How Cybercriminals Create, Distribute, Steal Data and Monetize Phishing Emails and Pages
New research finds it has never been easier for aspiring cybercriminals to impersonate companies and lure victims to fake websites. And potential profits are huge with some ‘salaries’ being promised of between $5 and $10k a week.
The Digital Shadows' Photon Research Team analysis entitled From Minnows to Marlins, the Ecosystem of Phishing analyzed many of the popular marketplaces and forums frequented by cybercriminals. It found that phishing page templates and clones impersonating some of the biggest brands in the world, are being priced and sold from just $1.88. These templates aim to masquerade as legitimate companies and trick recipients into handing over sensitive information, like credentials, password resets or notifications of suspicious activity, says the report.
The analysis details from start to finish how criminals create, distribute, steal data, and monetize phishing emails and pages. Many criminals begin by using phishing email templates, often indistinguishable from the real thing which use the same exact assets (e.g. images, fonts, and wording). Criminals can then combine these with ‘clone’ websites, the cost of which start under $2.00. After purchasing a cheap domain and email contact lists (with 10m email contacts being advertised for just $12.99) spammers can launch a campaign for under $20 with little technical knowledge required, notes the study.
Criminals can also automate some of their processes via phishing-as-a-service (PHaaS) options that allow an attacker to rent the infrastructure needed to conduct phishing attacks. Procuring and setting up backend infrastructure can be time consuming, expensive, and difficult without certain expertise. The prices of these services can vary but one advertised at $150 a month promises all the tools a criminal could need including ‘access to your own admin panel and phishing files for upload on your host’.
The study also suggests that some spammers are acting just like professional marketers. They are using industry-leading marketing technologies to track email metrics including delivery, open and click-through rates, which can help attackers optimize their spam efforts by tracking the interactions of the victims. Atomic Email Tracker, for example is a legitimate software, of which cracked versions are frequently listed for sale for as little as two dollars on cybercriminal marketplaces or traded for free on forums, says the study.
Phishing key findings and statistics
- Barriers to entry | The barriers of entry to phishing attacks can be significantly lowered by the existence of pre-made templates, infrastructure, and tutorials for sale on cybercriminal forums and marketplaces. Phishing tutorials may be purchased on cybercriminal forums and marketplaces at an average cost of $24.83, and the tools needed to conduct an attack can cost under $20. The average cost of a prebuilt page or template is $23.27.
- Retail and e-commerce | Out of over 100 advertisements for pre-built phishing pages and templates on cybercriminal forums and marketplaces, 29% specifically targeted retail and e-commerce organizations. These were sold for an average of $20.43.
- Banking | Cloned or templated pages targeting banking organizations comprised 15% of advertisements, but were sold for an average of $67.91. This higher price point is likely due to the sheer financial opportunities that come with stealing credentials to an online banking service.
- $2-3 for Phishing Page Templates | The cheapest phishing page templates we found for purchase were for some of the biggest online brands including retailers and social media sites, averaging between $2 and $3.
- Phishing Users and Tactics | Phishing is one of, if not the most popular attack techniques. It is used by both low-level threat actors as well as nation-state threat groups, and comes in many different forms. Depending on the target chosen, an attacker must select the most appropriate tactics and procedures that have the highest chance of resulting in a successful phish.
- Phishing Process | This process contains four distinct stages: Creating the phishing email, choosing the distribution method, gathering the data, and cashing out.
Harrison Van Riper at Digital Shadows comments: “Most of us within the cybersecurity community believe that if the phishing issue could be stopped then we’d eliminate a significant proportion of all cybercrime. Unfortunately, there is no sign of this happening anytime soon. It has never been easier for a phisher to set themselves up in business. Many of the templates and fake clone sites we discovered are extremely convincing and impersonating hundreds of brands.”
The report advises that organizations take the following precautions:
- Limit the information your organization and employees share online, including on social media sites. The most successful phishers perform detailed reconnaissance so they can craft the most effective emails and social engineering lures.
- Monitor for registrations of typo-squatted domains that attackers can be used to impersonate your brand, send spoofed emails, and host phishing pages.
- Implement additional security measures, such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). These can make the spoofing of your domain more difficult. Check out our detailed practitioner’s guide to combating email spoofing risks.
- Protect your accounts in case phishers do manage to steal user credentials. Two-factor authentication measures should be mandated across the organization and implemented whenever possible.
- Train your employees how to spot phishing emails and, more importantly, give them a clear and recognized reporting method to alert security teams of suspected phishing attempts. Eventually, a phishing email will fall through the net. Employees need to know how to react to these quickly and should not fear any repercussions of being the victim of a social engineering attack.