Cheap and easy-to-use phishing kits and other social engineering tools are readily available for purchase on the black market, according to researchers at Digital Shadows. Criminals create clones of legitimate websites and package them for sale, allowing other criminals to quickly set up convincing phishing sites on their own domains. These phishing templates usually cost between $2.00 and $68.00. Experienced cyber criminals also create phishing tutorials and offer them for sale, so even skids with minimal technical skills can learn how to start scamming people.
“The barriers of entry to phishing attacks can be significantly lowered by the existence of pre-made templates, infrastructure, and tutorials for sale on cybercriminal forums and marketplaces,” the researchers write. “Phishing tutorials may be purchased on cybercriminal forums and marketplaces at an average cost of $24.83, and the tools needed to conduct an attack can cost under $20. The average cost of a prebuilt page or template is $23.27.”
These phishing tools also vary depending on the type of campaign they’re designed for. The researchers explain that attackers adapt their strategies based on which type of target they’re going after.
“The first stage will almost always involve choosing a target,” they write. “Are you going after minnows or that elusive 1,000-lb marlin? Knowing this beforehand is important, as different targets require different tactics and tools. For example, a large-scale, more indiscriminate phishing attack (minnows) can be more conducive to the use of impersonal and generic emails cast with a broad net (e.g. a spam botnet). Targeting a high-ranking executive (marlin), on the other hand, might require a more nuanced and personalized approach (e.g. spearphishing).”
Likewise, different attacks necessitate different defenses. Executives and employees who have the authority to transfer money are more likely to be targeted with sophisticated spear phishing attacks, while other employees are often targets of opportunity. In every case, however, the employees themselves are the key to stopping these attacks.
“Phishing pages and malware can both be detected and blocked, but direct social engineering is much harder to spot,” the researchers say. “Detection of the first two relies on technical indicators that point to a specific threat, which can be mitigated automatically by, for example, spam blockers or malware scanners. Social engineering relies on exploits against the human operating the device.”
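The "technical indicators" the researchers refer to are the kind of thing a cloned phishing page cannot hide: it is served from a domain that is not the brand's, its login form has to deliver the captured credentials somewhere, and a template cloned from a real site often still loads the brand's own stylesheets and images. The script below is an added example (not Digital Shadows' code, and not from the report) showing how a defender might triage a captured page against those three indicators. The page HTML, the host names and the brand name are all constructed for illustration; the helper and function names are the example's own.

```python
"""Defender-side triage of a captured login page for signs of a cloned
phishing template. Added example; the sample pages and host names below are
constructed for illustration and do not refer to any real site."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PageScanner(HTMLParser):
    """Collect each form's action and whether it holds a password field, plus
    the hosts that scripts, images and stylesheets are loaded from."""

    def __init__(self):
        super().__init__()
        self.forms = []             # [{"action": str, "password": bool}, ...]
        self.resource_hosts = set()
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password"] = True
        if tag in ("script", "img", "link"):
            for attr in ("src", "href"):
                host = urlsplit(a.get(attr, "")).hostname
                if host:
                    self.resource_hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def same_site(host, site):
    """True when host is site itself or a subdomain of it."""
    return host == site or host.endswith("." + site)


def phishing_indicators(page_html, page_host, brand_domain):
    """Return human-readable indicators that page_html, served from page_host,
    is a clone of brand_domain's login page. An empty list means none fired."""
    page_host, brand_domain = page_host.lower(), brand_domain.lower()
    scanner = _PageScanner()
    scanner.feed(page_html)
    indicators = []

    # 1. Lookalike hostname: carries the brand's name but is not the brand's site.
    brand_label = brand_domain.split(".")[0]
    if brand_label in page_host and not same_site(page_host, brand_domain):
        indicators.append(f"lookalike host: {page_host} imitates {brand_domain}")

    # 2. A password form that posts to a host other than the one serving the page
    #    (the harvested credentials are being sent to a separate collector).
    for form in scanner.forms:
        if not form["password"]:
            continue
        action_host = (urlsplit(form["action"]).hostname or page_host).lower()
        if not same_site(action_host, page_host):
            indicators.append(f"password form posts to foreign host: {action_host}")

    # 3. A non-brand host hot-linking the brand's real assets: typical of a page
    #    cloned wholesale from the genuine site and re-hosted elsewhere.
    if not same_site(page_host, brand_domain) and any(
        same_site(h, brand_domain) for h in scanner.resource_hosts
    ):
        indicators.append(f"brand assets loaded from {brand_domain} on a non-brand host")
    return indicators


# Constructed sample: a cloned page hosted on a lookalike domain.
CLONED_PAGE = """
<html><head><link rel="stylesheet" href="https://static.examplebank.com/login.css"></head>
<body><img src="https://www.examplebank.com/logo.png">
<form method="post" action="https://collector.example.net/post.php">
<input name="user"><input type="password" name="pass"><button>Sign in</button>
</form></body></html>
"""

# Constructed sample: the genuine page, posting to a relative path on its own host.
LEGIT_PAGE = """
<html><head><link rel="stylesheet" href="https://static.examplebank.com/login.css"></head>
<body><form method="post" action="/login">
<input name="user"><input type="password" name="pass"><button>Sign in</button>
</form></body></html>
"""

if __name__ == "__main__":
    for host, page in (("examplebank-secure-login.com", CLONED_PAGE),
                       ("www.examplebank.com", LEGIT_PAGE)):
        found = phishing_indicators(page, host, "examplebank.com")
        print(f"{host}: {len(found)} indicator(s)")
        for line in found:
            print("  -", line)
```

The three checks are deliberately cheap so they can run over every page a mail gateway or proxy decides to fetch; none of them needs the page's JavaScript to execute. They also show why the researchers' distinction holds: a cloned page leaves these artifacts behind, whereas a phone call or a well-written pretext e-mail leaves nothing comparable for a scanner to match on.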
Social engineering attacks are designed to bypass technical defenses, so organizations need to address human vulnerabilities. New-school security awareness training can teach your employees which types of threats they’re likely to face and how to thwart them.
Digital Shadows has the story: https://www.digitalshadows.com/blog-and-research/the-ecosystem-of-phishing/