New spear phishing campaign uses multiple scripts to customize attacks on enterprises

Cybersecurity researchers have recently uncovered a sophisticated spear phishing attack at a well-known enterprise that went undetected by existing security solutions. 

A close examination of the recent spear phishing event by Menlo Security researchers revealed that the attackers performed various checks on the password entered by the victim and their IP address to determine whether it was a true compromise versus somebody who had figured out the attack.

The attackers supported various email providers. This was determined by the fact that they served custom pages based on the email domain. For example, a victim whose email address was would be served a page that looked like a Gmail login page.

The attackers exfiltrated the victim’s personally identifiable information (PII) to an attacker controlled account.

The attacker relied heavily on several key scripts to execute the phishing campaign, and to obtain the victim’s IP address in addition to the victim’s country and city.

“Credential theft via increasingly sophisticated spear phishing attacks is dangerous to the enterprise,” said Poornima DeBolle, Chief Product Officer and co-founder of Menlo Security. “Existing email security products will have a difficult time detecting these attacks using the usual good versus bad methods. Once an attacker obtains an employee’s credentials, they have the keys to your kingdom.”

The spear phishing vulnerabilities stem from legacy email security solutions, including sandbox-based anti-phishing products, being largely based on reputation; that is, whether an email link is known to be “good” or “bad.”

A link’s reputation is determined via third-party data feeds, or internally by way of large-scale email traffic and data analysis.  In the case of spear phishing attacks, which target specific individuals within an organization, the email link is usually unique, as is the target user, hence there is no third-party reputation data available, nor is there enough data to analyze internally to make an accurate determination.

If the determination is incorrect, users are sent directly to a web site where credentials can be stolen or malware can be downloaded to the user’s device.