Clone Phishing Attacks
What is clone phishing?
Clone phishing is a type of phishing attack in which an attacker copies the content of a legitimate email and weaponizes it. Usually, this is done by changing a link in the email or replacing an attachment with a malicious version.
You’ve probably seen generic phishing emails.
They usually reek of phishing – the font, spelling errors, etc.
Most people catch these nowadays.
So attackers have morphed and are using pretty stealthy techniques.
One of these is clone phishing.
How clone phishing attacks work
Clone phishing can be done as a type of spear phishing or sent en masse.
It depends on what the attacker is trying to accomplish.
Either way, clone phishing works the same way.
First, the attacker will spoof or otherwise replicate the email address of the sender they are impersonating.
This can be done by spoofing the email headers or by using visually similar domains.
Spoofing email headers
Visually similar domains
This method is often more successful since it can bypass spam filters in many cases.
Once the attacker has a way to spoof an email address and get the message delivered, they work on the cloned content.
This is actually quite easy to do.
Let’s say an attacker wants to clone a Google new login alert email.
All they have to do is copy the HTML from the email and paste it into the one they are creating.
Then, they will swap out the URL or the attachment for a malicious one.
If they are sophisticated, the attacker may then send you to a cloned website to capture your login credentials.
Don’t worry, there’s a simple way to prevent this that we’ll discuss further down.
To avoid your company’s email address being spoofed in attacks against other organizations, you should implement SPF, DKIM and DMARC controls. Check out our post here to learn how SPF, DKIM, and DMARC authentication protocols work.
The different types
There are typically two ways that an attacker will go about clone phishing attacks.
The first way is to clone an email with a link.
Say, an email from LinkedIn about a connection request, with the link location edited so that it goes to a phishing site.
If done correctly, this method is unfortunately very successful.
The second method an attacker could use is to attach a malicious document.
Let’s use an example of a sales department.
If the attacker interacts with the sales department and receives an email with a quote attachment, they could reply to the email with a different attachment.
The attacker could create a malicious document with the same name and add it as the attachment when they reply.
Obviously, if the email security doesn’t catch it and the recipient opens the document, things could go badly.
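For the first method above (a cloned email whose link was edited), a mail-security check can compare the link hosts in a suspect message against a known-good copy of the same notification. The following is an added example, not code from this article: the function names, the constructed sample HTML with placeholder example.com domains, and the 0.8 similarity threshold are all assumptions.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href host, visible text) for every <a> tag in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            host = (urlsplit(self._href).hostname or "").lower()
            self.links.append((host, "".join(self._text).strip()))
            self._href = None


def links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()


def changed_links(original_html, suspect_html, threshold=0.8):
    """Report suspect links whose host never appears in the known-good email."""
    trusted = {host for host, _ in links(original_html) if host}
    findings = []
    for host, text in links(suspect_html):
        if not host or host in trusted:  # skip host-less links and unchanged hosts
            continue
        closest = max(trusted, key=lambda t: similarity(t, host), default="")
        findings.append({"text": text, "found": host, "closest_original": closest,
                         "lookalike": similarity(closest, host) >= threshold})
    return findings


# Constructed sample: a known-good alert and a copy with one link host altered.
ORIGINAL = ('<a href="https://accounts.example.com/review">Check activity</a>'
            '<a href="https://support.example.com/help">Help</a>')
SUSPECT = ORIGINAL.replace("accounts.example.com", "accounts.examp1e.com")
```

A host that is new and also scores as a lookalike of a trusted one is a stronger signal than a host that is merely different, since legitimate senders do change link hosts between campaigns.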
Ways to identify clone phishing
Now that you understand clone phishing attacks, they probably seem pretty scary.
But there are actually some pretty simple ways to identify them.
In fact, they are the same ways you can identify any type of phishing.
If you are thinking that this clone phishing sounds like pretty sophisticated stuff, don’t worry.
There are simple security measures that you can implement to avoid becoming a victim.
It’s critical that you train your users on the risks of social engineering and phishing. CyberX offers a completely free cybersecurity awareness solution that you can use today in less than 90 seconds! Check it out here.