A new phishing kit recently discovered and analyzed by EMC's RSA Security division targets a specific, pre-selected group of victims for credential theft. Each address on the target list is assigned a unique identifier that is embedded in the emailed link; when a user clicks the link, the kit first validates that identifier and redirects the user to the phishing page only if the address is on the list.
Users not on the list are sent to a 404 page instead. RSA describes this "laser precision phishing" as a significant evolution in the way phishing campaigns behave: because "unwanted" visitors, including security companies and automated scanners, only ever see a 404 page, the malicious pages take longer to detect, report, and blacklist.
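The gating logic described above, as an added illustration (this is not RSA's code or the kit's source, and the report does not give the kit's parameter name or token format; the `uid` parameter, the `/login/` path, the HMAC-derived identifier and the sample address list are all assumptions made for this example). The second function shows the practical consequence for defenders: a takedown or URL-reputation pipeline that normalises a reported link to scheme, host and path before fetching it throws away the identifier and sees only the 404.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed sample target list (not the real list from the report).
TARGET_LIST = [
    "alice@example-bank.test",
    "bob@webmail.test",
    "carol@corp.test",
]

# Assumption: the kit derives each recipient's identifier from a secret so
# values cannot be guessed or enumerated. The report does not describe the
# real token format; this is one plausible construction.
KIT_SECRET = b"constructed-secret-for-illustration"
PHISH_PATH = "/login/"   # assumed path of the hijacked page hosting the kit
TOKEN_PARAM = "uid"      # assumed query-parameter name carrying the identifier


def issue_tokens(addresses, secret=KIT_SECRET):
    """Assign each listed address a unique identifier; returns token -> address."""
    tokens = {}
    for addr in addresses:
        tag = hmac.new(secret, addr.lower().encode(), hashlib.sha256).hexdigest()[:16]
        tokens[tag] = addr
    return tokens


def build_lure(host, token):
    """The per-recipient link that would be placed in the phishing e-mail."""
    return f"https://{host}{PHISH_PATH}?{TOKEN_PARAM}={token}"


def bouncer_route(url, tokens):
    """
    Server-side gate of the kind the report describes: a request carrying a
    listed identifier reaches the credential form (200); a missing, unknown
    or tampered identifier gets a 404. Returns (status, recipient_or_None).
    """
    parts = urlsplit(url)
    if parts.path != PHISH_PATH:
        return 404, None
    candidate = parse_qs(parts.query).get(TOKEN_PARAM, [None])[0]
    if candidate is None or candidate not in tokens:
        return 404, None
    return 200, tokens[candidate]


def scanner_view(url, tokens, strip_query):
    """
    What a takedown or URL-reputation scanner observes. If it normalises the
    reported URL to scheme+host+path before fetching (strip_query=True), the
    identifier is lost and the bouncer returns the 404 meant for outsiders.
    """
    parts = urlsplit(url)
    fetched = f"{parts.scheme}://{parts.netloc}{parts.path}" if strip_query else url
    status, _ = bouncer_route(fetched, tokens)
    return status


if __name__ == "__main__":
    tokens = issue_tokens(TARGET_LIST)
    token = next(t for t, a in tokens.items() if a == "alice@example-bank.test")
    lure = build_lure("hijacked-site.test", token)
    print("victim follows lure      :", bouncer_route(lure, tokens))
    print("outsider hits bare path  :", bouncer_route("https://hijacked-site.test/login/", tokens))
    print("scanner, query stripped  :", scanner_view(lure, tokens, strip_query=True))
    print("scanner, exact reported URL:", scanner_view(lure, tokens, strip_query=False))
```

The lesson for anyone verifying a reported phishing URL is to fetch exactly what the victim received, query string included, rather than a canonicalised form of it; against a kit like this one, the canonical URL is indistinguishable from a dead page.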
"Much like many high-profile nighttime hotspots: if your name is not on the list, you're staying out!" said Limor Kessem, cybercrime and online fraud communications specialist at RSA. "Keeping out uninvited guests also means avoiding security companies and prompt takedowns of such attacks."
After a targeted victim submits credentials, the kit redirects the user on to another hijacked page. The campaign's target list held around 3,000 addresses, and the attacks were carried out against financial institutions in Australia, Malaysia, and South Africa.
"The targeted were a mixed bag of webmail users, corporate addresses, and even some bank employees, which indicates that it was likely an aggregation of a few spam lists or data breach collections," Kessem said in the same report. "These kits, used to target corporate email recipients, can easily be used as part of spear phishing campaigns to gain a foothold for a looming APT-style attack."
Because most phishing pages are hosted on compromised websites running unpatched open source CMS software, RSA urges webmasters to keep their installations up to date with the latest security fixes.