Commodity phishing kits are increasingly serving dynamically generated phishing pages, according to researchers at ESET.
These kits allow unskilled threat actors to launch sophisticated attacks tailored to individual users.
ESET describes one of these attacks, using a phishing email that informed the user of an unfamiliar sign-in to their account.
“Clicking the link takes you to a website that can automatically retrieve the logo of the company that’s being impersonated, all while misusing the API (Application Programming Interface) of a legitimate third-party marketing service such as Clearbit,” the researchers write.
“In other words, the credential-harvesting page queries sources such as business data aggregators and simple favicon lookup services to fetch the logo and other branding elements of the company being impersonated, sometimes even adding subtle visual cues or contextual details that further boost the ploy’s aura of authenticity. Adding to the deception, attackers can also pre-fill your name or email address, making it seem like you’ve visited the site before.”
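A defender-side check for the behaviour described above, written for this post as an added example (it is not ESET's code or tooling): given the HTML of a captured login page, it flags the three traits the kits exhibit, a logo hot-linked from a third-party logo or favicon lookup service, script that builds that branding from an identity passed in the page URL, and a pre-filled email field. The lookup hostnames are an assumed, illustrative list, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public logo/favicon lookup hosts a kit may hot-link (assumption: illustrative list, not from the ESET research).
LOGO_LOOKUP_HOSTS = {"logo.clearbit.com", "www.google.com", "icons.duckduckgo.com"}
# Script code that reads the victim's identity out of the URL the lure link carried.
URL_IDENTITY_HINTS = ("location.hash", "location.search", "URLSearchParams")

class _LoginPageParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.img_srcs, self.inputs, self.script_text = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])
        elif tag == "input":
            self.inputs.append(a)
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)

def scan_page(html: str) -> list[str]:
    """Return human-readable indicators of a dynamically branded login page."""
    p = _LoginPageParser()
    p.feed(html)
    findings = []
    for src in p.img_srcs:                       # logo hot-linked from a lookup API
        if urlparse(src).hostname in LOGO_LOOKUP_HOSTS:
            findings.append(f"logo fetched from lookup service: {src}")
    js = "\n".join(p.script_text)                # logo chosen from the victim's email domain
    if any(h in js for h in URL_IDENTITY_HINTS) and any(h in js for h in LOGO_LOOKUP_HOSTS):
        findings.append("branding derived from identity passed in the page URL")
    for a in p.inputs:                           # email pre-filled so the page looks familiar
        if a.get("type") in ("email", "text") and "@" in (a.get("value") or ""):
            findings.append(f"pre-filled email field: {a['value']}")
    return findings

# Constructed sample of a kit-style page (not a real capture).
SAMPLE_HTML = """<html><body><img id="brand" src="https://logo.clearbit.com/example.com">
<form><input type="email" name="user" value="alice@example.com"><input type="password"></form>
<script>var u = new URLSearchParams(location.search).get("u");
document.getElementById("brand").src = "https://logo.clearbit.com/" + u.split("@")[1];
</script></body></html>"""
```

A page that serves its own static logo and an empty email field produces no findings, so the check is useful for triaging reported lures rather than as a standalone verdict.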
Users should also enable multi-factor authentication on their accounts wherever possible, while remaining aware that social engineering attacks can still bypass this measure.
“Crucially, use a strong and unique password or passphrase on all your online accounts, especially the valuable ones,” ESET says. “Complementing this with two-factor authentication (2FA) wherever available is also a non-negotiable line of defense. 2FA adds a critical second layer of security that can prevent attackers from accessing your accounts even if they manage to steal your password or source it from data leaks. Ideally, look for and use app-based or hardware token 2FA options, which are generally more secure than SMS codes.”
ESET has the story.