In a world where consumer-friendly, easy-to-use software allows anyone to develop anything from mobile phone applications to websites, it should be no surprise that toolkits aimed at making phishing attacks easier than ever before are appearing on a daily basis. These ‘phishing kits’ are usually not around for any length of time: it doesn’t take long before security vendors or internet providers, often cooperating with authorities, take them down or blacklist the sites created using them.
A recent study by Imperva provided information on the methods used by phishers when they develop phishing kits, which allow phishing websites to be built in what has been called an ‘easy to deploy’ format. The study examined over 1000 of these free ‘phishing kits’ in an effort to get under the skin of what can now be characterized as an increasingly complex and rapidly maturing phishing industry.
Phishing attacks are not going away anytime soon; in fact the problem is getting worse, in part because of the increasing availability of phishing kits that turn the building of phishing sites, a vital resource for anyone engaged in this activity, into relative child’s play.
Phishing attacks – Specialized skillsets in play
Some of the findings of the study might surprise security experts. One is that phishing now exhibits many of the attributes of a diversified industry. In past years, phishing ‘projects’ were the domain of highly skilled operators who would develop, execute and manage an entire phishing campaign and then reap the benefits of the attack. Today the phishing domain is much more ‘role-based’: many teams with different skillsets fulfil different roles. The modern cybercriminal subcontracts portions of the project (such as building the phishing sites) and focuses on large-scale exploitation of the gathered data, such as passwords, thus increasing revenue.
DIY – The phishing campaign revolution
There can be no doubt that phishing is evolving. There is now a closer relationship between phishing technology developers and those who run the phishing campaigns, and this has led to the proliferation of so-called ‘DIY Phishing Kits’. The attraction of these kits is that they dramatically reduce the cost and labor involved in developing a phishing campaign. The knock-on effect of free phishing kits being available on the Internet has been a lowering of the barrier to entry for anyone who wishes to engage in phishing. These kits make it extremely easy to create copies of target websites and steal valuable information, and they are evolving at a rate which makes ongoing protection against phishing almost impossible. It is becoming apparent that all security professionals can do is be reactive and deal with phishing attacks as and when they occur. An analogy between the flu virus and phishing is apt: develop a vaccine against the flu and it is well-nigh useless when the next iteration of the virus strikes.
Nothing in life is free
When the aspirant (read: naïve) phishing campaigner sources a phishing kit for free, they are going to get exactly what they pay for. What they are in fact doing, in most cases, is providing the developer of the kit with a back door to the information the campaigner gathers; they are in essence unpaid data gatherers. Even after factoring in the cost of developing the kit, the developer has the opportunity to enjoy an incredible return on investment. The study surmises that this is the main reason behind the spread of free phishing kits on underground sites.