“My Slice”, an Italian adaptive phishing campaign – Security Affairs

Adaptive phishing campaigns tailor messages using personal data gathered from social media, public sites, and past breaches to fool victims. The Italian-targeted “My Slice” campaign used a customized, branded landing page to steal credentials, underscoring the need for awareness and stronger defenses against sophisticated social-engineering attacks.

Key points

  • Adaptive phishing campaigns collect victim information from social media, public sites, and breaches to craft convincing lures.
  • Social engineering using personal details (names, roles, company info) increases the likelihood victims will engage with the scam.
  • These campaigns can reach victims via email, text, social media, or phone calls and exploit current events to prompt rapid action.
  • The “My Slice” campaign targeted Italian email account holders with a highly customized phishing page impersonating a legitimate provider.
  • The phishing page collects credentials via a POST form, sending data to a manned server on the same domain.
  • Attack steps include passing the target’s email as a URL parameter, extracting the domain with JavaScript, fetching the logo from Clearbit, and redirecting to the target’s home page.
  • Defense recommendations emphasize awareness, training, anti-phishing filters, and AI-based threat detection to mitigate adaptive phishing.
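
A mail-filter style check for the lure pattern listed above (the target's email address passed as a URL parameter), added here as an example and not taken from the article or the campaign analysis. The function names and sample links are constructed, and the percent-encoded and base64 handling generalizes beyond the plain parameter the summary describes.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Runs long enough to be a base64-encoded address (standard or URL-safe alphabet).
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{12,}={0,2}")

def decoded_views(text):
    """Yield the text itself, then every base64 run in it that decodes to ASCII."""
    yield text
    for run in B64_RUN.findall(text):
        padded = run + "=" * (-len(run) % 4)
        try:
            yield base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue

def recipient_in_link(url, recipient):
    """Return 'query', 'fragment' or 'path' if an external link carries the
    recipient's address (plain, percent-encoded or base64), else None."""
    recipient = recipient.lower()
    domain = recipient.rsplit("@", 1)[1]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == domain or host.endswith("." + domain):
        return None  # link to the recipient's own organisation: not this pattern
    for where in ("query", "fragment", "path"):
        for view in decoded_views(unquote(getattr(parts, where))):
            if recipient in view.lower():
                return where
    return None

# Constructed sample data: recipient and links are invented for illustration.
RECIPIENT = "mario.rossi@example.org"
ENCODED = base64.urlsafe_b64encode(RECIPIENT.encode()).decode()
SAMPLE_LINKS = [
    "https://phish.example.net/wp-admin/index.html?email=mario.rossi%40example.org",
    "https://phish.example.net/login#" + ENCODED,
    "https://mail.example.org/quota?user=mario.rossi@example.org",
    "https://news.example.com/article?id=42",
]

def flag_links(links, recipient):
    """Map each suspicious link to the URL component that exposed the address."""
    return {u: w for u in links if (w := recipient_in_link(u, recipient))}

if __name__ == "__main__":
    for link, where in flag_links(SAMPLE_LINKS, RECIPIENT).items():
        print(f"recipient address found in {where}: {link}")
```

A hit is a signal to score alongside other filters, since legitimate bulk mailers also embed recipient addresses in unsubscribe and tracking links.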

MITRE Techniques

  • [T1589] Gather Victim Identity Information – Attackers collect information from social media, public sites, and breaches to tailor attacks. [‘attackers gather specific information about victims through various sources, such as social media, public websites, and previous data breaches. This data is then used to tailor attacks’]
  • [T1566.002] Spearphishing Link – The email urges recipients to check their account status via a support page, directing them to a phishing landing page. [‘The e-mail message attempts to pass itself off as support from its company, which warns the caller that the memory limit of his e-mail account has been exceeded. To remedy the problem, the message invites you to check the status of your e-mail account via the proposed support page’]
  • [T1036] Masquerading – The landing page is highly customized to resemble the targeted organization, with logos and names to appear legitimate. [‘The propounded web page is highly customized … and looks like a form with logos and names of the targeted organization’]
  • [T1056.003] Credential in Web Form – Victims submit credentials through a web form, which posts to a malicious server. [‘the information entered in the form is sent via a “POST” method to a manned server listening on the same domain’]

Indicators of Compromise

  • [URL] context – https://elinajaguar.com/wp-admin/index.html (phishing landing page), https://logo.clearbit.com/example.com (logo lookup service used in the page)
  • [URL] context – https://urlscan.io/result/08e72fcf-0f89-46c2-864c-f4d404764358/, https://urlscan.io/result/232d8b5f-aead-4064-8451-2b4d37d5c2a3/ (IoCs for the campaign)
  • [Domain] context – elinajaguar.com, example.com, www.example.com (domains used to impersonate and redirect)

Read more: https://securityaffairs.com/157914/cyber-crime/my-slice-aitalian-adaptive-phishing-campaign.html