Saturday, June 21, 2025

Tech News, analysis, updates, comments, reviews

Phishing hack that mirrors Google login site—minus the URL

It ‘looks exactly like your real site,’ says researcher Jeremy Fuchs.

Phishing attempts reported on last month use a mirror image of Google-domain login pages—familiar logos and CAPTCHAs included. There’s one glaring characteristic in an otherwise twin-like version of the site, however: a weird-looking URL.

The “bit-for-bit” impersonation—shown in a blog post from the cloud-based email security provider Avanan—is a reminder for everybody to hit the half-speed button and slow down a bit to spot irregularities that indicate an attack.

Hovering over links—an important countermeasure,—will reveal a less-reliable-sounding URL than the expected login address. The phishy URLs contain phrases like “boiling-fortress” or “spidervella,” instead of, say, “google.”

The hack:

  • The user is emailed an “action required” notification of an expired password.
  • They click the link and see a familiar login page, which the hackers are dynamically mirroring. (“A lot of phishing campaigns will falter because they look silly, or there’s tons of spelling errors, or something’s off, and it’s just really noticeable. This one looks exactly like your real site,” Jeremy Fuchs, Avanan cybersecurity researcher and analyst, told IT Brew.)
  • The user’s email address is even pre-populated in the login form.

While the “boiling-fortress” or “spidervella” aspects of the URL do sound a bit silly, or at least like a band-name idea, not everyone looks at the address, said Fuchs, especially people in a hurry.

The attack is reminiscent of tactics deployed in late 2020 by the group SPAM-EGY—an advanced persistent threat (APT) group that used dynamically updated, realistic-looking Microsoft 365 logins to target higher-education users.

Phishing still works. A 2022 Incident Response Report from the cybersecurity company Palo Alto Networks found that phishing was one of three vectors responsible for over 77% of the team’s intrusion investigations—along with brute-force credential attacks and exploitation of software vulnerabilities.

While a copycat site could lead a company to potentially take legal action, the landing pages often disappear as quickly as they launch.

“These are typically up and down so quickly, and they happen at such volume, that it’s pretty rare for organizations to even have the opportunity to reach out, go to a registrar for a takedown, or anything like that,” Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, said.

For an agile attack that Fuchs called “one of the more effective campaigns we’ve seen” in his Avanan blog post, an essential strategy, beyond link-hovering, is to take a breath.

“It’s really all about slowing down,” said Fuchs. “We’re all moving so fast, that we don’t look at the things that are right in front of us, telling us that we shouldn’t click on it.”

Get notified whenever we post something new!

spot_img

Migrate to the cloud

Make yourself future-proof by migrating your infrastructure and services to the cloud. Become resilient, efficient and distributed.

Continue reading

Taking Control of Your Genetic Privacy

Practical steps to delete your 23andMe genetic data and protect your biological privacy, with global considerations for data protection.

A Cybersecurity Perspective on Border Searches and Digital Privacy

Exploring the challenges of phone privacy at borders, this post reflects on cybersecurity strategies and global implications for travelers and professionals.

Why Kenya’s Cybersecurity Boom Matters More Than The Numbers Suggest

The statistics tell one story about Kenya's cybersecurity market. A 10.54% growth rate through 2029, reaching $92.64 million. The need for 10,000 new experts by 2025. Organizations scrambling to boost budgets by 34% after cyberattacks hit M-PESA and Kenya...

Enjoy exclusive discounts

Use the promo code SDBR002 to get amazing discounts to our software development services.