Spammers have always been seen as the pond scum of the cyber crime world. No technical skill and little investment is required, and the attacks are easily thwarted by automated tools; even if a spam email does slip through, it is unlikely to do any damage so long as the recipient has any skepticism about the Prince of Uganda contacting strangers out of the blue for exciting financial opportunities. A new study of the phishing ecosystem by Photon Research Team indicates that spammers are stepping up their game, however.
It’s not that they’re getting smarter or more competent; it’s that the cost and technical barriers of entry to running phishing email campaigns are now so low as to be trivial to even an amateur with a shoestring budget.
How spammers got their groove back
As phishing becomes both simpler to do and more sophisticated in its presentation, experienced spammers find themselves ideally positioned in the phishing ecosystem with their existing email experience and infrastructure.
All they need are premade tools, which are easy to find from merchants on the dark web. The Photon study found that phishing templates, infrastructure and tutorials widely available from underground forums were priced such that gathering the tools for such an attack would cost about $20 and setting up a pre-made attack page could be done for an additional $24. Raw rookies could add a step-by-step tutorial to the shopping cart for about another $23. If one simply wants a phishing page template and can handle the email campaign and web hosting on their own, these can be had for just $2 to $3 per page.
The most affordable phishing pages and tools are those designed to simulate retail sites; it’s thus no surprise that this sector is so heavily targeted. Tools for cloning the appearance of a legitimate bank are the second most common, but these are a premium product: about $68 on average to set up a clone of a legitimate bank website, and clones of the biggest banks can go for hundreds of dollars.
The Photon study points out that most criminals in the phishing ecosystem, whether newly converted spammers or experienced pros, are now buying premade page clones since they are so affordable and convincing. Fake bank pages designed to steal user logins go for about three times the price of any other type of page on average, because phishers are virtually guaranteed to make some money with them if anyone bites on their email links: direct access to a bank account lets them simply transfer money out.
The study incorporated a little over 100 ads for phishing services posted on about half a dozen well-known underground forums over the past 2.5 years. Though bank tools and templates go for the most money, the greatest amount of interest in the phishing ecosystem appears to be in cloning ecommerce sites. Many ads also package together a variety of email templates and tools for multiple business types.
Players in the phishing ecosystem
The report indicates that while spammers are having no trouble converting to phishing attempts, those that do not have technical hacking skills are generally limited to going after small targets by employing their spam botnets to work in bulk. They tend to cast a broad net of generic emails. Spearphishers who carefully gather information on a particular target and send them highly tailored personal emails are still more rare in the phishing ecosystem, and tend to be more technically proficient hackers.
One trend among novice phishers is cloning social media and email login pages; templates and tutorials for these are widely available. Novice phishers still tend to get small details wrong, but the report makes the point that somewhat sloppy phishing attacks might actually be helping the spammers to more quickly identify their target audience. If a target sees these mistakes and clicks on the links or shares sensitive information anyway, they are no doubt among the most gullible or naive out there. Some level of sloppiness may also be helping these emails slip past automatic spam filters that rely on pattern recognition.
Another focus that these novice phishers have is on expanding their existing botnets. Instead of trying to clone a legitimate business, they may simply try to pass malware that compromises the target and ropes it in. This is much simpler than attempting to clone an existing site. The spammers can then make a profit by renting their expansive botnet out to other criminals in the phishing ecosystem.
Dealing with the new phishing threat
The report contains all sorts of other fascinating information about the phishing ecosystem, but it concludes with some practical advice on dealing with this new world of easily accessible phishing scams.
The security researchers suggest a company policy of limiting information shared via social media, which helps to deter spearphishers. Organizations should also proactively scan for the registration of lookalike domain names, implement two-factor authentication across the network and train all employees in how to recognize and report phishing emails.
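The report's advice to scan proactively for lookalike domain registrations is easiest to act on with a watch list of the variants a phisher is most likely to register (typos, transpositions, homoglyphs, alternate TLDs, "login-" or "-secure" prefixes and suffixes). The script below is an added example, not code from the Photon report or its authors; the brand domain examplebank.com, the homoglyph table and the TLD list are constructed for illustration. It generates the candidate list offline and checks observed domains (for instance from a newly registered domain feed or inbound mail headers) against it.

```python
"""Generate lookalike-domain candidates for a brand domain so a defender
can check whether any of them have been registered.

Added example, not from the Photon report: the brand domain, the
homoglyph table and the TLD list below are constructed for illustration.
"""

# Constructed homoglyph table: characters commonly swapped to fool the eye.
HOMOGLYPHS = {
    "o": ["0"],
    "l": ["1", "i"],
    "i": ["1", "l"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
    "m": ["rn"],
    "w": ["vv"],
}

# Constructed list of alternate TLDs a registrant might choose.
ALT_TLDS = ["net", "org", "co", "info", "biz"]


def _split(domain):
    """Split 'label.tld' into its two parts."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def lookalike_candidates(domain):
    """Return a sorted list of candidate lookalike domains for `domain`."""
    label, tld = _split(domain.lower())
    candidates = set()

    # 1. Character omission: "examplebank" -> "exaplebank"
    for i in range(len(label)):
        candidates.add(f"{label[:i]}{label[i + 1:]}.{tld}")

    # 2. Adjacent transposition: "examplebank" -> "exmaplebank"
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        candidates.add(f"{swapped}.{tld}")

    # 3. Character repetition: "examplebank" -> "exaamplebank"
    for i in range(len(label)):
        candidates.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")

    # 4. Homoglyph substitution, one position at a time: "examplebank" -> "examp1ebank"
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            candidates.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")

    # 5. Hyphen insertion: "examplebank" -> "example-bank"
    for i in range(1, len(label)):
        candidates.add(f"{label[:i]}-{label[i:]}.{tld}")

    # 6. TLD swap: "examplebank.com" -> "examplebank.net"
    for alt in ALT_TLDS:
        if alt != tld:
            candidates.add(f"{label}.{alt}")

    # 7. Prefix/suffix words phishers favour: "login-examplebank.com"
    for word in ("login", "secure", "account"):
        candidates.add(f"{word}-{label}.{tld}")
        candidates.add(f"{label}-{word}.{tld}")

    candidates.discard(domain.lower())  # never flag the real domain
    return sorted(candidates)


def is_lookalike(observed, brand_domain):
    """True if `observed` is in the candidate set for `brand_domain`.

    Intended for checking newly registered domain feeds or inbound
    sender domains against the watch list.
    """
    return observed.lower() in set(lookalike_candidates(brand_domain))


if __name__ == "__main__":
    brand = "examplebank.com"  # constructed brand domain
    watch = lookalike_candidates(brand)
    print(f"{len(watch)} candidates generated for {brand}")
    for d in watch[:10]:
        print(" ", d)
    # Constructed sample of sender domains seen in inbound mail.
    for seen in ("examp1ebank.com", "examplebank.net", "example.org"):
        print(seen, "->", "WATCH" if is_lookalike(seen, brand) else "ok")
```

In practice the generated list is fed to a daily WHOIS or passive-DNS check, and any hit that resolves to a live web server is reviewed; the candidate generator itself needs no network access, so it can also run inside a mail gateway rule to flag sender domains that match.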