New Phishing Technique Launches Personalised Attacks

Phishing messages are getting increasingly realistic and harder to distinguish from genuine emails and web pages. Now, they have an added layer of danger. A new phishing technique can deliver personalised messages imitating the intended target’s favourite brands. The CyberFlow team is monitoring an ongoing phishing-as-a-service campaign, which has already claimed many victims.

These advanced phishing attacks use the Morphing Meerkat platform, which is capable of creating messages imitating more than 100 popular brands. Moreover, it can dynamically serve personalised phishing attacks, based on the target’s interaction with various companies.

How Does the New Phishing Technique Work?

The mechanism behind this new phishing campaign involves accessing the user’s DNS Mail Exchange (MX) records. This helps threat actors identify the brands with which the user interacts most frequently.

This information enables the phishing-as-a-service kit to dynamically morph the phishing email to impersonate one of these brands. This is what makes the campaign extremely effective and dangerous.

If a target usually receives daily or bi-weekly emails from a brand, their alert level is low. They open the email with less caution than they would a message from a company they do not usually interact with.

Phishing Web Content Is Strongly Related to the User’s Email Activity

In all the instances of this new phishing technique, the user was further encouraged to click on links once they reached the fake web page. The morphing phishing platform delivers login pages that are extremely relevant to the target.

Once they click on these fake logins, users lose control over their business accounts or hand their banking and credit card details to hackers.

Employee Education on Brand Impersonation Phishing Is More Important Than Ever

These personalised phishing attacks make cybersecurity education extremely important for all companies. Even if you use advanced cyber detection tools, it takes only one employee clicking on a link to expose your company data and give hackers access to your IT network.

In this context, one of the key elements of anti-phishing solutions is ongoing employee training and education. Employees need to know how phishing attacks work and undergo tests to check whether they can tell the difference between a genuine and a fake email or web page.

One of the most effective ways to prevent phishing and social engineering attacks from succeeding is by instructing employees to double-check with the purported sender. Instead of clicking on a link, they should take the time to make a phone call or send an email to an official contact address and ask if they are really supposed to take that action.

The Best Defence: Stop Phishing Emails from Reaching the Inbox

However, companies should not place the whole responsibility for preventing phishing attacks on their employees’ shoulders. New phishing techniques will be increasingly realistic and difficult to spot.

The responsible choice is to implement advanced phishing detection tools and solutions that detect malicious emails coming from insecure domains. These malicious emails are then filtered out and never reach your employees’ inboxes.
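As an added illustration (not CyberFlow's tooling or code from any product), the sketch below shows one filtering rule of this kind: quarantine a message whose display name claims a known brand when the sender domain is not one of that brand's domains, or when the gateway did not record a DMARC pass. The brand names, domains and sample messages are constructed, and it assumes the receiving gateway writes a trusted Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "examplepay": {"examplepay.example", "mail.examplepay.example"},
}
DMARC_RE = re.compile(r"\bdmarc=(\w+)", re.IGNORECASE)

def dmarc_result(msg):
    """DMARC verdict from the topmost Authentication-Results header, else 'none'."""
    # Assumption: the receiving gateway prepends its own header and strips forged ones.
    match = DMARC_RE.search(msg.get("Authentication-Results", ""))
    return match.group(1).lower() if match else "none"

def classify(raw):
    """Return 'deliver' or a 'quarantine: ...' reason for one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Normalise the display name so "Example Bank" matches "examplebank".
    name = re.sub(r"[^a-z0-9]", "", display.lower())
    claimed = [brand for brand in BRAND_DOMAINS if brand in name]
    for brand in claimed:
        if domain not in BRAND_DOMAINS[brand]:
            return f"quarantine: display name claims {brand}, sender is {domain}"
    dmarc = dmarc_result(msg)
    if claimed and dmarc != "pass":
        return f"quarantine: {claimed[0]} mail without DMARC pass ({dmarc})"
    return "deliver"

def sample(from_header, dmarc):
    """Build a constructed test message."""
    return (f"From: {from_header}\n"
            f"Authentication-Results: mx.corp.example; dmarc={dmarc}\n"
            "Subject: Action required\n\nPlease sign in.\n")

LOOKALIKE = sample('"Example Bank Security" <alerts@login-verify.example>', "pass")
SPOOFED = sample('"Example Bank" <alerts@examplebank.example>', "fail")
GENUINE = sample('"Example Bank" <alerts@examplebank.example>', "pass")

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("genuine", GENUINE)]:
        print(label, "->", classify(raw))
```

The lookalike case is the one that matters most here: the message passes DMARC for its own domain, so only the mismatch between the claimed brand and the sender domain catches it.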

CyberFlow can help you set up the best anti-phishing solutions and other cybersecurity tools to keep your systems and data safe from hackers. Contact us to get a personalised offer for complete cybersecurity services!