In a global marketplace, the ability to geotarget is huge.
Essentially, it means that businesses can tailor their advertising to the recipient's location. Someone in New York may get a different ad than someone in France. That makes the ads more valuable for businesses and more personalized for consumers.
There’s another group of people who want to personalize their offerings–hackers. This allows hackers to send one message to different people across the globe, providing geo-specific phishing content. This allows the threat actors to send custom phishing by language and region to their intended target.
In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how threat actors are geo-targeting websites to advance their phishing schemes.
Attack
In this attack, hackers redirect users via Geotargetly, a geo-targeting platform, and provide them with customized, localized phishing pages.
- Vector: Email
- Type: Credential Harvesting, Redirect
- Techniques: Social Engineering, Impersonation, Geotargeting
- Target: Any end-user
Email Example
This email is in Spanish and was sent originally to users in Colombia. Here’s the rough translation.
Subject: Notification of subpoena for excess of maximum speed allowed on urban roads of 60 km/h
******* FOR MORE INFORMATION, A COPY OF THE SCHEDULE IS ATTACHED *******
Use the Virtual Appearance button (virtual hearings and payment settlements) or request the settlement by email
Link: SEE COMPARED 24755693025
KEY TO VIEW YOUR ATTACHED SUBMISSION KEY: 2023
When the user clicks on “See Compared”, the end-users will be redirected to a web page with a link that’s redirected by on GeoTargetly.
GeoTargetly is a legitimate website that allows advertisers to redirect users to pages and ads in their local markets. For example, a New York-based viewer would get something in English, localized to New York. Someone in France will get a page in French.
In the above example, the original email starts in Colombia, and so if the user is in Colombia, they will be redirected to a Colombian government look-a-like page. Here’s where it goes:
If they are in Argentina, they will be redirected to an Argentinian page. And so on.
The original email is essentially about a local traffic ordinance–which may not be enough to get people to click. However, the email itself is not what’s interesting–what is interesting is the ability for hackers to customize their attacks by region, and to attack multiple users in multiple parts of the world at once.
Techniques
Spray-and-pray is a common technique of threat actors. The idea–throw a bunch of things at the wall and see what sticks. The name of the game is volume, and you’re hoping for a few successful phishes here and there.
The attack above is a different kind of spray-and-pray. It allows for the ability for hackers to target a large number of people at once, and ensure that it’s relevant, and localized. It’s spraying without the praying.
Using the Geotargetly redirect, a hacker can create a phishing link that redirects users in a certain region to a fake login page that looks identical to the original one. This personalization increases the chances of a user falling for the attack. The redirect is legitimate and the content would be relevant to their language and region.
This has increased the likelihood of spray and pray are working, and would allow hackers to operate on a global nature seamlessly.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Check URLs in email and in browser before proceeding
- Confirm with IT if the site is legitimate