In a world where consumer friendly, easy to use software which allows for the development of anything from mobile phone applications to websites it should be no surprise that tool kits aimed at making phishing attacks easier than ever before are appearing on a daily basis. These ‘phishing kits’ are usually not around for any length of time. It doesn’t take long before security vendors or internet providers – often cooperating with authorities take them down or blacklist the sites created using these phishing kits.
A recent study by Imperva provided information on the methods used by phishers when they develop phishing kits that allow for the development of phishing web sites in what has been called an ‘easy to deploy’ format. The study examined over 1000 of these free ‘phishing kits’ in an effort to get under the skin of what can now be characterized as an increasingly complex and rapidly maturing phishing industry.
Phishing attacks are not going away anytime soon – in fact the problem is getting worse – in part due to the increasing availability of phishing kits that make developing sites that provide a vital resource for those engaged in this activity relative child’s play.
Phishing attacks – Specialized skillsets in play
Some of the findings of the study might surprise security experts. This includes the fact that phishing exhibits many of the attributes of a diversified industry. Whereas in past years, phishing ‘projects’ were the domain of highly skilled operators who would develop, execute and manage an entire phishing campaign and then reap the benefits of a phishing attack. Today the phishing domain is much more ‘role-based’. The new approach sees many teams with different skillsets fulfilling different roles. The modern cybercriminal now subcontracts portions of the project (like building phishing sites) and focuses on large scale exploitation of the data such as passwords that are gathered, thus increasing revenue.
DIY – The phishing campaign revolution
There can be no doubt that phishing is evolving. There is now a closer relationship between phishing technology developers and those who run the phishing campaigns. This has led to the proliferation of so called ‘DIY Phishing Kits’. The attraction of these kits is that they dramatically reduce the costs and labor involved in the development of phishing campaigns. The knock-on effect of the availability on the Internet of free phishing kits has been the lowering of the barriers to entry for those who wish to engage in phishing activity. These kits make it extremely easy to create a copy or copies of target websites and steal valuable information – and they are evolving at a rate which makes ongoing protection against phishing almost impossible. It is becoming apparent that all security professionals can do is be reactive and deal with phishing attacks as and when they occur. An analogy between the flu virus and phishing is apt – develop a vaccine against the flu and it is well-nigh useless when the next iteration of the virus strikes again.
Nothing in life is free
When the aspirant (read: naïve) phishing campaigner sources a phishing kit for free they are going to get exactly what they pay for. What they are in fact doing in most cases is providing the developer of the kit with a back door to the information the campaigner is gathering. They are in essence unpaid data gatherers. Even factoring in the cost of developing the kit the developer has the opportunity to enjoy an incredible return on investment. The study surmises that this is the main reason behind the spread of free phishing kits on underground sites.
Extending the lifespan of phishing attack sites
In an effort to extend the lifespan of the sites, developers have taken to installing mechanisms that block unwanted visitor from the sites. This gives the appearance that the site is not functioning – diverting attention from it while it continues to be accessible to those who are being targeted by the phishing attacks. Once again, risk to those operating the sites is reduced and the ROI of the owners is increased. There are several common methods of preventing access, including:
- .htaccess files — contain a list of blocked IP addresses related to search engines and security companies bots
- .txt files —used to prevent bots from accessing specific remote directories
- PHP scripts — dynamically check if the remote IP address is allowed to access the phishing pages
In addition, those who run the phishing attack websites also use the strategy of randomly redirecting the visitor to a new site which mirrors the existing sites’ content – this to a certain extent avoids blacklisting. The study showed that 13% of phishing sites used this strategy of randomizing the URL by employing the following steps:
- Create a random phishing kit subdirectory on the site
- Copy the content of the entire kit inside it
- Redirect the visitor to the newly generated random location
A summary of the phishing attack ecosystem
Phishing campaign operators are trying to find ways to extend the life expectancy of their pages and servers and increase their ROI.
The business model that resembles traditional industrialized processes has emerged – this is driving the production of increasing numbers of ‘free’ phishing kits – and dramatically increasing the number of phishing attacks.
As various features have been introduced to make phishing sites more efficient and to extend the life expectancy of their pages, phishing kits have become actively promoted and distributed at no charge on ‘dark’ sites. However, free phishing kits often hide implicit recipients who receive the phished information at the same time as those who have set up the phishing site. Attackers therefore decrease their effort and risk, and increase their return on investment by leveraging the work of inexperienced criminals who deploy their kits.
At least 25% of phishing kits contained hidden recipients that transmitted the stolen information to third parties (likely the original kits’ authors).
It also seems that the growth in phishing attacks is the work of a relatively small group of developers. About half of the kits were created by this small group of experienced phishers, while almost a third of the kits belonged to 3 large clusters. This shows that phishing kits come from a restricted number of sources.
The future of phishing attacks
As the ‘science’ and industrial production of ‘free’ phishing kits grows in complexity, it is inevitable that individuals and organizations will continue to come under attack. This includes malicious attempts to obtain passwords and similar information – as well as the use of ransomware to extort monies from these organizations.
So what can organizations do? According to Luda Lazar, security research engineer at Imperva:
“Since many of the phishing sites redirect victims to the legitimate target site, a web application firewall (WAF) on the legitimate target site can detect phishing attempts through these references. Effective protection requires staying current with the dynamics of phishing campaigns which could include use of communal threat intelligence services that track phishing campaigns and then update security controls accordingly.
“Moreover, in the tight race between cyber criminals and cyber security systems, security officers should always assume they will lose some of the battles. Thus, a comprehensive security solution should not restrict itself to prevention. It should also include post-infection mechanisms, in this case, breach detection tools to detect compromised machines or accounts through the hackers’ attempt to abuse enterprise data and automatically quarantine the compromised asset, thereby preventing further access.”
Importantly, it is up to the security professionals who are the gatekeepers of information technology in the organization to educate those who might be subject to phishing attacks. This is especially true when it comes to education initiatives aimed at C-Suite executives who may have access to tremendously sensitive information.
