Our website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Avanan Report: Using geotargeting to customize phishing

by Staff GBAF Publications Ltd
0 comment
man using digital device make payments online shopping and icon customer network conne SBI 301984815

In a global marketplace, the ability to geotarget is huge. Essentially, it means that businesses can tailor their advertising to the recipient’s location. Someone in New York may get a different ad than someone else in France. That makes the ads more valuable for businesses, and more personalized for consumers.

There’s another group of people who want to personalize their offerings – hackers. This allows hackers to send one message to different people across the globe, providing geo-specific phishing content. This allows the threat actors to send custom phishing by language and region to their intended target. 

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how threat actors are geo-targeting websites to advance their phishing schemes. 


In this attack, hackers redirect users via Geotargetly, a geo-targeting platform, and provide them with customized, localized phishing pages. 

  • Vector: Email
  • Type: Credential Harvesting, Redirect
  • Techniques: Social Engineering, Impersonation, Geotargeting
  • Target: Any end-user

Email Example #1

This email is in Spanish and was sent originally to users in Colombia. Here’s the rough translation.

Subject: Notification of subpoena for excess of maximum speed allowed on urban roads of 60 km/h


Use the Virtual Appearance button (virtual hearings and payment settlements) or request the settlement by email

Link: SEE COMPARED 24755693025


When the user clicks on “See Compared”, the end-users will be redirected to a page hosted on GeoTargetly. GeoTargetly is a legitimate website that allows advertisers to redirect users to pages and ads in their local markets. For example, a New York-based viewer would get something in English, localized to New York. Someone in France will get a page in French.

In this example, the original email starts in Colombia, and so if the user is in Colombia, they will be redirected to a Colombian government look-a-like page. Here’s where it goes:

If they are in Argentina, they will be redirected to an Argentinian page. And so on.

The original email is essentially about a local traffic ordinance–which may not be enough to get people to click. However, the email itself is not what’s interesting–what is interesting is the ability for hackers to customize their attacks by region, and to attack multiple users in multiple parts of the world at once. 


Spray-and-pray is a common technique of threat actors. The idea–throw a bunch of things at the wall and see what sticks. The name of the game is volume, and criminals are hoping for a few successful phishes here and there.

The attack above is a different kind of spray-and-pray. It allows for the ability of hackers to target a large number of people at once, and ensure that it’s relevant, and localized. It’s spraying without the praying. 

Using the Geotargetly redirect, a hacker can create a phishing link that redirects users in a certain region to a fake login page that looks identical to the original one. This personalization increases the chances of a user falling for the attack. The redirect is legitimate and the content would be relevant to their language and region. 

This has increased the likelihood that spray and pray campaigns are working and would allow hackers to operate on a global nature seamlessly. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Check URLs in email and in browser before proceeding
  • Confirm with IT if the site is legitimate