Tuesday, May 21, 2024

Tech News, analysis, updates, comments, reviews

Phishing hack that mirrors Google login site—minus the URL

It ‘looks exactly like your real site,’ says researcher Jeremy Fuchs.

Phishing attempts reported on last month use a mirror image of Google-domain login pages—familiar logos and CAPTCHAs included. There’s one glaring characteristic in an otherwise twin-like version of the site, however: a weird-looking URL.

The “bit-for-bit” impersonation—shown in a blog post from the cloud-based email security provider Avanan—is a reminder for everybody to hit the half-speed button and slow down a bit to spot irregularities that indicate an attack.

Hovering over links—an important countermeasure,—will reveal a less-reliable-sounding URL than the expected login address. The phishy URLs contain phrases like “boiling-fortress” or “spidervella,” instead of, say, “google.”

The hack:

  • The user is emailed an “action required” notification of an expired password.
  • They click the link and see a familiar login page, which the hackers are dynamically mirroring. (“A lot of phishing campaigns will falter because they look silly, or there’s tons of spelling errors, or something’s off, and it’s just really noticeable. This one looks exactly like your real site,” Jeremy Fuchs, Avanan cybersecurity researcher and analyst, told IT Brew.)
  • The user’s email address is even pre-populated in the login form.

While the “boiling-fortress” or “spidervella” aspects of the URL do sound a bit silly, or at least like a band-name idea, not everyone looks at the address, said Fuchs, especially people in a hurry.

The attack is reminiscent of tactics deployed in late 2020 by the group SPAM-EGY—an advanced persistent threat (APT) group that used dynamically updated, realistic-looking Microsoft 365 logins to target higher-education users.

Phishing still works. A 2022 Incident Response Report from the cybersecurity company Palo Alto Networks found that phishing was one of three vectors responsible for over 77% of the team’s intrusion investigations—along with brute-force credential attacks and exploitation of software vulnerabilities.

While a copycat site could lead a company to potentially take legal action, the landing pages often disappear as quickly as they launch.

“These are typically up and down so quickly, and they happen at such volume, that it’s pretty rare for organizations to even have the opportunity to reach out, go to a registrar for a takedown, or anything like that,” Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, said.

For an agile attack that Fuchs called “one of the more effective campaigns we’ve seen” in his Avanan blog post, an essential strategy, beyond link-hovering, is to take a breath.

“It’s really all about slowing down,” said Fuchs. “We’re all moving so fast, that we don’t look at the things that are right in front of us, telling us that we shouldn’t click on it.”


Please enter your comment!
Please enter your name here

Get notified whenever we post something new!


Migrate to the cloud

Make yourself future-proof by migrating your infrastructure and services to the cloud. Become resilient, efficient and distributed.

Continue reading

Google I/O 2024 Unveils the Future?

Google I/O 2024 was an impressive showcase of how Google continues to push the envelope with artificial intelligence. This year's event introduced significant advancements across multiple services and platforms, demonstrating Google's commitment to an AI-first future. Below, I try...

On-Premises vs. Cloud Security

As usual, we begin by championing cybersecurity. It stands as the foremost concern for organizations striving to safeguard their sensitive data and digital assets. Among the many strategies available, two dominant paradigms have emerged: on-premises security and cloud security....

Regulation Insights from Starlink’s in Zimbabwe

In recent times, the journey of Starlink, Elon Musk's ambitious satellite internet venture under SpaceX, has been marked by regulatory challenges, particularly in Zimbabwe. Meanwhile the Posts and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) issued a directive instructing Starlink...

Enjoy exclusive discounts

Use the promo code SDBR002 to get amazing discounts to our software development services.