Phishing Attacks Now Verify Your Email Before Stealing Credentials
A sophisticated phishing campaign is making it harder to spot scams, with attackers now checking if your email address is active *before* attempting to steal your passwords. Researchers warn this new tactic ensures attackers only target valid accounts, increasing their chances of success.

Cybersecurity researchers are raising the alarm about a clever new phishing scheme. This one's designed to make sure the info the attackers steal actually belongs to real, active online accounts. Think of it as phishing with a quality control department!
Cofense, the security firm that spotted this technique, calls it "precision-validating phishing." The idea is simple: attackers validate your email before showing you a fake login page, targeting only high-value victims.
"This isn't your grandma's spray-and-pray phishing," Cofense explained. "They're only going after email accounts they've already confirmed are active and legitimate."
So, how does it work? When you land on the phishing page and enter your email, it's checked against the attacker's database. If you're on their list, boom, you see the fake login. If not, you might get an error or be redirected to a harmless page like Wikipedia. Sneaky, right?
These checks are often done with APIs or JavaScript integrated into the phishing kit. The check confirms your email address before the attackers even bother trying to steal your password.
According to Cofense, this makes attacks more efficient and increases the chances that stolen credentials are for accounts that are actually used. This means better data for reselling or further attacks.
And it gets worse: "Automated security crawlers and sandboxes often miss these attacks because they can't bypass the validation filter," Cofense notes. "This makes it harder to detect and allows these phishing campaigns to live longer."
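For a defender, the practical consequence is that a crawler result of "no login form found" on such a page records the gate, not a clean verdict. The triage below is an added example, not Cofense's tooling; the CrawlResult fields, the trusted-host set and the sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: hosts the organisation already trusts for email-first sign-in.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

@dataclass
class CrawlResult:
    start_url: str             # URL taken from the reported message
    email_only_form: bool      # first page asked for an email address and nothing else
    final_url: str             # where the browser ended after a probe address was submitted
    password_field_seen: bool  # a password input appeared after the probe
    error_shown: bool          # the page displayed an error after the probe

def host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def triage(r: CrawlResult) -> str:
    """Return 'credential_form', 'gated_suspect' or 'no_finding'."""
    start, end = host(r.start_url), host(r.final_url)
    if start in TRUSTED_LOGIN_HOSTS:
        return "no_finding"
    if r.password_field_seen:
        return "credential_form"
    if r.email_only_form and (r.error_shown or end != start):
        # The probe address was rejected or sent to another site: the outcome
        # the article describes for addresses that are not on the list.
        return "gated_suspect"
    return "no_finding"

# Constructed sample sessions; the example.test hosts are placeholders.
SAMPLES = {
    "listed": CrawlResult("https://portal.example.test/doc", True,
                          "https://portal.example.test/doc", True, False),
    "bounced": CrawlResult("https://portal.example.test/doc", True,
                           "https://en.wikipedia.org/wiki/Main_Page", False, False),
    "rejected": CrawlResult("https://portal.example.test/doc", True,
                            "https://portal.example.test/doc", False, True),
    "static": CrawlResult("https://blog.example.test/", False,
                          "https://blog.example.test/", False, False),
}

if __name__ == "__main__":
    for name, result in SAMPLES.items():
        print(f"{name}: {triage(result)}")
```

A "gated_suspect" result is a reason to route the URL to an analyst or hold the message, not proof of phishing, since legitimate email-first sign-in pages outside the trusted set behave the same way.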
Double Trouble: Phishing with a File Deletion Twist
But wait, there's more! Cofense also uncovered a separate phishing campaign using fake file deletion reminders to steal credentials and deliver malware. It's a two-for-one special of cyber nastiness.
This attack uses a link that appears to point to a PDF file scheduled for deletion on files.fm, a legitimate file storage service. Click the link, and you're taken to the real files.fm site where you can "download" the PDF.
Here's the catch: When you open the PDF, you get two choices: preview or download. If you preview, you're redirected to a fake Microsoft login page designed to steal your password. If you download, you get an executable disguised as Microsoft OneDrive, but it's actually the ScreenConnect remote desktop software from ConnectWise.
"It's like the attackers are forcing you to pick your poison," Cofense said. "Both roads lead to the same destination, just using different methods."
Sophisticated Attacks on the Rise
These findings come on the heels of another discovery: a multi-stage attack combining vishing (voice phishing), remote access tools, and "living off the land" techniques to sneak in and stay hidden. This activity is linked to a group known as Storm-1811 (aka STAC5777).
Ontinue reports that "the attackers exploited exposed communication channels by sending a malicious PowerShell payload via Microsoft Teams, then used Quick Assist for remote access." This led to the deployment of signed binaries (like TeamViewer.exe), a malicious DLL (TV.dll), and a JavaScript-based backdoor.