A look inside the phishing business

Times are good for online criminals. Phishing has been a problem for years, but thanks to the booming online criminal economy, it has never been easier or cheaper for black hats to harvest account details for financial and other web sites. A report from Israeli security firm ClearSky Cybersecurity shows that you can get a fake website to fuel your phishing campaign for the price of a decent bottle of wine.

Cybercrime has mirrored many other economies, developing into a vibrant, customer-focused marketplace. Online service providers are happy to meet your nefarious needs. ClearSky trawled dozens of popular Russian and English-speaking underground forums online to find them. Its operatives contacted them, and chatted via instant messaging to find out what they had to offer.

Phishing sites are cheap

The company’s report shows that would-be phishers can get themselves a fake banking page on the cheap. As little as $20 will yield a duplicate page. As with most things, though, you get what you pay for. There are two ways to produce a fake page: by duplicating it, or by developing it from scratch. The latter can cost up to $200.

The difference between the two may be important for phishers who want to sustain their attacks, and one of the vendors that the researchers contacted explained why: the anti-phishing technology in Chrome or Safari will quickly expose duplicate sites, they said.

Browser vendors identify phishing sites by comparing them against a known list of malicious domains and by using reputation analysis, according to Sergey Shykevich, the head of research at ClearSky who wrote the report. He suggests that their analysis may also include checking any URLs in the code of the duplicated pages. A URL for the original legitimate site buried in a fake site’s code could easily give the game away.
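The leftover-URL check described above can be sketched from the defender's side. This is an added example, not code from the ClearSky report or from any browser vendor; the function names, the domains, the sample HTML and the choice to require a password field are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect URL-bearing attributes and note whether a password field exists."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value)
            if tag == "input" and name == "type" and (value or "").lower() == "password":
                self.has_password_field = True


def _host_matches(host, domain):
    # Exact host or a true subdomain; "notexamplebank.test" must not match.
    return host == domain or host.endswith("." + domain)


def leftover_brand_refs(html, hosting_domain, brand_domain):
    """Return URLs pointing at brand_domain found in a login page hosted elsewhere."""
    hosting_domain, brand_domain = hosting_domain.lower(), brand_domain.lower()
    if _host_matches(hosting_domain, brand_domain):
        return []  # served from the brand's own domain: nothing to flag
    collector = _RefCollector()
    collector.feed(html)
    if not collector.has_password_field:
        return []  # assumption: only pages asking for credentials are of interest
    hits = []
    for url in collector.urls:
        host = (urlparse(url).hostname or "").lower()  # relative URLs have no host
        if host and _host_matches(host, brand_domain):
            hits.append(url)
    return hits


# Constructed sample: a copied login page that still loads assets from the original.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://www.examplebank.test/static/site.css">
</head><body><img src="//cdn.examplebank.test/logo.png">
<form action="/collect.php" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>
<a href="https://help.example.org/faq">Help</a></body></html>"""

if __name__ == "__main__":
    print(leftover_brand_refs(SAMPLE, "login-portal.example.net", "examplebank.test"))
```

A non-empty result is a signal to weigh alongside blocklists and reputation data, not a verdict on its own, since legitimate partner or single sign-on pages can also reference a brand's assets.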

Developers also claim to add filters that further protect their fake pages from scanners and bots. Those touting fake site development services suggest that they can enable online criminals to dodge site scanners for longer.

Value-added victimization

Sometimes criminals want more than just a fake banking login page; they want to dupe the victim into entering their credit card details. The price for a separate secondary page handling that task trends higher because of the back-end logic necessary. An online ne’er-do-well can expect to pay anywhere from $100 to $250 for a page that collects card and CVV numbers, but there are some good deals on offer for as little as $50.

Other value-added services available online include control panels that allow criminal users to collect the necessary data, including the login credentials and the machine used to access the fake page. They can use the dashboard to analyze the data at their leisure.

This all shows that the cost of entry for phishing is appallingly low, which explains why so much of it goes on. It still tops the list of threats to organizations, according to the latest SANS 2017 Threat Landscape Survey. Just over 70% of the 263 US IT pros in the survey had seen phishing, spearphishing or whaling in their organization, and around a third of the respondents identified it as having significant impact (more than ransomware, which came in second with 20%).

We’ve seen some nasty phishing scams lately. Scammers have targeted Raiffeisen Bank customers with a fake page that gathers their details and then persuades them to download mobile malware in the guise of a banking app. Phishing has also spread to less conventional areas of finance: cryptocurrency.

Where phishing went next

This report (along with this thread) suggests how phishing attacks can become more powerful as back-end systems become more frictionless. One of cryptocurrency’s main attractions is the ability to move it around seamlessly and immutably in seconds, and that can work in a phisher’s favour. Data from cryptocurrency analytics and fraud prevention firm Chainalysis says that nearly 17,000 people collectively lost $115m in cryptocurrency thanks to phishing on the Ethereum platform during the last year. That represents almost half of all Ether-based cybercrime losses.

Phishing attacks tend to be motivated by two broad things, according to the Verizon 2017 Data Breach Investigation Report (DBIR). Around a quarter of them were driven by espionage, or by state-affiliated or nation-state actors, according to the report, while the remainder came from financially-motivated organized criminal groups.

Neither phishing nor ransomware is going away. Turnkey fake sites have already evolved into another, even more customer-friendly offering: phishing as a service. These providers will manage the entire operation for you, from web site creation to email propagation and hosting. The onslaught of annoying and potentially damaging mails looks set to continue for a while yet.

