Geotargeting tools are allowing phishing campaigns to home in on potential victims

Hackers are using geotargeting tools to tailor phishing attacks to specific locations, according to research published Thursday.

Researchers from security company Avanan said they have found evidence that phishing actors are using Geo Targetly — a tool deployed by businesses to customize advertising based on a recipient’s location.

“In this attack, hackers redirect users via Geo Targetly … and provide them with customized, localized phishing pages,” the researchers said.

In one email shared by Avanan, the phishers sent a message in Spanish about a subpoena for speeding. Included in the email was a link that took victims to a page on Geo Targetly.

The platform determines a user’s region without the user’s knowledge and redirects them accordingly. 

Using Geo Targetly, hackers can create phishing links that take users in certain regions to fake login pages that look identical to legitimate ones.

The researchers said the personalization makes it more likely that victims will fall for an attack and click on a link.

“The redirect is legitimate and the content would be relevant to their language and region,” they said.

“In this example, the original email starts in Colombia, and so if the user is in Colombia, they will be redirected to a Colombian government look-a-like page. If they are in Argentina, they will be redirected to an Argentinian page. And so on.”

The tool allows hackers to attack multiple users in multiple parts of the world at once. This capability will give hackers more reason to invest in “spray-and-pray” methods, in which they throw thousands of phishing emails out and see what comes back, the researchers said.

The researchers urged people to check the URLs in emails and in browsers before proceeding.

Like a URL shortener

Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, said the method was “a fairly widespread attack” and noted that this is the first time the company has seen the Geo Targetly service used.

Fuchs said Avanan had not contacted Geo Targetly about the issue because “it's not a vulnerability in their service."

In a statement to The Record, a spokesperson for Geo Targetly confirmed hackers have used the service to target phishing attacks at users in specific countries and regions.

Geo Targetly argues that the Geo Link service is effectively a URL shortener similar to Bitly that can route to different URLs based on user location.

The spokesperson said it is common for hackers to hide the final destination URL behind a public URL-shortening domain — a problem “faced by many other URL shortening companies such as Bitly and smartURL.”

“We have also seen an increased amount of phishing attacks conducted this way in the crypto industry after the recent popularity in this sector,” they said.

“As this is a concern from our end over the past several years, we have actively taken steps to combat this. We run URL malware and phishing scanners such as Google Safe Browsing on every URL created in our Geo Link product. Any detection of malware or phishing URLs automatically disables the Geo Link.”

The company admitted, however, that these efforts are not “100% bulletproof” because hackers can still create a newly hosted website that has not yet been classified as related to phishing or malware by antivirus vendors.

The company recently removed the Geo Link product from its free trial and said this “substantially” reduced the use of the product for phishing purposes.

One other effort the company has made to limit abuse is mandating that the creation of new accounts can only be done with legitimate company domain email accounts.

“Nevertheless, we still see hackers paying for our service for this purpose and hence we manually check through URLs created in our system to identify such bad actors,” the spokesperson said.

“We are continuing to identify methods to detect such phishing URLs including the use of AI. Once we become aware of bad actors in our system we immediately disable their account including blocking their credit card to prevent any further payments.”