Spamming Tools are a Commodity in the Criminal Underworld

Cheap and easy-to-use phishing kits and other social engineering tools are readily available for purchase on the black market, according to researchers at Digital Shadows. Criminals create clones of legitimate websites and package them for sale, allowing other criminals to quickly set up convincing phishing sites on their own domains. These phishing templates usually cost between $2.00 and $68.00. Experienced cyber criminals also create phishing tutorials and offer them for sale, so even skids with minimal technical skills can learn how to start scamming people.

“The barriers of entry to phishing attacks can be significantly lowered by the existence of pre-made templates, infrastructure, and tutorials for sale on cybercriminal forums and marketplaces,” the researchers write. “Phishing tutorials may be purchased on cybercriminal forums and marketplaces at an average cost of $24.83, and the tools needed to conduct an attack can cost under $20. The average cost of a prebuilt page or template is $23.27.”

These phishing tools also vary depending on the type of campaign they’re designed for. The researchers explain that attackers adapt their strategies based on which type of target they’re going after.

“The first stage will almost always involve choosing a target,” they write. “Are you going after minnows or that elusive 1,000-lb marlin? Knowing this beforehand is important, as different targets require different tactics and tools. For example, a large-scale, more indiscriminate phishing attack (minnows) can be more conducive to the use of impersonal and generic emails cast with a broad net (e.g. a spam botnet). Targeting a high-ranking executive (marlin), on the other hand, might require a more nuanced and personalized approach (e.g. spearphishing).”

Likewise, different attacks necessitate different defenses. Executives and employees who have the authority to transfer money are more likely to be targeted with sophisticated spear phishing attacks, while other employees are often targets of opportunity. In every case, however, the employees themselves are the key to stopping these attacks.

“Phishing pages and malware can both be detected and blocked, but direct social engineering is much harder to spot,” the researchers say. “Detection of the first two rely on technical indicators that point to a specific threat, which can be mitigated automatically by, for example, spam blockers or malware scanners. Social engineering relies on exploits against the human operating the device.”

Social engineering attacks are designed to bypass technical defenses, so organizations need to address human vulnerabilities. New-school security awareness training can teach your employees which types of threats they’re likely to face and how to thwart them.

Digital Shadows has the story:
