Warning: Phishing Kits Can Auto-Generate Tailored Login Pages



Commodity phishing kits are increasingly serving dynamically generated phishing pages, according to researchers at ESET.

These kits allow unskilled threat actors to launch sophisticated attacks tailored to individual users.

ESET describes one such attack, which starts with a phishing email warning the user of an unfamiliar sign-in to their account.

“Clicking the link takes you to a website that can automatically retrieve the logo of the company that’s being impersonated, all while misusing the API (Application Programming Interface) of a legitimate third-party marketing service such as Clearbit,” the researchers write.

“In other words, the credential-harvesting page queries sources such as business data aggregators and simple favicon lookup services to fetch the logo and other branding elements of the company being impersonated, sometimes even adding subtle visual cues or contextual details that further boost the ploy’s aura of authenticity. Adding to the deception, attackers can also pre-fill your name or email address, making it seem like you’ve visited the site before.”
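
As an added illustration (example code written for this post, not ESET's or KnowBe4's), the Python script below scans a page's HTML for the traits described above: the page reading the victim's address out of its own URL, assembling a logo URL for that address's domain from a public logo or favicon service, and writing the address into the login form. The service hostnames are real public endpoints; the two sample pages and the sample URLs are constructed for the demo, the scoring threshold and regular expressions are this example's own heuristics rather than ESET's detection logic, and the assumption that kits pass the address either plainly in the query string or base64-encoded in the fragment is labelled as such in the code.

```python
"""Heuristic scanner for dynamically branded credential-harvesting pages.

Added example, not code from ESET or KnowBe4. It flags a landing page that
(1) reads its own URL to recover the victim's email address, (2) builds the
impersonated brand's logo URL at runtime from that address's domain using a
third-party logo/favicon service, and (3) pre-fills the login form with the
address. All sample markup and URLs below are constructed for the demo.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Public endpoints that return a brand logo or favicon for a bare domain name.
BRANDING_SERVICES = (
    "logo.clearbit.com/",
    "google.com/s2/favicons?domain=",
    "icons.duckduckgo.com/ip3/",
)

# Logo URL concatenated with a variable, e.g. "https://logo.clearbit.com/" + domain
DYNAMIC_LOGO_RE = re.compile(r"(clearbit\.com/|favicons\?domain=|ip3/)[\"']\s*\+\s*\w+")
# Script reading the page's own URL, where the kit carries the victim's address.
URL_READ_RE = re.compile(r"location\.(hash|search|href)|URLSearchParams")
# Address written into a form field by script, or a static value="...@..." attribute.
PREFILL_RE = re.compile(r"\.value\s*=\s*[\w.]*(email|mail|user)|<input[^>]*value=[\"'][^\"']*@", re.I)


def extract_victim_email(url: str) -> Optional[str]:
    """Return an email address carried in the URL's query string or fragment.

    Assumption (labelled): the kit passes the address either in plain text
    (?email=...) or as a single base64 token, typically in the fragment so
    it never reaches server-side logs. Returns None if nothing is found.
    """
    parsed = urlparse(url)
    candidates = [unquote(parsed.fragment)]
    for values in parse_qs(parsed.query).values():
        candidates.extend(unquote(v) for v in values)
    for cand in candidates:
        match = EMAIL_RE.search(cand)
        if match:
            return match.group(0)
        try:  # re-pad and decode; binascii.Error is a ValueError subclass
            decoded = base64.b64decode(cand + "=" * (-len(cand) % 4), validate=True)
        except ValueError:
            continue
        match = EMAIL_RE.search(decoded.decode("utf-8", "replace"))
        if match:
            return match.group(0)
    return None


def scan_page(html: str) -> dict:
    """Score a page on the four dynamic-branding indicators; 3 or more is suspicious."""
    low = html.lower()
    findings = {
        "branding_service": [s for s in BRANDING_SERVICES if s in low],
        "dynamic_logo": bool(DYNAMIC_LOGO_RE.search(html)),
        "reads_own_url": bool(URL_READ_RE.search(html)),
        "prefills_login": bool(PREFILL_RE.search(html)),
    }
    score = sum(1 for value in findings.values() if value)
    findings["score"] = score
    findings["suspicious"] = score >= 3  # threshold is this example's own choice
    return findings


# Constructed sample of a kit's landing page (not a real kit): the address rides
# base64-encoded in the fragment, the logo is fetched for its domain, the form is pre-filled.
PHISH_HTML = """
<form action="/post.php" method="post">
  <img id="logo" alt="">
  <input id="user" type="email" name="email">
  <input type="password" name="password">
</form>
<script>
  var email = atob(location.hash.slice(1));
  var domain = email.split("@")[1];
  document.getElementById("logo").src = "https://logo.clearbit.com/" + domain;
  document.getElementById("user").value = email;
</script>
"""

# Constructed benign login page: static logo shipped with the site, no URL tricks.
BENIGN_HTML = """
<form action="/login" method="post">
  <img src="/static/logo.svg" alt="Acme">
  <input type="email" name="email">
  <input type="password" name="password">
</form>
"""

# Constructed sample URLs in the two forms the extractor understands.
PLAIN_URL = "https://example.invalid/login?email=bob%40acme.example"
ENCODED_URL = "https://example.invalid/login#" + base64.b64encode(b"alice@acme.example").decode()

if __name__ == "__main__":
    for label, url in (("plain", PLAIN_URL), ("encoded", ENCODED_URL)):
        print(label, "->", extract_victim_email(url))
    for label, html in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(label, "->", scan_page(html))
```

Run it directly to see both sample pages scored. The scan is purely static, so it suits HTML captured in a sandbox or from a URL-scanning pipeline; a real kit may obfuscate its script, in which case the URL-based extractor (which needs only the link from the phishing email) is the more robust of the two checks.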

Users should enable multi-factor authentication wherever possible, but should be aware that social engineering can still defeat it: a phishing page that relays the victim's one-time code to the real site in real time obtains a valid session just the same. Phishing-resistant methods such as FIDO2 security keys or passkeys bind the login to the legitimate domain and are not fooled by a look-alike page.

“Crucially, use a strong and unique password or passphrase on all your online accounts, especially the valuable ones,” ESET says. “Complementing this with two-factor authentication (2FA) wherever available is also a non-negotiable line of defense. 2FA adds a critical second layer of security that can prevent attackers from accessing your accounts even if they manage to steal your password or source it from data leaks. Ideally, look for and use app-based or hardware token 2FA options, which are generally more secure than SMS codes.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

ESET has the story.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer

