How Does Third-Party Phishing Impact Security Teams?

BlueVoyant
SecTor

By Itamar Gur, Cyber Threat Intelligence Analyst


Phishing is already near or at the top of every organization’s security concerns. It’s the foothold attackers use to exploit businesses and users alike by stealing credentials or personally identifiable information (PII) for account takeover attacks and fraud campaigns, distributing malware, attacking high-value corporate VIPs and executives, and more.

But as security teams and threat hunters chase down threat activity as it emerges across the open, deep, and dark web, attackers have to get creative to evade detection. In the first half of 2023, BlueVoyant’s expert cyber threat analysts began investigating one such tactic, which they first identified in 2020 but which has now dramatically increased in volume: third-party phishing.

How Does Third-Party Phishing Differ from Traditional Phishing?

Third-party phishing is a phenomenon targeting hundreds of global financial institutions. It uses intermediary sites that impersonate a brand or entity users trust and then redirect those users to a phishing page. By impersonating an ostensibly unrelated brand, threat actors can better evade detection while collecting credentials and PII from customers of a wider array of companies.

While phishing scammers use different distribution methods to lure in unsuspecting victims – phishing emails with links to their sites, links posted on social media platforms, etc. – the end goal of tricking a user into entering their login credentials, payment card information, or other personally identifiable information (PII) is always the same. Later, the threat actor collects these credentials and sells them or uses them to defraud the victim.

Third-party phishing sites, on the other hand, include some characteristics of the original flow, with an added step: the initial impersonation, which establishes credibility with the end user, is of a service that is not connected to the targeted organization. Furthermore, the third-party phishing page itself won't ask the victim to submit their personal credentials. The fraud occurs on the final phishing page to which the client has been redirected, which impersonates the chosen financial institution.

How Does Third-Party Phishing Impact Security Teams?

Third-party phishing adds a new wrinkle to the oldest trick in the book. Intermediary sites that direct victims to various phishing sites provide two benefits to attackers: they allow attackers to cast a wider net and catch more fish (so to speak), and they put another degree of separation between attackers and the threat hunters who may be on their trail.

Organizations now need to monitor not only cyber threat activity targeting their own domains, but also third-party phishing attempts that use an intermediary to direct traffic to a different phishing page that may be harder to detect on its own. The increased risk associated with one website acting as a gateway to dozens of financial institutions is substantial, and security teams will need to increase their efforts to find third-party phishing sites that could be targeting them and many of their peers.
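A minimal triage heuristic for the gateway pattern described above, as an added example that is not BlueVoyant's tooling: it flags a crawled page that has no password field of its own yet links out to lookalike hosts for two or more watched brands. The brand names, domains, sample pages, and the two-brand threshold are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical watch list: brand keyword -> official domain (constructed values).
BRANDS = {"northbank": "northbank.example", "civicunion": "civicunion.example"}

class PageFeatures(HTMLParser):
    """Collect link targets and note whether the page has a password field."""
    def __init__(self):
        super().__init__()
        self.links = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.links.append(attr["href"])
        elif tag == "input" and (attr.get("type") or "").lower() == "password":
            self.has_password_field = True

def lookalike_targets(links):
    """Map each watched brand to a linked host that names it but is not official."""
    hits = {}
    for href in links:
        host = (urlparse(href).hostname or "").lower()
        for brand, official in BRANDS.items():
            official_host = host == official or host.endswith("." + official)
            if brand in host and not official_host:
                hits[brand] = host
    return hits

def is_gateway_candidate(html, min_brands=2):
    """Return (flag, hits): no password field here, yet several lookalike targets."""
    page = PageFeatures()
    page.feed(html)
    hits = lookalike_targets(page.links)
    return (not page.has_password_field and len(hits) >= min_brands), hits

# Constructed samples: a fake parcel-notice page and a benign comparison page.
GATEWAY = """<h1>Parcel held: confirm the fee with your bank</h1>
<a href="https://northbank-verify.pay-portal.invalid/login">North Bank</a>
<a href="https://secure.civicunion-id.invalid/">Civic Union</a>"""
BENIGN = """<a href="https://www.northbank.example/login">North Bank</a>
<a href="https://civicunion.example/">Civic Union</a>"""

if __name__ == "__main__":
    for name, html in (("gateway", GATEWAY), ("benign", BENIGN)):
        print(name, is_gateway_candidate(html))
```

Pages flagged this way are candidates for analyst review, and the returned host map is what lets one finding be shared with every affected peer institution.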
