Researchers at IBM describe how criminals use phishing kits to launch widespread phishing campaigns with minimal effort. Phishing kits are software products that automate the process of setting up spoofed websites and handling email campaigns.
“The majority of phishing sites we see in our day-to-day analysis originate from phishing kits that are available for purchase on the dark web and are being reused by many different actors,” the researchers write. “Typical kits are professionally written and can contain thousands of lines of code. They can be configurable based on the campaign and even have proper error reporting. These kits range in price from a few hundred to a few thousand dollars and can be deployed in a matter of minutes. Conversely, malware attacks change all the time, shifting tactics around for all aspects, especially the underlying code.”
The criminals usually buy cheap domains to host their phishing sites, though they can spend more money to gain access to compromised servers, where an attack hosted on an established legitimate site is harder to detect and block.
“In most of the attacks we observe, phishers register cheap domains for malicious use, host attacks on a compromised domain or a combination of both,” the researchers write. “Some domain registrations are easy to fund, and this does not require exploiting or compromising an existing site. The downside is that it’s easier to detect and block a standalone malicious site versus an attack hosted on an established legitimate one. Dark web vendors who play in the phishing game sell access to compromised servers, but this option does raise the overall cost of the attack.”
Attackers can also buy lists of target email addresses that have been collected from data breaches and other sources.
“Once the phishing attack is ready, it has to get in front of potential victims,” the researchers write. “To send it out to the right audience, phishers can either contract an underground service that specializes in spamming, or they can go ahead and buy their own target lists. Target lists can be specific to a region or a language and can help attackers get into inboxes of webmail providers and company emails alike. Depending on the viability of the data and its contents, email lists can go for $50 to $500. The price is offset by the reuse of the same list for other attacks or reselling it to other criminals.”
New-school security awareness training with simulated phishing emails can enable your employees to thwart these attacks.
SecurityIntelligence has the story.