publishing date icon
August 11, 2021
read time icon
5 min. read

A phish named malware: Email verification scam

Author image
Jon Gellin
Junior Threat Analyst
Post hero image

Table of contents

share this post

Email verification malware phish: Malware is its first name

Beware of the email verification malware phish. Over the past few weeks we’ve seen a rise in this unconventional phishing method, which lets bad actors blast out malicious links en masse using tools that get more phish past email filters and directly into inboxes. This phishing scam basically hijacks the email verification process of legitimate services. Learn how to identify this malware-loaded email verification phish and stay off the hook!

Corrupting a legitimate service

They don’t look like much, but email verification malware phish are effective. Using automation tools, threat actors pretend to sign up for a legitimate online service that requires email verification. But when creating new accounts, they enter a malicious link in the “first name” field, followed by the potential victim’s real email address in the email field. Automation lets them do this with countless emails at a time.This phishing scam's message can seem laughably obvious to most, but its sheer carpet-bombing volume makes it dangerously effective. Unlike personal Outlook or Google accounts, when an email confirmation is sent to the victim by a legitimate service provider, it may more effectively sneak past filters and straight into inboxes. Here’s one we’ve seen recently making the rounds:

email verification malware phish

Example of this unconventional method being used in the wildThe example above contains so many red flags that you might wonder why anyone would fall for it.

  • The link, located after “Dear,” must be copy/pasted into the URL field of a browser; no hyperlinks can be in the “first name” field
  • It is a totally random link that looks nothing like a name
  • There’s no instructions to copy/paste the malicious link from the “first name” field to a browser window
  • The service itself is most likely unused by, and unknown to, the recipient

Quantity over quality

Despite these inconsistencies, the email verification phish is effective. It requires little effort or skill to deploy. As such, some attackers favor a spray-n-pray approach like this over the time-intensive surgical precision of a BEC attack. This message could get through a million recipients’ spam filters around the world; just one percent of them copy-pasting the malicious link translates to ten thousand victims. And remember, just one click can bring down a whole company or network, or worse.While this method might not be as efficient as the more targeted and well-crafted phishing scams we see, it is effective enough. Moreover, it damages the reputation of many smaller companies who are used by bad actors for scam campaigns. To combat this a company could, for instance, restrict special characters from being typed into the name fields of registration forms. All links, malicious or otherwise, require special characters.

4 tips to spot email verification malware phish

Always be on your toes with email verification messages. When receiving an email notification like this, consider:

  • Are you expecting the email? If not, be extra careful!
  • Is it correctly personalized with your name?
  • Does the message body look odd? Is anything out of place?
  • Only visit links when necessary, and even then, remember to hover over the links to verify that they lead to the right address!
  • Do not use your work email to sign up to services you use on your personal time.
  • Only sign up for the bare necessities in terms of services. This keeps the amount of spam you receive at a minimum, which makes sorting out the malicious emails much easier!

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.

Explore more phishing types

Subscribe to All Things Human Risk

Subscribe to our newsletter for a curated digest of the latest news, articles, and resources on human risk and evolving phishing threats in the ever-changing landscape.

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.