Beware of the email verification malware phish. Over the past few weeks we’ve seen a rise in this unconventional phishing method, which lets bad actors blast out malicious links en masse using tools that get more phish past email filters and directly into inboxes. This phishing scam basically hijacks the email verification process of legitimate services. Learn how to identify this malware-loaded email verification phish and stay off the hook!
They don’t look like much, but email verification malware phish are effective. Using automation tools, threat actors pretend to sign up for a legitimate online service that requires email verification. But when creating new accounts, they enter a malicious link in the “first name” field, followed by the potential victim’s real email address in the email field. Automation lets them do this with countless emails at a time.
This phishing scam's message can seem laughably obvious to most, but its sheer carpet-bombing volume makes it dangerously effective. Unlike a message sent from a personal Outlook or Google account, an email confirmation sent to the victim by a legitimate service provider may more effectively sneak past filters and straight into inboxes. Here’s one we’ve seen recently making the rounds:
Example of this unconventional method being used in the wild
The example above contains so many red flags that you might wonder why anyone would fall for it.
Despite these inconsistencies, the email verification phish is effective. It requires little effort or skill to deploy. As such, some attackers favor a spray-and-pray approach like this over the time-intensive surgical precision of a BEC attack. This message could get through a million recipients’ spam filters around the world; just one percent of them copy-pasting the malicious link translates to ten thousand victims. And remember, just one click can bring down a whole company or network, or worse.
While this method might not be as efficient as the more targeted and well-crafted phishing scams we see, it is effective enough. Moreover, it damages the reputation of the many smaller companies that bad actors use for scam campaigns. To combat this, a company could, for instance, restrict special characters from being typed into the name fields of registration forms. All links, malicious or otherwise, require special characters.
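The registration-form restriction suggested above, sketched as server-side validation (an added example, not code from the original article or from any service it describes). The field names, the 64-character limit and the sample inputs are assumptions; the allowlist keeps letters from any script plus space, apostrophe and hyphen, so names like O'Brien or Jean-Luc still pass while the '.', '/' and ':' that a link needs do not.

```javascript
"use strict";
// Added example: allowlist validation for the name fields of a sign-up form.
// Field names, MAX_NAME_LENGTH and all sample inputs are assumptions made
// for illustration.

const MAX_NAME_LENGTH = 64;

// One or more runs of letters/combining marks (any script), joined by a single
// space, apostrophe or hyphen. Dots, slashes, colons, '@' and digits never match.
const NAME_PATTERN = /^[\p{L}\p{M}]+(?:[ '’-][\p{L}\p{M}]+)*$/u;

function validateName(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not_a_string" };
  // NFKC folds look-alike compatibility forms (e.g. fullwidth "．") to their
  // plain equivalents before the allowlist is applied.
  const name = raw.normalize("NFKC").trim();
  if (name.length === 0) return { ok: false, reason: "empty" };
  if (name.length > MAX_NAME_LENGTH) return { ok: false, reason: "too_long" };
  if (!NAME_PATTERN.test(name)) return { ok: false, reason: "disallowed_character" };
  return { ok: true, value: name };
}

// Run on the server before any verification email is queued: automated
// sign-ups can bypass browser-side checks entirely.
function handleSignup(form) {
  const errors = {};
  const cleaned = { email: form.email };
  for (const field of ["firstName", "lastName"]) {
    const result = validateName(form[field]);
    if (result.ok) cleaned[field] = result.value;
    else errors[field] = result.reason;
  }
  const accepted = Object.keys(errors).length === 0;
  return accepted ? { accepted, cleaned } : { accepted, errors };
}

// Constructed sample submissions.
const samples = [
  { firstName: "Jean-Luc", lastName: "O'Brien", email: "user@example.test" },
  { firstName: "https://example.test/claim", lastName: "Smith", email: "user@example.test" },
  { firstName: "www.example.test", lastName: "Smith", email: "user@example.test" },
];
for (const s of samples) console.log(s.firstName, "->", JSON.stringify(handleSignup(s)));
```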
Always be on your toes with email verification messages. When receiving an email notification like this, consider:
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. The team clusters the threats, rates them, and incorporates the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.