Cyber criminals are constantly evolving their attacks and tweaking methods that work.
One phishing attack method that attackers have recently been using is clone phishing.
It is effective!
When we use this attack on social engineering engagements, we typically get a 50% click rate.
What is clone phishing?
Clone phishing is a type of phishing attack in which an attacker copies the content of a legitimate email and weaponizes it. Usually, this is done by changing a link in the email or replacing an attachment with a malicious version.
You’ve probably seen generic phishing emails.
They usually reek of phishing – the font, spelling errors, etc.
Most people catch these nowadays.
So attackers have morphed and are using pretty stealthy techniques.
One of these is clone phishing.
How clone phishing attacks work
Clone phishing can be done as a type of spear phishing or sent in mass.
It depends on what the attacker is trying to accomplish.
Either way, clone phishing works the same way.
First, the attacker will spoof or otherwise replicate the email address of the sender they are impersonating.
This can be done via spoofing the email headers or using visually similar domains.
Spoofing email headers
We won’t get into the full explanation here, but there are two types of addresses in an email: a return address and a sender’s address.
When an attacker spoofs your email address, they are typically swapping the sender’s address to make it look like it came from someone else.
Visually similar domains
The other common way that attackers spoof the sender is by using a similar domain.
For example, if your company URL is company.com, an attacker may purchase and use c0mpany.com, with a zero in place of the letter o.
This method is often more successful since it frequently gets past spam filters.
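As an added example (not code from the original post), here is a small Python check that applies both points above to a raw message: it compares the Return-Path domain with the From domain, and folds common look-alike characters (0 for o, 1 for l, rn for m) so that c0mpany.com is matched against a list of trusted domains. The trusted-domain list, the homoglyph table and the sample message are constructed for the illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Domains this organisation treats as legitimate senders (constructed list).
TRUSTED_DOMAINS = {"company.com", "google.com", "linkedin.com"}

# Digits that imitate letters in most fonts; folded back before comparing.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, or '' if there is no address."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def fold_lookalikes(domain: str) -> str:
    """Collapse common look-alike spellings (c0mpany -> company, rn -> m)."""
    return domain.translate(_HOMOGLYPHS).replace("rn", "m")


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    folded = fold_lookalikes(domain)
    for t in trusted:
        if folded == fold_lookalikes(t):
            return t
    return None


def check_sender(raw_message: str) -> list:
    """Flag a Return-Path/From domain mismatch and a look-alike From domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_domain = domain_of(msg["Return-Path"])
    findings = []
    if return_domain and return_domain != from_domain:
        findings.append(f"return-path domain {return_domain} != From domain {from_domain}")
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain} looks like trusted {target}")
    return findings


# Constructed sample: From imitates company.com while bounces go somewhere else entirely.
SAMPLE = """Return-Path: <bounce@mail-relay.example.net>
From: "IT Helpdesk" <helpdesk@c0mpany.com>
Subject: New sign-in to your account

Please review the sign-in below.
"""
print(*check_sender(SAMPLE), sep="\n")
```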
After the attacker has a way to spoof an email address and actually deliver it, they work on the cloned part.
This is actually quite easy to do.
Let’s say an attacker wants to clone a Google new login alert email.
All they have to do is copy the HTML from the email and paste it into the one they are creating.
Then, they swap the URL or the attachment for a malicious one.
If they are sophisticated, the attacker may then send you to a cloned website to capture your login credentials.
Don’t worry, there’s a simple way to prevent this that we’ll discuss further down.
To avoid your company’s email address being spoofed in attacks against other organizations, you should implement SPF, DKIM and DMARC controls. Check out our post here to learn how SPF, DKIM, and DMARC authentication protocols work.
The different types
There are typically two ways that an attacker will go about clone phishing attacks.
The first way is to clone an email that contains a link, say an email from LinkedIn about a connection request.
The attacker edits the link location so that it goes to a phishing site.
If done correctly, this method is unfortunately very successful.
The second method an attacker could use is to attach a malicious document.
Let’s use an example of a sales department.
If the attacker interacts with the sales department and receives an email with a quote attachment, they could reply to the email with a different attachment.
The attacker could create a malicious document with the same name and add it as the attachment when they reply.
Obviously, if the email security doesn’t catch it and the recipient opens the document, things could go badly.
Ways to identify clone phishing
Now that you understand clone phishing attacks, they probably seem pretty scary.
But there are actually some pretty simple ways to identify them.
In fact, they are the same ways you can identify any type of phishing.
- Check the URL – whenever there is a link in an email, hover over the link to see the address that it is going to. If the link is shortened (bit.ly, etc.), that’s a concern. Alternatively, if the application you’re using doesn’t support link previews, you can right-click and copy the link location. Then, go to browserling.com and paste the URL to view the page within a virtual machine.
- Look for misleading domains – always be on the lookout for misleading domains in emails. It is very easy and cheap for attackers to purchase misleading domains to use in social engineering attacks. Whenever you are reading and replying to emails, check out the domain quickly. If it’s different than the one you usually see, something is wrong.
- Password manager won’t fill – password managers have many security benefits. If you are ever at a site and your password manager won’t automatically populate your credentials, investigate the site’s URL. It’s possible that you are at a phishing site and not the legitimate one.
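An added example (not part of the original post) that does the "check the URL" step automatically: a Python audit of every link in an HTML email body that flags shortened links and any link whose host is not under the brand's expected domain, which is exactly what a cloned LinkedIn or Google alert with a swapped link looks like. The shortener list, the crude two-label domain function and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL shorteners that hide the real destination (constructed list; extend as needed).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host (crude stand-in for a public-suffix lookup)."""
    return ".".join(host.lower().split(".")[-2:])


def audit_links(html_body: str, expected_domain: str) -> list:
    """One finding per http(s) link that is shortened or leaves expected_domain."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel:, in-page anchors: nothing to hover over
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            findings.append(f"shortened link: {href}")
        elif registered_domain(host) != expected_domain:
            findings.append(f"'{text}' points to {host}, not {expected_domain}")
    return findings


# Constructed clone of a sign-in alert: the first two links were swapped by the attacker.
SAMPLE_HTML = """<p>We noticed a new sign-in to your Google Account.</p>
<a href="https://accounts.google.com.verify-login.example/recover">Check activity</a>
<a href="https://bit.ly/3xyzabc">Learn more</a>
<a href="https://support.google.com/accounts">Help</a>"""
print(*audit_links(SAMPLE_HTML, "google.com"), sep="\n")
```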
If you are thinking that this clone phishing sounds like pretty sophisticated stuff, don’t worry.
There are simple security measures that you can implement to avoid becoming a victim.
- Phishing awareness training – one of the best ways to avoid clone phishing attacks is user training. Train your employees about the attack methods that attackers use so they can catch them. Pairing that training with simulated phishing campaigns is typically more effective.
- Email authentication protocols – if you haven’t already, you should set up SPF, DKIM, and DMARC. These protocols can prevent your domain from being faked. Not only does this help the organizations you do business with, but it can stop attackers from spoofing your own domain to your employees.
- Firewall & email security solutions – you should have some kind of security solution inspecting emails. They can identify malicious attachments, known bad actors, potential phishing and much more.
- Out of band verification – use an “out of band” verification method to check documents or requests in emails. If something looks off, trust your instinct. Pick up the phone and call the individual who allegedly sent the email. Use a phone number that you have or find somewhere other than the email. This is one of the best ways to stop spear phishing attacks.
Clone phishing is stealthy.
Attackers have morphed, and it’s one of the types of phishing that they have added to their tool bag.
It’s important that you have security controls in place to prevent it and that your employees are aware of the threat.
Awareness is one of the best mitigations for social engineering.
Have you been the victim of clone phishing?
Or are you going to implement a control to prevent it?
Leave a comment and let me know.