Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online accounts. The technique has been codenamed precision-validating phishing by Cofense, which it said employs real-time email validation so that only a select set of high-value targets are served the fake login screens. "This tactic not only gives the threat actors a higher success rate on obtaining usable credentials as they only engage with a specific pre-harvested list of valid email accounts," the company said.
Unlike "spray-and-pray" credential harvesting campaigns that typically involve the bulk distribution of spam emails to obtain victims' login information in an indiscriminate fashion, the latest attack tactic takes spear-phishing to the next level by only engaging with email addresses that attackers have verified as active, legitimate, and high-value.
In this scenario, the email address entered by the victim in a phishing landing page is validated against the attacker's database, after which the bogus login page is displayed. If the email address does not exist in the database, the page either returns an error or the user is redirected to an innocuous page like Wikipedia so as to evade security analysis.
The checks are carried out by integrating an API- or JavaScript-based validation service into the phishing kit that confirms the email address before proceeding to the password capture step. "It increases the efficiency of the attack and the likelihood that stolen credentials belong to real, actively used accounts, improving the quality of harvested data for resale or further exploitation," Cofense said.
