Commodity phishing kits are making it easier for unskilled criminals to run sophisticated phishing campaigns for a low price, according to a report from cloud security provider Cyren.
Researchers at Cyren have come across more than 5,000 different kits since the beginning of 2019, with most selling for between $50 and $80 per month. The researchers warn that as these refined tools become readily available, the quality of the average phishing campaign can be expected to increase dramatically.
“A straight line can be drawn between the availability of such kits and turn-key phishing platform services and the growth in evasive phishing—phishing attacks that use tactics to confound detection by email security systems,” the researchers state.
“Today’s reality is that we are seeing more evasive phishing campaigns in the hands of more attackers at less effort and lower cost than in the past, as technically sophisticated phishing attack developers have adopted a SaaS business model to let even the most amateur criminal wanna-be spoof targeted web sites with a high degree of authenticity and embedded evasive tactics.”
87% of these phishing kits displayed at least one type of evasive capability to help them bypass security mechanisms. The two most common evasion techniques were HTML character encoding and content encryption, both of which involve obfuscating the actual code while the phishing page is displayed clearly.
Another more recent development is the growing use of cloud services to host phishing sites, so that the user sees a URL belonging to a trusted organization in the address bar. The researchers predict that phishing kits will soon incorporate multiple evasive tactics as a standard feature.
“One expectation for the future is that phishing developers will begin to combine many techniques together, as we’ve seen with malware,” they write. “I recall a single piece of malware that did 26 different checks to try and avoid detection—we expect phishing to continue to evolve in this direction, with layers of detection evasion techniques being used.”
The proliferation of high-quality, low-cost phishing kits is a sign that any attacker can compete with the latest security technologies. In order to tackle this threat, organizations need to focus on the people who are targeted. New-school security awareness training can give your employees experiential knowledge of phishing attacks so that they can thwart the threats that make it past your technical defenses.
Cyren has the story: https://www.cyren.com/blog/articles/evasive-phishing-driven-by-phishing-as-a-service
Brand-New Tool: Social Media Phishing Test Checks for Users Vulnerable to Social Media Related Attacks
Phishing is still the #1 threat action used in social engineering attacks, and spear phishing, in particular, takes advantage of your users’ socially networked lives.
Many of your users are active on social media sites like Facebook, LinkedIn, and Twitter. Attackers use social media to target both your brand, your users, and even your customers by distributing malware or using social engineering to phish for credentials. These platforms have become a goldmine for the bad guys to carry out social media phishing attacks against your organization!
Don’t get hacked by a social media phishing attack!
KnowBe4’s new Social Media Phishing Test (SPT) is a complimentary IT security tool that helps you identify which users in your organization are vulnerable to these types of phishing attacks that could put your users and organization at risk.
SPT will give you quick insights into how many users will fall victim so you can take action to train your users and better protect your organization from these social media phishing attacks!
Here’s How the Social Media Phishing Test works:
- Immediately start your test with your choice of three social media phishing templates
- Choose the corresponding landing page your users see after they click
- Show users which red flags they missed or send them to a fake login page
- Get a PDF emailed to you in 24 hours with your percentage of clicks and data entered
Find out how many of your users are vulnerable to social media related phishing attacks now!Don't like to click on redirected buttons? Copy & paste this link into your browser: