"APT-Like Phishing Threat Mirrors Landing Pages"

A phishing campaign is tricking users into providing login information by using mirror versions of landing pages from target companies. The malicious actors can then use these stolen credentials to access a wealth of private or business files, as well as other applications and locations on the network, according to a report from security company Avanan. Attackers first send targets emails with a button to click, telling them it's time to update their passwords. That leads users to a phishing page with a pre-filled email address and a Google reCAPTCHA form that looks to be the company's Google domain, adding the appearance of legitimacy. The landing page is dynamically rendered, changing the displayed logo and background to correspond with the authorized domain from the user's email address. The phishing page will then either ask for the email twice as confirmation or use the credentials in real-time to check the password. The user will be taken to an actual document or the organization's home page if the password is good. In the meantime, a cookie is sent to the user's browser, making the phishing page "unreachable" and preventing any further investigation. This article continues to discuss the findings surrounding the new phishing campaign involving the dynamic mirroring of an organization's login page. 

Dark Reading reports "APT-Like Phishing Threat Mirrors Landing Pages"