"The bouncer phishing kit targets a preset email list for each campaign. A user ID value is generated for the targeted recipients, sending them a unique URL for access to the attack," Limor Kessem, Cybercrime and Online Fraud Communications Specialist at RSA, explained in a blog post.
"Here’s the interesting part – much like a night club’s bouncer list – any outsider attempting to access the phishing page is redirected to a '404 page not found' error message. Unlike the usual IP-restricted entry that many older kits used, this is a true—depending on how you look at it—black hat whitelist."
As other, non specified potential visitors are "turned away", those at whom the attack was aimed are immediately faced with an attack page on the same hijacked website. The credentials submitted to and collected from this page are sent to the attackers.
Kessem points out that the kit is perfect for "laser-focusing" a spear phishing campaign and can be easily used in APT-style attacks.
The phishing campaign that brought the "bouncer" kit to the researchers' attention targeted some 3,000 recipients. The list of the targeted addresses contained a "mixed bag of webmail users, corporate addresses, and even some bank employees – which indicates that it was likely an aggregation of a few spam lists or data breach collections."
Apart from keeping a critical mind when perusing emails and evaluating login pages, there is not much targeted users can do to stop such attacks.
Kessem advises webmasters to make an effort to prevent attackers from easily hijacking their websites. Unfortunately, there are always those who don't know how or don't care about it, and "unguarded" sites will often "fall" and become compromised.