Chameleon phishing attack targets firms with fake fax message emails
Cyber security firm Trustwave SpiderLabs has uncovered a new credential-capture phishing scam whose landing page customises itself to match the victim's email service in order to trick them into revealing their login details.
The email poses as a fax notification and prompts the recipient to click a link to view the missed message.
The victim is then invited to input their details into a fake login page tailored to whatever email service the victim is using in a chameleon-like attack: Gmail users, for instance, will see a different page from Apple, Outlook or Yahoo Mail users.
SpiderLabs analysed the malicious email after trapping it in one of its email security gateway products, which sits in front of an enterprise's email server.
Researchers found four elements that changed to convince victims they were on an authentic site: the page background, a blurred logo, the title shown in the browser tab and the capitalised domain name of the victim's email provider.
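To make the mechanism concrete, the following is an added example written for this page, not code recovered from the kit Trustwave analysed. It shows how a landing page can derive the four elements above from the address embedded in the phishing link at page-load time. The parameter name `u`, the brand table, the colours and the logo file names are all assumptions chosen for illustration; a corporate or otherwise unknown domain falls back to generic styling and the capitalised domain text.

```javascript
// Added example: how a "chameleon" login page can tailor itself per victim.
// Assumption: the phishing link carries the mailbox address in the query
// string, e.g. https://phish.example/view.php?u=alice@example.com
"use strict";

// Illustrative branding per provider (placeholders, not the real page's values).
const BRANDS = {
  "gmail.com":   { name: "Gmail",   background: "#ffffff", logo: "gmail.png" },
  "outlook.com": { name: "Outlook", background: "#0078d4", logo: "outlook.png" },
  "yahoo.com":   { name: "Yahoo",   background: "#6001d2", logo: "yahoo.png" },
  "icloud.com":  { name: "iCloud",  background: "#f5f5f7", logo: "apple.png" },
};

// Pull the address out of the link; the "u" parameter name is assumed.
function addressFromUrl(url) {
  const addr = new URL(url).searchParams.get("u") || "";
  return addr.trim().toLowerCase();
}

// Capitalise the first label of the domain: "contoso.com" -> "Contoso".
function capitaliseDomain(domain) {
  const label = domain.split(".")[0] || domain;
  return label.charAt(0).toUpperCase() + label.slice(1);
}

// Choose background, logo, tab title and brand text for this victim.
function brandingFor(address) {
  const at = address.lastIndexOf("@");
  const domain = at >= 0 ? address.slice(at + 1) : "";
  const known = BRANDS[domain];
  if (known) {
    return { title: known.name + " - Sign in", background: known.background,
             logo: known.logo, label: known.name, domain, tailored: true };
  }
  // Unknown provider: generic styling plus the capitalised domain text.
  const label = domain ? capitaliseDomain(domain) : "Email";
  return { title: label + " - Sign in", background: "#eeeeee",
           logo: "generic.png", label, domain, tailored: false };
}

// Apply the chosen branding to a document-like object (a real DOM or a stub).
function applyBranding(doc, b) {
  doc.title = b.title;                       // browser tab title
  doc.body.style.background = b.background;  // page background
  doc.logo.src = b.logo;
  doc.logo.style.filter = "blur(2px)";       // the blurred logo the researchers saw
  doc.brandText.textContent = b.label;       // capitalised provider/domain text
  return doc;
}

// Stand-alone demo under Node (no DOM): a plain stub stands in for document.
if (typeof window === "undefined") {
  const stub = { title: "", body: { style: {} }, logo: { style: {} }, brandText: {} };
  const link = "https://phish.example/view.php?u=Bob@Gmail.com";  // constructed input
  const doc = applyBranding(stub, brandingFor(addressFromUrl(link)));
  console.log(doc.title, doc.body.style.background, doc.brandText.textContent);
}
```

Because the branding is computed on the client from whatever address the attacker put in the link, matching colours and a familiar logo say nothing about who is serving the page; the host in the address bar is the one thing the kit cannot tailor.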
While the fake, morphing login page is not identical to the genuine ones – discerning users might notice some discrepancies in the font as well as in the capitalised branding – Trustwave threat intelligence manager Karl Sigler noted:
“Often just pulling out a couple of elements, especially if someone isn’t looking that closely, is more than enough to fool someone into believing it’s genuine.”
While there appears to be no direct financial gain from the attack, Sigler explains that access to email accounts is often enough – allowing attackers to discover banking details or passwords for other logins.
According to Sigler, organisations that still rely on faxes – such as healthcare providers and law firms – are particularly exposed to these attacks, and he warns that phishing campaigns are increasingly targeted at specific organisations.
“They already know what email you are using; they’ve done the reconnaissance ahead of time, so they know exactly who they are targeting. This is a push away from the wide net attacks that we saw five to ten years ago that were tossed out to as many emails as possible.”
He continues: “What we are seeing here is a hybrid technique – they are throwing a wide net because they have this chameleon technique, but they are also using it in a very targeted way because it makes the recipient think that their specific credentials are being requested.”
After tracking the fax phishing campaign for the last few weeks, Trustwave believes this particular scam has now been taken down, but Sigler predicts that enterprises have not seen the last of this type of chameleon attack.
“If you are going to that much effort to customise all this code and scripting under the hood to make a campaign that is flexible enough to manage all these different domains, we expect they are going to reuse this in the future,” he said.
Trustwave’s advice to anyone who has clicked the link is to change their passwords.
“This is nothing more than a credential capture. The only thing they will have taken is your password. If you still have access to your accounts that’s a good sign – change your accounts and set up multi-factor authentication if your email provider allows for that,” he said.