What Is Clone Phishing?

As more organisations educate users on phishing, attackers find new ways to bypass their training and trick users into falling for credential theft. Clone phishing, similar to thread hijacking, is a newer type of email-based threat where attackers clone a real email message with attachments and resend it pretending to be the original sender. The attachments are replaced with malware but look like the original documents.

Let’s say that you have a business process where you send a document to a customer in an email, have them sign it, and then the customer sends the document back in an email. Using clone phishing, an attacker sends a message or begins the process of receiving an email from your business. When the reply message is sent, the attacker switches out the legitimate document attachments for a virus. If your employees are unable to detect malicious email attachments, they might be tricked into installing malware on their machines.

Clone phishing doesn’t always work with email message replies. Sometimes, the attack is carried out by copying an email message commonly sent by a known business entity and sending a targeted recipient a copy of the legitimate email. This malicious email contains malware attachments used to install rootkits, ransomware, or any other form of software used to steal data.

The way an attacker gets the original message depends on the way you do business. You could send a welcome email message to every user who signs up for a newsletter or send a PDF document for users to sign to approve transactions. Another avenue of opportunity is using customer service email messages. The attacker contacts customer service and replies with a message that contains malicious content.

Regardless of the initial message, clone phishing is often successful since recipients receive a reply to a legitimate email rather than a new message in a standard phishing attack. Email filters will also more likely allow a malicious reply since it’s sent from a legitimate user and sent using legitimate channels.

Some clone phishing attacks target specific users, but attackers will often send several messages at the same time to random employees. It only takes one employee to fall for the attack to compromise an organisation’s network. Ransomware is one of the most common malware attacks used in clone phishing, but the payload from the malicious attachments could be anything from rootkits that give anyone access to the employee’s machine remotely or simple keyloggers that steal passwords.

Clone phishing is much more difficult to detect than a standard phishing message. In a standard phishing message, the content is usually poorly written and comes from an unknown source. With clone phishing, the user recognises the message, making it easier for the attacker to trick the recipient.

As an example, most users are familiar with the way a PayPal message is structured. PayPal sends balance emails every month for users with finance accounts. An attacker might clone a PayPal message telling the recipient that their balance must be paid. Instead of linking to the legitimate PayPal site, the button points to an attacker-controlled server spoofing the PayPal website.

In a business example, suppose that you have a message sent every time a reader signs up for the corporate newsletter. The message has the reader’s email address with any messages and attachments they might send you. An attacker might copy the message you normally receive and replace links with ones that point to a site to trick users into divulging their credentials or downloading malware.

Clone phishing is often sent from a legitimate email address, so no email spoofing is necessary (although sometimes spoofing is used as well). Since the email is from a legitimate address and not spoofed, the message is also passed to the user’s inbox regardless of the cybersecurity in place to stop malicious email messages.

It’s always a challenge for employees to recognise a legitimate email from a cloned one. The challenge for security teams is to educate users through security awareness training programmes on the many ways attackers use the email system to compromise a business network. Detecting a phishing email requires human intuition and the ability to detect nuances related to phishing attacks.

If an email is strangely worded or plays on a user’s sense of urgency, it could be a phishing attack. Cloned emails might have good grammar and spelling, but most strategies involve pushing a targeted recipient into performing an action without first thinking about its implications. Usually, users realise an email is a phishing attack when it’s too late and after they install malware or leak their credentials.

Any email that wants users to take quick action without giving them time to think about consequences should be dealt with accordingly. Attackers will threaten users with account closure, money loss, or legal issues to push them into falling for the clone phishing email. An email might have a malicious link telling users to click it and log in before losing their account or reply to the email with sensitive information or face job loss.

Instead of clicking on links, users should type the domain into their browsers. Links lead to a few different types of phishing pages. The link might point to a page that looks like an official company’s authentication page in an effort to trick users into divulging their credentials. It might point to a page that looks like a third-party authentication page such as Google or Office 365. Another option might be pointing to a page that downloads malware on the targeted user’s device.

Messages in a clone phishing attack are never the same, but they often have similar elements. The message usually has wording that makes it seem like an urgent issue, and it has a malicious link or file attachment.

The following is an example message:

Subject: Urgent issue with your account
Message: Hello, thank you for contacting Fake Company with your request. Click here to read the message from our customer service representative. [insert malicious link]

In the subject line, the message conveys a sense of urgency to the recipient. The message pretends to be from an official company, and it’s a clone of the fake company’s automated customer service message. 

An attacker will send this message to potentially thousands of people hoping to get credentials that will be sold on darknet markets.

Both clone and spear phishing have some similarities, but they have distinct differences and strategies. They are both effective at compromising a business environment, but they have distinct strategies. In both cases, businesses need effective cybersecurity training to empower users to better detect them.

Spear phishing strategies target high-privilege users. An executive, HR employee, accountant, or network administrator are examples of high-privilege users. High-privilege users are those with extensive access to sensitive data. With these credentials, an attacker gains access to valuable information that could be used to sell on darknet markets.

Another advantage of high-privilege access is the ability to scan the network with elevated authority. Ransomware or rootkits running on high-privilege credentials might have access to shared storage spaces that would otherwise be blocked on lower-privilege accounts.

Clone phishing might use elements of spear phishing, in that it might target high-privilege users, but standard spear phishing uses any message. In a clone phishing attack, the message is a familiar one used by an official business or by the targeted business itself. The message might be a reply from an automated message sent by the targeted business, or it could be a clone of an official message of a business the targeted organisation works with.

Corporations can take several cybersecurity steps to stop clone phishing attacks. It’s a challenge for users to identify malicious email messages and leaving cybersecurity to human interception increases the risk of failure. Insider threats are a significant cybersecurity issue, and phishing email messages are a primary vector for gaining access to an environment. Preventing a successful phishing attack involves employee training, email cybersecurity, and access controls to limit the damage.

Email filters stop phishing messages from reaching the targeted recipient. Instead of relying on human intervention, email filters block potentially malicious email messages. The messages are quarantined, and an administrator can review them and determine if it’s phishing or a false positive.

Users can also take part in good email cybersecurity, but they must be trained to identify phishing emails, this can be done through security awareness education. Even with the best training, a user not paying attention to signs could fall victim, so do not use training as your sole defence. Users should be trained to look at sender addresses and verify the legitimacy of an email message by either calling the contact or sending a direct email to the contact for verification. Never click links embedded in the email. Instead, type the domain into your browser.

If a user identifies a phishing email, send a message to administrators or whoever is in charge of email to alert them to the threat. If the organisation is a target for attackers, more users could receive the same malicious message. Administrators aware of the attack can take necessary precautions and send a warning message to all employees within the organisation.