Clone phishing takes an existing email template and turns it into a malicious email with a simple bait-and-switch, such as changing a legitimate link to a malicious one. The phishing email is cloned from a legit email that a victim has received before, perhaps from a real service or a colleague. Cloning an email exploits the feeling of trust from a familiar email exchange.
What is clone phishing?
It’s more complex than sheer duplication. The attacker can start the email with a pretext that justifies the re-send. Explanations we’ve seen are along the lines of “sending this again because I needed to update the attached file,” or “I forgot to add this in the original email.“ You can be sure they will find a suitable explanation and if not, they trust your curiosity will take care of the rest.
In addition to impersonating emails from a co-worker, a clone phish could mimic communications from a service provider. Let’s say the place where you work uses Github and you receive emails from Github daily. You are accustomed to these emails and click on them without thinking too much. You probably already guess where I’m going with this.
One day an attacker gets a hold of one of these messages, and suddenly they know what you are used to seeing. With small effort they can turn that into a malicious email and send it to you, pretending to be from Github. This is why the habit of hovering over links is so important. Hovering-as-a-reflex saves you from getting phished because why else would you spend time to verify something that doesn’t seem suspicious at all?
How attackers get access to the emails that they clone is a matter in itself. When cloning service emails like the one from Github, the attacker has at least two options. They can search online for templates, or they might receive these types of notifications and emails themselves.
Cloning personal emails is harder for hackers than cloning messages from an online service. The cloning itself is easy, but access to them is not. As those emails should be visible between you and whoever you’re messaging, additional third-party access would indicate you or your friend's account has been breached. And if your account is already breached, the attacker's objective should in theory be completed; or they’ll use your account to clone and send emails further along to others if you weren’t their final target. And if someone else in your network has been breached, their account can be transformed into full-on clone phishing farm. Recognizing a phish that comes from a legitimate source is extremely hard.
Clone phish can have a zombie element. Even after a breached has been secured, an attacker could still bring old email conversations to life with this technique. This type of clone phishing is of course more rare than other types of phishing.
Fun fact: Emotet malware - one of history’s biggest botnets - spread by essentially using clone phishing with a twist. Once infecting a device, it would send a copy of itself to old email conversations from that machine’s email client. To the victim, it would appear that a trusted email conversation had been revived, and an attachment should be downloaded.
BEC scams (business email compromise) are on the rise and for good reason. They are very effective! A BEC scam is when someone breaches a business account and they use it to send malicious emails. Its effectiveness hinges on the trust that the business has established for itself. Combining BEC scams with clone phishing renders a serious weapon. Just like in the case of Emotet, it is very hard to tell if the email is malicious when it comes from a trusted source. And in the case of a clone phish, the familiar context makes the attack even more convincing.
Clone phishing could as well be called Copy phishing because the attacker copies an existing email and adds their own evil twist to it. Quite literally most of the work consists of “CTRL + C” and “CTRL + V” combos. In addition, they are much harder to identify as phishing emails and thus wreak more havoc than your average phishing email. But if it’s so easy, why don’t we see more of it?
One reason is that acquiring access to targeted emails is difficult. As previously mentioned, you need access to someone's account to know what kind of emails they send and receive. It might even defeat the purpose as you wouldn’t send phishing email to someone whose account you already have access to. However, this just highlights the importance of your own account security. Even if you wouldn’t have access to the content that the attackers want, they can still take advantage of the trust you’ve built with others.
On the other hand, getting access to commonly sent emails from online services is much easier. You could sign up for a service and get yourself a copy of their email template. But is this kind of an email something you would immediately click on when receiving your second “Welcome to Reddit” - email? First of all it would seem off, and secondly it’s not that interesting. Of course the attackers can send other types of messages but without modifications to them, they might be easily discarded as spam. That’s why the most common type of phishing is to impersonate a real service, but amp up the emotional charge of the message. No matter how popular, it’s not really considered clone phishing anymore.
Even if cloned phishing attacks are more difficult to notice than others, they still have some of the same weaknesses. The most important indicator is the fact that links will lead to websites that are either malicious or contain links to malicious sites. This is something even a BEC combined with clone phishing can’t hide. And if the email doesn’t have link but an attachment instead, it should raise a healthy amount of scepticism. Always handle attachments them with caution and never open executables or enable macros in office documents.
If somebody only has a copy of an email you might have received, they can only send it from an address they have access to, or try to spoof it. Spoofing the sender means it will likely get caught by your email filters, or get sent to your trash folder. Also be mindful of the context! If the email is supposedly a part of a conversation, then why isn’t it in the same email thread? The attacker can’t send the email into the same email thread as the real message, if they don’t have access to that account. And in the case of a breached account, you can look for other clues like links.
We at Hoxhunt do have a threat feed newsletter. It showcases the latest threats that have bypassed technical filters and were reported by Hoxhunt's human detection network of over a million users. Those reported threats are automatically analyzed and categorized for prioritization and SOC response by our unique machine learning model. These are the threats at the vanguard of the constantly-evolving threat landscape. You should sign up! And if you want more info — and a way to put that data to work — please check out our response platform.