I’ve run a few phishing exercises from spoofed email addresses. I they get through a company’s mail server (they shouldn’t, that’s what SPF, DMARC etc are meant to protect you against), someone always clicks on a link. This use of the work ‘polymorphism’ is about how phishing attacks then harvest credentials…:
[…] In a polymorphic phishing attack, attackers usually make minor alterations in the sender ID of a valid source or spoof an email address. They use social engineering attack techniques to make sure that the spoofed email ID replicates the authentic ID. The hackers then send these malicious emails to the employees in reputed organizations. More often than not, the email lands into the inbox of employees due to the lack of proper email authentication protocol in the company.
The most probable reasons for the increase in the number of spoofed login pages may be due to the following two reasons:
- CISOs, CIOs, and SOC analysts of the reputed brand whose landing page has been spoofed seek ways for taking the fake pages down. This makes the hackers create more new pages so that it can continue to spoof employees.
- Certain brands or companies may be an easy target for cybercriminals due to the lack of a well-rounded workplace security policy in their organization. This is the reason why attackers get away with polymorphic phishing attacks.
How to Detect Spoofed Login Pages?
While it may be difficult to detect spoofed login pages and prevent being phished, there are certain ways by which one can attempt to understand whether a login page is from an authentic source or not. Before being redirected to a login page it is always advisable to check whether the email is from a valid IP address as well.