Clone Phishing Attacks
Cyber criminals are constantly evolving their attacks and tweaking methods that work.
One phishing attack method that attackers have recently been using is clone phishing.
It is effective!
When we use this attack on social engineering engagements, we typically get a 50% click rate.
What is clone phishing?
Clone phishing is a type of phishing attack in which an attacker copies the content of a legitimate email and weaponizes it. Usually, this is done by changing a link in the email or replacing an attachment with a malicious version.
You’ve probably seen generic phishing emails.
They usually reek of phishing – the font, spelling errors, etc.
Most people catch these nowadays.
So attackers have morphed and are using pretty stealthy techniques.
One of these is clone phishing.
How clone phishing attacks work
Clone phishing can be done as a type of spear phishing or sent in mass.
It depends on what the attacker is trying to accomplish.
Either way, clone phishing works the same way.
First, the attacker will spoof or otherwise replicate the faked sender’s email address.
This can be done via spoofing the email headers or using visually similar domains.
Spoofing email headers
We won’t get into the full explanation here, but there are two types of addresses in an email: a return address and a sender’s address.
When an attacker spoofs your email address, they are typically swapping the sender’s address to make it look like it came from someone else.
Visually similar domains
The other common way that attackers spoof the sender is by using a similar domain.
For example, if your company URL is company.com, an attacker may purchase and use c0mpany.com with a 0 instead of o.
This method is often more successful since it can bypass spam filters many times.
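As a defender-side illustration of the two sender tricks above (spoofed headers and visually similar domains), the following added example, which is not code from this post, flags a message whose sender domain differs from its return address or closely resembles a trusted domain. It assumes the "return address" maps to the Return-Path header and the "sender's address" to the From header; the character-swap table and mailer.example are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a small table of look-alike characters chosen for this example.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def skeleton(domain):
    """Collapse common character swaps so c0mpany.com compares equal to company.com."""
    return domain.translate(CONFUSABLES).replace("rn", "m")

def check_sender(raw_message, trusted_domains):
    """Return a list of findings for one raw message (signals, not verdicts)."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg["Return-Path"])
    findings = []
    # Legitimate bulk mailers can also differ here, so treat this as a signal to score.
    if return_dom and from_dom != return_dom:
        findings.append("from_return_path_mismatch")
    # A domain that is not trusted but normalises to a trusted one is a look-alike.
    if from_dom not in trusted_domains and any(
        skeleton(from_dom) == skeleton(t) for t in trusted_domains
    ):
        findings.append("lookalike_domain")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = ("Return-Path: <bounce@mailer.example>\n"
           "From: Accounts <billing@company.com>\nSubject: Invoice\n\nbody\n")
LOOKALIKE = ("Return-Path: <billing@c0mpany.com>\n"
             "From: Accounts <billing@c0mpany.com>\nSubject: Invoice\n\nbody\n")
LEGIT = ("Return-Path: <billing@company.com>\n"
         "From: Accounts <billing@company.com>\nSubject: Invoice\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)]:
        print(name, check_sender(raw, {"company.com"}))
```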
After the attacker has a way to spoof an email address and actually deliver it, they work on the cloned part.
This is actually quite easy to do.
Let’s say an attacker wants to clone a Google new login alert email.
All they have to do is copy the html from the email and paste it into the one they are creating.
Then, they will swap out the URL or the attachment for the malicious one.
If they are sophisticated, the attacker may then send you to a cloned website to capture your login credentials.
Don’t worry, there’s a simple way to prevent this that we’ll discuss further down.
To avoid your company’s email address being spoofed in attacks against other organizations, you should implement SPF, DKIM and DMARC controls. Check out our post here to learn how SPF, DKIM, and DMARC authentication protocols work.
The different types
There are typically two ways that an attacker will go about clone phishing attacks.
The first way is to clone an email with a link, say an email from LinkedIn about a connection request.
But they would edit the link location so that it goes to a phishing site.
If done correctly, this method is unfortunately very successful.
The second method an attacker could use is to attach a malicious document.
Let’s use an example of a sales department.
If the attacker interacts with the sales department and receives an email with a quote attachment, they could reply to the email with a different attachment.
The attacker could create a malicious document with the same name and add it as the attachment when they reply.
Obviously, if the email security doesn’t catch it and the recipient opens the document, things could go badly.
Ways to identify clone phishing
Now that you understand clone phishing attacks, they probably seem pretty scary.
But there are actually some pretty simple ways to identify them.
In fact, they are the same ways you can identify any type of phishing.
Prevention methods
If you are thinking that this clone phishing sounds like pretty sophisticated stuff, don’t worry.
There are simple security measures that you can implement to avoid becoming a victim.
It’s critical that you train your users on the risks of social engineering and phishing. CyberX offers a completely free cybersecurity awareness solution that you can use today in less than 90 seconds! Check it out here.
Conclusion
Clone phishing is stealthy.
Attackers have morphed and it’s one of the types of phishing that they have added to their tool bag.
It’s important that you have security controls in place to prevent it and that your employees are aware of the threat.
Awareness is one of the best mitigations for social engineering.
Have you been the victim of clone phishing?
Or are you going to implement a control to prevent it?
Leave a comment and let me know.