Photon Research Team Uncovers Spammers Setting up Phishing Businesses for under $20 – with no technical knowledge or experience
February 2020 by Digital Shadows
Digital Shadows reveals new research assessing the ecosystem behind phishing – an attack vector responsible for the majority of cyber-attacks. In research produced by the firm’s Photon Research Team, Digital Shadows finds it has never been easier for aspiring cybercriminals to impersonate companies and lure victims to fake websites. And potential profits are huge with some ‘salaries’ being promised of between $5 and $10k a week.
The Photon Research Team analysis entitled From Minnows to Marlins, the Ecosystem of Phishing used Digital Shadows SearchLight to analyze many of the popular marketplaces and forums frequented by cybercriminals. It found that phishing page templates and clones impersonating some of the biggest brands in the world, are being priced and sold from just $1.88. These templates aim to masquerade as legitimate companies and trick recipients into handing over sensitive information, like credentials, password resets or notifications of suspicious activity.
The analysis details from start to finish how criminals create, distribute, steal data, and monetize phishing emails and pages. Many criminals begin by using phishing email templates, often indistinguishable from the real thing which use the same exact assets (e.g. images, fonts, and wording). Criminals can then combine these with ‘clone’ websites, the cost of which start under $2.00. After purchasing a cheap domain and email contact lists (with 10m email contacts being advertised for just $12.99) spammers can launch a campaign for under $20 with little technical knowledge required.
Criminals can also automate some of their processes via phishing-as-a-service (PHaaS) options that allow an attacker to rent the infrastructure needed to conduct phishing attacks. Procuring and setting up backend infrastructure can be time consuming, expensive, and difficult without certain expertise. The prices of these services can vary but one advertised at $150 a month promises all the tools a criminal could need including ‘access to your own admin panel and phishing files for upload on your host’.
Potential rewards could be high. One cybercriminal advises they are ‘looking for a spamming partner’ with promised earnings between $5 to 10k per week. It asks that the applicant has a ‘high inbox rate’ and ‘prefers a spammer that uses botnet to spam’.
The study also suggests that some spammers are acting just like professional marketers. They are using industry-leading marketing technologies to track email metrics including delivery, open and click-through rates. These can help attackers optimize their spam efforts by tracking the interactions of the victims. Atomic Email Tracker, for example is a legitimate software, of which cracked versions are frequently listed for sale for as little as two dollars on cybercriminal marketplaces or traded for free on forums.
Harrison Van Riper at Digital Shadows comments: “Most of us within the cyber security community believe that if the phishing issue could be stopped then we’d eliminate a significant proportion of all cybercrime. Unfortunately, there is no sign of this happening anytime soon. It has never been easier for a phisher to set themselves up in business. Many of the templates and fake clone sites we discovered are extremely convincing and impersonating hundreds of brands.”
Digital Shadows advises that organizations take the following precautions:
1. Limit the information your organization and employees share online, including on social media sites. The most successful phishers perform detailed reconnaissance so they can craft the most effective emails and social engineering lures.
2. Monitor for registrations of typo-squatted domains that attackers can be used to impersonate your brand, send spoofed emails, and host phishing pages.
3. Implement additional security measures, such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). These can make the spoofing of your domain more difficult. Check out our detailed practitioner’s guide to combating email spoofing risks.
4. Protect your accounts in case phishers do manage to steal user credentials. Two-factor authentication measures should be mandated across the organization and implemented whenever possible.
5. Train your employees how to spot phishing emails and, more importantly, give them a clear and recognized reporting method to alert security teams of suspected phishing attempts. Eventually, a phishing email will fall through the net. Employees need to know how to react to these quickly and should not fear any repercussions of being the victim of a social engineering attack.