the phishing pages do not serve malicious content to everyone, some traditional URL scanning tools may fail to flag them as threats. \u201cThis undermines traditional blocklisting efforts, requiring organizations to shift toward behavioural analysis and anomaly detection to identify phishing campaigns before they reach end users,\u201d the report says.<\/p>\n<h2 class=\"wp-block-heading\">\u2018A little bit of hype\u2019<\/h2>\n<p>David Shipley, head of Canada-based security awareness training firm Beauceron Security, said \u201cthere\u2019s a little bit of hype\u201d in giving the tactic a fancy name for what is in fact <a href=\"https:\/\/www.csoonline.com\/article\/566789\/what-is-spear-phishing-examples-tactics-and-techniques.html\">spear phishing<\/a>, although, he admitted, it\u2019s \u201crapid-fire spear phishing.\u201d<\/p>\n<p>The reason, he said, is that \u201cspray-and-pray\u201d mass phishing campaigns today are being detected by email gateways. This is why threat actors have increasingly turned to spear phishing and what he calls \u201ctrolling\u201d campaigns, where the goal is to measure who will report a phishing attempt, who will click, and where on the message the target will click. 
\u201cThey\u2019re trying to figure things out ahead of doing something clever,\u201d he said.<\/p>\n<p>The report is a reminder to infosec pros that, despite improved defenses, phishing is still a prime tactic of threat actors, Shipley said. \u201cYou can have a false sense of security if you\u2019re running a large enterprise and say, \u2018We stopped 950,000 phishing emails this month.\u2019 But the 500 that got through could really sink the battleship.\u201d<\/p>\n<p>The lesson for CISOs, he added, is to emphasize to employees the importance of reporting suspected phishing emails instead of just deleting them.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Hard to defend against\u2019<\/h2>\n<p>\u201cThis is very difficult to defend against,\u201d said Johannes Ullrich, dean of research at the SANS Institute. \u201cThe first step is to restrict JavaScript access. Next, mail servers need to rate limit requests to restrict how often a particular source may use its API. But it is very difficult to find the \u2018right\u2019 rate limit.\u201d<\/p>\n<p>\u201cThe only real solution,\u201d he said, \u201cis to move away from traditional credentials to phishing-safe authentication methods like <a href=\"https:\/\/www.csoonline.com\/article\/1312195\/redefining-multi-factor-authentication-why-we-need-passkeys.html\">Passkeys<\/a>. The goal should be to protect from leaked credentials, not block user account verification.\u201d<\/p>\n<p>Attackers verifying e-mail addresses as deliverable, or being associated with specific individuals, is nothing fundamentally new, he added. Initially, attackers used the mail server\u2019s \u201cVRFY\u201d command to verify if an address was deliverable. This still works in a few cases. Next, attackers relied on \u201cnon-deliverable receipts,\u201d the bounce messages you may receive if an email address does not exist, to figure out if an email address existed. 
Both techniques work pretty well to determine if an email address is deliverable, but they do not distinguish whether the address is connected to a human, or if its messages are read.<\/p>\n<p>The next step, Ullrich said, was sending obvious spam, but including an \u201cunsubscribe\u201d link. If a user clicks on the \u201cunsubscribe\u201d link, it confirms that the email was opened and read. So current advice is to not use the unsubscribe link unless you know the organization sending the email, he said.<\/p>\n<p>With webmail systems, it is often possible for a threat actor to figure out if a particular account exists by just attempting to log in, he noted. The attacker may get a different response if the account doesn\u2019t exist, versus \u2018incorrect password\u2019 for an existing account. For public systems like Gmail or Hotmail, an attacker may also attempt to create a new account, and the system will warn them if a particular username is already taken.<\/p>\n<p>\u201cIt looks like this campaign added the ability to verify if an email address exists in real time,\u201d he said. \u201cMost webmail systems are built around APIs accessible from JavaScript, and an attacker can use these APIs or create a database of valid email addresses or some middleware to proxy the requests to the email services API in case they restrict JavaScript access.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Crooks behind some credential-stealing phishing campaigns are trying to increase their success rate by sophisticated targeting. According to researchers at Cofense, instead of blasting out mass messages to a list of email addresses they\u2019ve collected or bought, these threat actors only target addresses that have been verified as active, legitimate, and often high-value. 
Cofense calls [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2710,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2709","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2709"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2709"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2709\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2710"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2709"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2709"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}