In recent news, cybercriminals have been seen using precision-validated phishing techniques to target specific individuals with the goal of increasing their success rates. Instead of mass-emailing generic phishing messages to a list of email addresses, these threat actors are taking a more targeted approach, focusing only on verified active and high-value email addresses.
Known as precision-validated phishing or real-time email validation, this technique involves checking the email address of a victim against the attacker’s database using JavaScript-based validation scripts on the phishing page. If the email address matches one on the predefined list, the victim is shown a fake login page where their credentials can be stolen. However, if the email address is not on the list, the phishing page either returns an error or redirects to a benign-looking page.
This tactic poses a significant challenge to defenders as it prevents further analysis and investigation. Security teams and automated security crawlers struggle to bypass the validation filter, making it difficult to detect and block these targeted attacks. Additionally, traditional URL scanning tools may fail to flag these phishing pages as threats since they do not serve malicious content to everyone.
David Shipley, the head of a security awareness training firm, characterized this tactic as a form of spear phishing, albeit a more rapid-fire version. He noted that cybercriminals are moving away from mass phishing campaigns towards more targeted attacks to evade email gateways and increase their success rates.
According to Johannes Ullrich from the SANS Institute, defending against precision-validated phishing is challenging. Restricting JavaScript access and rate-limiting requests on mail servers are suggested strategies, but they may not be foolproof. Ullrich proposed using phishing-safe authentication methods like Passkeys as a more effective solution. He also highlighted the evolution of techniques used by attackers to verify email addresses over the years, from the “VRFY” command to bounce messages and obtaining information through unsubscribes.
Overall, the rise of precision-validated phishing underscores the ongoing threat posed by phishing attacks to organizations and individuals. It serves as a reminder for cybersecurity professionals to prioritize user awareness and report suspicious emails promptly. As cybercriminals continue to innovate and adapt their tactics, staying vigilant and implementing robust security measures is crucial in mitigating the risk of falling victim to phishing scams.