Buggy phishing attack accidentally reveals how cyber criminals personalize messages to elude detection by filters

Vishing, or voice phishing, is a form of phishing that typically happens over the phone. In vishing, the malicious actor uses social engineering techniques to lure the victim into sharing sensitive information or performing an action that benefits the attacker. Vishing attacks come in many shapes and sizes: some attackers prey on the elderly while posing as IT support, while others impersonate CEOs requesting large wire transfers.

This attack starts off with an email. The email informs the recipient about an order renewal being billed from their account. The recipient of course does not recognize the order and wishes to cancel it. Conveniently, the email contains a bolded phone number just for this purpose!

When called, the malicious actor reads from a script that asks the caller for all sorts of personal information, often including financial details "required for service cancellation".

In this case, however, the malicious actors did not get it quite right. In an attempt to vary the messages, potentially to better elude automatic detection by spam filters, they configured several fields of the email as variables that are filled in per recipient. Fortunately, something went wrong in that process, and the recipient was able to see which parts of the email were going to be personalized.

The personalized fields included information such as the product name, phone number and location, allowing the malicious actors to better cater to different regions. By personalising the email to, for example, mention products recognised in a certain part of the world, the efficiency of the campaign is increased.

Off the hook – How to detect the attack and protect your organization from it

Be vigilant with unexpected emails and aware of the fact that malicious actors personalize their attacks using information that matches their victims (e.g. location, name, local phone number) to evade both your suspicion and spam filters.

Also be aware of social engineering techniques such as vishing, and refuse to give out financial or personal details over the phone. Hang up if you suspect something is phishy.
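The two tell-tale signs described above (template fields that failed to render, and a phone number placed right beside "call to cancel" language) can both be checked mechanically, which is useful for a mail-filter rule or a triage script run over reported emails. The following is an added example written for this article, not code from Hoxhunt or from the campaign it describes. The sample email body is constructed, the placeholder syntaxes it looks for (`{{...}}`, `%...%`, `${...}`, `[[...]]`) are an assumption about common mail-merge tooling rather than anything observed in the original message, and the phone number is a fictional 555 number.

```python
import re

# Constructed sample email body (not from the article): a renewal-scare lure in
# which some of the sender's per-recipient template fields failed to render, so
# the raw placeholders are still visible, while the callback number did render.
SAMPLE_EMAIL = """Subject: Your order {{PRODUCT_NAME}} has been renewed

Dear customer,

Your annual subscription for {{PRODUCT_NAME}} has been renewed and
$299.99 will be billed to your account in %LOCATION%.
If you did not authorise this order, call our support desk at
**+1 (555) 010-4242** within 24 hours to cancel and receive a refund.
"""

# Placeholder styles used by common templating / mail-merge tools. This set is
# an assumption for the example; extend it to match whatever your filters see.
PLACEHOLDER_RE = re.compile(
    r"\{\{\s*[\w.\-]+\s*\}\}"   # {{ PRODUCT_NAME }}
    r"|%[A-Z][A-Z0-9_]{2,}%"    # %LOCATION%
    r"|\$\{[\w.\-]+\}"          # ${city}
    r"|\[\[[\w.\-]+\]\]"        # [[name]]
)

# Loose phone-number shape: optional '+', then digits with spaces, dots,
# dashes or parentheses in between. Candidates are filtered by digit count.
PHONE_RE = re.compile(r"\+?\(?\d[\d\s().\-]{5,}\d")

# Words that typically accompany a "call us to undo this charge" lure.
LURE_WORDS = ("cancel", "refund", "renew", "billed", "charged", "dispute")


def find_unrendered_placeholders(text):
    """Return the distinct unrendered template fields in the message, in order of first appearance."""
    seen = []
    for match in PLACEHOLDER_RE.finditer(text):
        token = match.group(0)
        if token not in seen:
            seen.append(token)
    return seen


def find_callback_lure(text):
    """Return phone numbers that share a line with cancellation/refund language."""
    hits = []
    for line in text.splitlines():
        lowered = line.lower()
        if not any(word in lowered for word in LURE_WORDS):
            continue
        for match in PHONE_RE.finditer(line):
            digits = re.sub(r"\D", "", match.group(0))
            # Real dialable numbers have roughly 7 to 15 digits; this skips
            # prices and durations such as "$299.99" or "24 hours".
            if 7 <= len(digits) <= 15:
                hits.append(match.group(0).strip())
    return hits


def assess_email(text):
    """Combine both checks into a verdict with human-readable reasons."""
    placeholders = find_unrendered_placeholders(text)
    callbacks = find_callback_lure(text)
    reasons = []
    if placeholders:
        reasons.append("unrendered template fields: " + ", ".join(placeholders))
    if callbacks:
        reasons.append("callback number beside cancellation language: " + ", ".join(callbacks))
    return {
        "suspicious": bool(reasons),
        "reasons": reasons,
        "placeholders": placeholders,
        "callback_numbers": callbacks,
    }


if __name__ == "__main__":
    verdict = assess_email(SAMPLE_EMAIL)
    print("suspicious:", verdict["suspicious"])
    for reason in verdict["reasons"]:
        print(" -", reason)
```

On the constructed sample, the script reports both the two leftover placeholders and the bolded callback number sitting next to "cancel" and "refund". The placeholder check only fires when the attacker's tooling breaks, as it did in this campaign, so in practice it belongs alongside the callback-lure check rather than replacing it; the latter catches the same scam even when every field rendered correctly.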
