RSA Finds Laser-Focused Phishing Attacks Targeting Pre-Determined Victims
A new phishing kit recently discovered and analyzed by EMC’s RSA Security division targets a pre-selected group of victims for credential theft. Each address on the target list is assigned a unique identifier that is embedded in the mailed link; when a user clicks, the kit first checks that identifier against the list and redirects the user to the phishing page only if it finds a match.
Users not on the list are redirected to a 404 page instead. This “laser precision phishing” is a significant evolution in how phishing campaigns behave: if “unwanted” visitors, security companies and takedown services among them, only ever see a 404, the malicious page takes longer to detect, report, and blacklist.
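The gating behaviour described above leaves a signature on the compromised host that a defender can look for. As an added example (not code from RSA’s report or from the kit itself), the script below scans web-server access logs for a path that answers only 302 or 404, with the outcome decided purely by the value of one query parameter. The log format (combined format), the script path, the parameter name `id` and the identifier values are all assumptions made for illustration; the log lines are constructed, not real traffic.

```python
"""Spotting a 'bouncer' gate in web-server access logs.

Added example; not code from RSA's report or from the kit it describes.
The gate admits a listed per-recipient identifier with a 302 to the phishing
page and answers 404 to everything else.  Seen from the compromised host that
is one script whose responses are only ever 302 or 404, split by the value
of a single query parameter.  Log format, path, the parameter name 'id' and
the identifier values are assumptions for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed log lines (not real traffic).  The first five hit the assumed
# gate script; the rest are ordinary site traffic that must not be flagged,
# including a CMS page that answers 200 or 404 depending on its own id.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2013:09:12:01 +0000] "GET /wp-content/uploads/go.php?id=a1f3c9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2013:09:13:44 +0000] "GET /wp-content/uploads/go.php?id=7e02bd HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jan/2013:09:15:10 +0000] "GET /wp-content/uploads/go.php?id=zzzzzz HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Jan/2013:09:15:12 +0000] "GET /wp-content/uploads/go.php HTTP/1.1" 404 162 "-" "curl/7.29.0"
192.0.2.22 - - [10/Jan/2013:09:16:30 +0000] "GET /wp-content/uploads/go.php?id=a1f3c9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.3 - - [10/Jan/2013:09:17:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.4 - - [10/Jan/2013:09:18:00 +0000] "GET /about.html HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2013:09:19:00 +0000] "GET /index.php?p=5 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Jan/2013:09:20:00 +0000] "GET /index.php?p=999 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into ip, path, query dict and status.
    Returns None for lines that do not match (truncated or foreign format)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    return {
        "ip": m["ip"],
        "path": url.path,
        "query": parse_qs(url.query),  # param -> [values]
        "status": int(m["status"]),
    }


def find_gates(log_text):
    """Return paths whose responses are only 302/404 and where the split is
    decided by one query parameter: the bouncer signature."""
    by_path = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_path[rec["path"]].append(rec)

    findings = []
    for path, recs in sorted(by_path.items()):
        admitted_recs = [r for r in recs if r["status"] == 302]
        rejected_recs = [r for r in recs if r["status"] == 404]
        # Only 302s and 404s, and at least one of each.  A script that always
        # redirects, or a CMS page answering 200/404 by id, does not qualify.
        if (len(admitted_recs) + len(rejected_recs) != len(recs)
                or not admitted_recs or not rejected_recs):
            continue
        # Candidate gate parameters: those present on every admitted request.
        candidates = set.intersection(*(set(r["query"]) for r in admitted_recs))
        for param in sorted(candidates):
            admitted = {r["query"][param][0] for r in admitted_recs}
            rejected = {r["query"].get(param, [None])[0] for r in rejected_recs}
            # A gate never lets the same value both in and out.
            if admitted.isdisjoint(rejected):
                findings.append({
                    "path": path,
                    "param": param,
                    "admitted_values": sorted(admitted),
                    "admitted": len(admitted_recs),
                    "rejected": len(rejected_recs),
                    "rejected_from": sorted({r["ip"] for r in rejected_recs}),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_gates(SAMPLE_LOG):
        print(f"gate candidate {f['path']} keyed on '{f['param']}': "
              f"{f['admitted']} admitted, {f['rejected']} rejected; "
              f"admitted ids {f['admitted_values']}")
```

Treat a hit as a lead, not proof: a legitimate redirector that 404s on unknown ids has the same shape, so confirm by pulling the script from disk. When you do report a gated page, include a full URL carrying one of the admitted identifier values; a takedown request with the bare path will be answered with the same 404 the kit shows every other uninvited visitor.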
“Much like many high-profile nighttime hotspots—if your name is not on the list, you’re staying out!” said Limor Kessem, cybercrime and online fraud communications specialist at RSA. “Keeping out uninvited guests also means avoiding security companies and prompt takedowns of such attacks.”
After harvesting a targeted victim’s credentials, the bouncer kit redirects the victim on to another hijacked page. The kit’s list held around 3,000 intended victims, and the attacks targeted financial institutions in Australia, Malaysia, and South Africa.
“The targeted were a mixed bag of webmail users, corporate addresses, and even some bank employees – which indicates that it was likely an aggregation of a few spam lists or data breach collections,” Kessem said in the same report. “These kits, used to target corporate email recipients, can easily be used as part of spear phishing campaigns to gain a foothold for a looming APT-style attack.”
Because most phishing attacks are hosted on compromised websites running unpatched open-source CMS software, RSA warns webmasters to keep their installations patched and to stay current with the latest security issues.