The Ecosystem of Phishing: From Minnows to Marlins

Photon Research Team

YOU JUST WON $1,000. CLICK HERE TO CLAIM YOUR REWARD!

 IMMEDIATE! NEED WIRE DETAILS.

Check out this cat doing cat things. Link inside.

One of these email subject lines is a phish, but can you spot it at first glance? Do you know how it was made? Where did it actually come from? If I click it, am I pwned?  

Phishing emails are the most exploited “vulnerabilities” in the modern age of cyber criminality. Phishes have evolved over time, taking on new forms and adding advanced functionality at every stage of their development and delivery scheme. Simple social engineering emails with misspellings and grammatical errors have evolved into nearly undetectable impersonations of the brands that people see coming through their email inboxes every day.

 

The Origins of Phishing <><

One of the most interesting things about phishing is how it got its name. To the surprise of absolutely no one, the nascent days of Internet culture featured cybercrime activity. In the burgeoning America Online (AOL) chat rooms, users would trade stolen accounts and counterfeit software. AOL tried creating detection systems to combat this threat, but they were running into one obstacle in particular.

Users replaced revealing cybercrime terminology with the “<><” symbol as it was the most commonly used HTML tag within AOL messaging systems. Note the similarity? Looks like a fish, right? Right? Phreaking, or phone hacking, was also extremely popular during this time. Combine the two together, and you get “phishing.”  

Did you click that link and read the article? It’s fascinating. We’ll wait. Go ahead.

 

Despite how interesting that factoid may be, we actually have no idea whether it’s true, as the only mention of that symbol in correlation with phishing is from Wikipedia―an unsourced Wikipedia entry, at that. But you were tempted to click the link, weren’t you? Did you?

 

Phishing key findings and statistics

TLDR – We’ve got an in-depth research piece here for you, but in case you prefer an overview, here are our quick findings and stats:

  • Barriers to entry | The barriers to entry for phishing attacks can be significantly lowered by the existence of pre-made templates, infrastructure, and tutorials for sale on cybercriminal forums and marketplaces. Phishing tutorials may be purchased on cybercriminal forums and marketplaces at an average cost of $24.83, and the tools needed to conduct an attack can cost under $20. The average cost of a prebuilt page or template is $23.27.
  • Retail and e-commerce | Out of over 100 advertisements for pre-built phishing pages and templates on cybercriminal forums and marketplaces, 29% specifically targeted retail and e-commerce organizations. These were sold for an average of $20.43.
  • Banking | Cloned or templated pages targeting banking organizations comprised 15% of advertisements, but were sold for an average of $67.91. This higher price point is likely due to the sheer financial opportunities that come with stealing credentials to an online banking service. 
  • $2-3 for Phishing Page Templates | The cheapest phishing page templates we found for purchase were for some of the biggest online brands including retailers and social media sites, averaging between $2 and $3.
  • Phishing Users and Tactics | Phishing is one of the most popular attack techniques, if not the most popular. It is used by low-level threat actors as well as nation-state threat groups, and comes in many different forms. Depending on the target chosen, an attacker must select the tactics and procedures that have the highest chance of resulting in a successful phish.
  • Phishing Process | This process contains four distinct stages: Creating the phishing email, choosing the distribution method, gathering the data, and cashing out.

 

Crafting a phishing attack: Buying your equipment

HOOK, LINE, AND SINKER

Now that I’ve hooked you 😉 into reading the rest of this Photon Research Team report, let’s look at phishing as a whole:

  • How phishing emails are created
  • How they’re distributed
  • Attackers’ tactics, techniques, and procedures (TTPs)
  • What success might look like to an attacker

Let’s start off with some data.

Whether an attacker is at the early stages of their phish, or they quickly need to get a phishing page up and running, look no further than the bustling economy that exists on criminal marketplaces. Why make something from scratch when you can buy something that’s likely better and more successful?  

Photon gathered over 100 ads over the last two and a half years from criminal marketplaces like the now defunct AlphaBay and Hansa markets, as well as newer additions like Apollon, Dream Market, and Wall Street. We found that phishermen will pay big bucks for cloned or templated phishing pages for companies within the banking sector, in particular. As you can see in Figure 1 below, cloned pages for banking companies were going for, on average, $67.91. Ecommerce was a distant second at around $20 per page, and social media sites, technology, and email service providers trailed even further below that.

Figure 1: Breakdown of average costs of different phishing templates

 

Even though banking templates/clones were pricey, we detected more ecommerce ads than anything else, accounting for 29% of the advertisements we observed. Banks, email services, social media, and technology followed behind, in that order, as you can see in Figure 2 below. A note on multi-packs: these ads contained several targeted verticals that we discussed, so instead of breaking them out individually, we have classified them into the “multi-pack” category. LeeLoo Dallas would be proud.

Figure 2: Breakdown of frequency of different types of templates

 

Banking was likely the most lucrative because of the obvious answer: you phish a banking login and you’re pretty much guaranteed some money. Ecommerce also makes sense, as people tend to store their payment credentials within their accounts for quick purchases. One interesting outlier we found when drilling into our data was that investment firms were far and away the most expensive phishing pages to purchase. One ad selling a page for a well-known investment firm went for $550, and the average across five separate ads for another company was just over $338.

This is so expensive though! Attackers can be just as restricted by budgets as the rest of us, and they’re in luck when it comes to purchasing phishing pages. The cheapest phishing page templates we found for purchase were for some of the biggest online brands including retailers and social media sites, averaging between $2 and $3.

Considering the cheap access to high quality phishing pages, nondescript phishing domains available for pennies, and step-by-step walkthroughs, it’s no wonder phishing is so prevalent today.

 

Choosing your target and buying (or creating) the bait

So, what do you need to go phishing?  

Well, if you ask the U.S. Fish & Wildlife Service, you’ll need: A rod and reel, 4- to 12-pound-test monofilament fishing line, a package of fishing weights, fish hooks (number 6-10 size), a plastic or cork bobber, a selection of live bait or fishing lures, and, in some cases, a fishing license (depending on your age, of course).

If you ask on a cybercriminal forum, you’re likely to get a slightly different response. The first stage will almost always involve choosing a target. Are you going after minnows or that elusive 1,000-lb marlin? Knowing this beforehand is important, as different targets require different tactics and tools. For example, a large-scale, more indiscriminate phishing attack (minnows) can be more conducive to the use of impersonal and generic emails cast with a broad net (e.g. a spam botnet). Targeting a high-ranking executive (marlin), on the other hand, might require a more nuanced and personalized approach (e.g. spearphishing). 

Thankfully, there are multiple options available to suit the needs of every phisher, novice or professional. Here are some of the more common phish crafting methods.

 

1. Email templates

Popular services (think email and social media platforms) are frequently spoofed in phishing attacks. Millions of people around the world rely on these every day, giving fraudsters a large attack surface. Phishing email templates and social engineering “how-to” guides are commonly sold on criminal forums and marketplaces. These templates can also be combined with phishing kits, allowing attackers to create spoofed login pages that are then linked directly in the phishing email (more on that later on).

As long as you have the money to buy a template, you don’t need to be a sophisticated threat actor to carry out a successful phishing attack. You don’t even need an in-depth understanding of your target. Figure 3 is a screenshot from February 2020 on XSS, a Russian-language forum, showing offers for dedicated phishing tools, including templates and scam pages for many popular services.

Figure 3: Advertisement of phishing tools with templates for well-known sites

 

Typically, these templates aim to masquerade as legitimate company emails and trick recipients into handing over sensitive information, like credentials; password resets or notifications of suspicious activity are among the most common. The most convincing of these templates aim to be indistinguishable from the real thing, often using the same exact assets (e.g. images, fonts, and wording).

 

Getting sloppy or getting smarter?

You’d think that perfectly executed phishing templates are the way to go. Who would fall victim to an email that’s riddled with graphical and grammatical errors? I’m sure you’ve seen these firsthand: Phishing emails that look catastrophically (and comically) bad, incorrect company logos, missing assets, and formatting that’s all over the place. But attackers are smarter than we sometimes give them credit for. In some cases, the correct play might actually be to distribute deliberately sloppy emails.

Although this might seem counterintuitive, there’s an argument that poorly formatted phishing lures can help weed out the victims that would be less likely to readily hand over their personal information from the get-go.  

Here’s an example:

Figure 4: Poorly formatted Google phishing email

 

It’s not hard to point out the errors in this email: Missing capital letters, bad formatting, sketchy sender and recipient addresses, and a strange Google logo. We (and hopefully you) wouldn’t think twice about ignoring and deleting this email, but we’re also not the target audience.

If a victim fails to see the errors that seem obvious to others, they might also be unaware of the risks of clicking unknown links that send them to fake login pages. As eloquently put by Microsoft: 

“By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.”

There’s also a technical element that attackers have to be aware of. Algorithms like tf-idf, or term frequency–inverse document frequency, break the text of a document into terms and weight each term by how often it appears in that document, offset by how common the term is across a collection of other, similar documents. This is used by search engines to rank and score documents against search queries, but is also used by email spam filters to help identify malicious emails and stop them from ever reaching a user’s main inbox.

By changing up the formatting of a phishing email, such as splitting up words, attackers can try to confuse the logic of spam filter algorithms. This can also explain why some phishing emails throw in Unicode characters to represent letters of the alphabet.

Can you spot the difference between “a” and the Cyrillic character “а”?

Unicode homoglyphs have different code points from the ASCII letters they resemble, so a filter that matches on the ASCII spelling of a keyword will not recognize the substituted word; that difference can decide whether a phishing email is marked as suspicious.
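To show what the word-splitting and homoglyph tricks above look like from the filter’s side, here is an added Python example (not code from the article or from Digital Shadows). It computes smoothed tf-idf vectors over a constructed corpus, measures how far a Cyrillic-substituted lure drifts from a known template when tokens are taken at face value, and then recovers the match by flagging mixed-script tokens and folding a small confusable map before tokenizing. The template, the benign messages, the evaded lure and the confusable table are all constructed for the example.

```python
import math
import re
import unicodedata
from collections import Counter

# Constructed sample data (not from the article): one known phishing template
# used as the reference document, plus a few benign messages for the IDF table.
PHISH_TEMPLATE = (
    "Your account has been suspended. Verify your password now to restore access."
)
BENIGN_MESSAGES = [
    "Lunch menu for Thursday is attached, see you at noon.",
    "Quarterly report draft attached, please review section three.",
    "Reminder: the team meeting moved to 3pm in the main room.",
]
# The same lure with three Latin letters swapped for Cyrillic look-alikes
# (U+0430 is CYRILLIC SMALL LETTER A, visually identical to 'a').
EVADED_MESSAGE = (
    "Your \u0430ccount has been suspended. Verify your p\u0430ssword now to restore \u0430ccess."
)

# Minimal Cyrillic -> Latin confusable map. A production filter would use the
# full Unicode confusables table; this subset is enough to show the technique.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def letter_scripts(token):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by a token's letters."""
    scripts = set()
    for ch in token:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def find_mixed_script_tokens(text):
    """Tokens mixing two scripts are a strong homoglyph-substitution signal."""
    return [tok for tok in re.findall(r"\w+", text) if len(letter_scripts(tok)) > 1]


def normalize(text):
    """Fold text to a canonical form: compatibility form, lower case, confusables mapped."""
    return unicodedata.normalize("NFKC", text).lower().translate(CONFUSABLES)


def tokenize(text):
    return re.findall(r"[a-z0-9']+", text)


def build_idf(docs):
    """Smoothed idf over the corpus; returns the table and the weight for unseen terms."""
    n = len(docs)
    df = Counter()
    for doc in docs:
        df.update(set(tokenize(normalize(doc))))
    idf = {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}
    return idf, math.log(1 + n) + 1


def tfidf_vector(tokens, idf, default_idf):
    tf = Counter(tokens)
    return {t: c * idf.get(t, default_idf) for t, c in tf.items()}


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


IDF, DEFAULT_IDF = build_idf([PHISH_TEMPLATE] + BENIGN_MESSAGES)
TEMPLATE_VECTOR = tfidf_vector(tokenize(normalize(PHISH_TEMPLATE)), IDF, DEFAULT_IDF)


def similarity_to_template(text, fold_confusables=True):
    """Cosine similarity between a message and the known lure, with or without folding."""
    prepared = normalize(text) if fold_confusables else text.lower()
    return cosine(tfidf_vector(tokenize(prepared), IDF, DEFAULT_IDF), TEMPLATE_VECTOR)


if __name__ == "__main__":
    print("mixed-script tokens:", find_mixed_script_tokens(EVADED_MESSAGE))
    print("similarity, raw text:   %.3f" % similarity_to_template(EVADED_MESSAGE, False))
    print("similarity, normalized: %.3f" % similarity_to_template(EVADED_MESSAGE, True))
```

Run as-is the script shows the raw-token similarity dropping well below the normalized one, which is exactly the gap the substitution is meant to open; the mixed-script check is the cheaper signal and catches the lure before any scoring runs.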

Figure 5: Text randomization service offered for sale on XSS

 

These tactics are well known in the cybercriminal community. In a post on the XSS Russian-language cybercriminal forum from August 2019, for example, a user asked for advice on how to send phishing emails to a database of 20,000 users that could successfully reach the inboxes of Gmail, Yahoo!, iCloud, and Outlook users. They received a response from another forum user with specific guidance, saying:

  1. 20,000 emails is a small number for mass mailing
  2. Sending the message with no links helps it to bypass spam filters – a link in an email is the first suspicious feature a spam filter looks for
  3. Randomizing the text (indents and spaces) will increase the email’s chances of reaching the inbox
  4. Sending from a corporate server is more successful

Figure 6: XSS user suggesting text randomization to bypass spam filters

 

2. Phishing-as-a-Service

Another alternative to templates is phishing-as-a-service (PHaaS), which lets an attacker rent the infrastructure needed to conduct phishing attacks. Procuring and setting up backend infrastructure can be time consuming, expensive, and difficult without certain expertise. By outsourcing much of the hard work, phishing capabilities are opened up to those who would not otherwise have them; renting resources for a limited time can be a very economical option.

PHaaS services are often monetized in familiar ways, offering various monthly subscription tiers, each with different levels of features. Business models with as-a-service offerings on the cybercriminal underground are increasingly mirroring those in real life, and can make all the difference in determining whether a service sinks or swims. Digital Shadows discussed this phenomenon in depth in our blog “How the Cybercriminal Underground Mirrors the Real World”.

Figure 7: Phishing infrastructure rental offered on Exploit

 

3. Phishing kits

Figuring out the layout of login pages for common online services isn’t difficult. Attackers can either clone these websites or buy pre-made templates, and phishing kits can expedite this process even further.

A phishing kit is an all-in-one tool set that has everything an attacker needs to launch a phishing attack. Think of it as a starter kit that includes a rod, reel, fishing line, hooks, and bait. They can contain ready-built websites with spoofed login pages: All an attacker has to do is choose which service they want to target.

Phishing kits can drastically lower the barrier to enter cybercrime. Users need little to no technical skills to pull off their own phishing attacks, as long as they have the money to shell out for a phishing kit. Some even take to cybercriminal forums to ask for “hackers for hire” to help build phishing pages.

Figure 8: Exploit post from user looking for coder to create phishing pages

Figure 9: Exploit post from user looking to buy a phishing kit

 

Phishing kits can be obtained for relatively little money. These are commonly advertised, requested, and discussed on cybercriminal forums―a testament to their popularity.

Figure 10: Free phishing kits offered on Exploit[.]in

 

Distribution of phishing emails: Casting the line

After the preliminary stages of identifying targets and crafting emails, attackers need to decide by what means their phishing emails will be distributed. After all, you’re not going to use the same equipment to catch that marlin as you are some minnow. In most phishing cases, this is largely an automated process. No one wants to sit and hit “send” for tens of thousands of emails. But even when an attacker is only targeting a small number of victims, they still need to ensure that their emails will:

  1. Not end up in the recipient’s spam inbox
  2. Appear to be from a legitimate sender

Whether via public or private infrastructure, emails have to come from somewhere. There are advantages and disadvantages of each, and their use will largely depend on the nature of the phisher’s target.

 

1. Private infrastructure

Many business email compromise (BEC) attacks involve the use of private victim infrastructure. BEC relies on the attacker being able to successfully impersonate a high-ranking employee. If you receive an email from your boss, it’ll appear more suspicious if it was sent from an unknown third-party email provider rather than from your company’s internal address.

To do this, the attacker can spoof an internal email address, compromise the site’s mail server, or compromise the email account using previously obtained credentials (like through another phishing attack or a public breach database). The former two can require significant technical understanding, whereas the latter can rely on the target being successfully phished or their credentials being previously breached.  

To spoof an email address, an attacker will first have to compromise, create, or find a Simple Mail Transfer Protocol (SMTP) server that allows the spoofed emails to be sent. By supplying a different sender address in the email’s envelope and then populating the required SMTP commands and headers, an attacker can create a spoofed email with relative ease.

Although that process may sound somewhat complicated, it’s easier to pull off than some other attack techniques. Even though many email providers now have integrated features that let you verify the sender address, email spoofing is still widely used for social engineering campaigns.
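The receiving side has a handle on this: the envelope sender set during the SMTP exchange survives as the Return-Path header, and it need not match the From header the user sees. The following added Python example (not code from the article or from Digital Shadows) parses a message with the standard library, checks whether the header From and envelope domains align in the relaxed DMARC sense, and reads the receiving MTA’s Authentication-Results verdicts. The two sample messages, the example.com domains and the two-label approximation of the organizational domain are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the article): the header From claims the
# company's own domain, but the envelope sender (Return-Path) is a third-party
# host, and the receiving MTA's Authentication-Results show DMARC failing.
SPOOFED_MESSAGE = b"""Return-Path: <bounce@mailer-example.test>
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=mailer-example.test;
  dkim=none;
  dmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: IMMEDIATE! NEED WIRE DETAILS.

Please send the wire details right away.
"""

# The same request sent through the company's own mail server (also constructed).
INTERNAL_MESSAGE = b"""Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=example.com;
  dkim=pass header.d=example.com;
  dmarc=pass header.from=example.com
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Wire details

Please send the wire details when you get a chance.
"""


def address_domain(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def organizational_domain(domain):
    """Simplification: keep the last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def parse_authentication_results(header_value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header_value or "")))


def assess_sender(raw_message):
    """Compare the visible From domain with the envelope sender and the MTA verdicts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    header_from = address_domain(msg["From"])
    envelope_from = address_domain(msg["Return-Path"])
    auth = parse_authentication_results(msg["Authentication-Results"])
    # relaxed alignment: the organizational domains must match
    aligned = organizational_domain(header_from) == organizational_domain(envelope_from)
    return {
        "header_from_domain": header_from,
        "envelope_from_domain": envelope_from,
        "aligned": aligned,
        "auth": auth,
        "suspicious": (not aligned) or auth.get("dmarc") != "pass",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        print(label, assess_sender(raw))
```

The check trusts the Authentication-Results header only because it is the one your own gateway stamped; any copy of that header arriving from outside should be stripped at the boundary, or an attacker simply includes a passing one.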

Another option for attackers is to compromise a company’s infrastructure and use their SMTP server to distribute phishing emails. Those used to send marketing communications can be attractive targets; heavy outgoing message traffic seems less suspicious if it’s coming from a server typically used for marketing.

As noted in smtpspam’s advice on XSS back in Figure 6, sending emails from corporate mail servers is effective in getting emails to reach a victim’s inbox.  But compromising and modifying a site’s configuration can be time consuming and difficult to do without the necessary technical skills. Less-technically inclined attackers can turn to cybercriminal forums and marketplaces to buy already-compromised servers.

Much like how marketing software (e.g. Marketo, SalesForce) is used in the real world to track inbox placement and delivery rates, many spam services use similar solutions to monitor the results of their campaigns. These can help attackers optimize their spam efforts by tracking the interactions of the victims. Atomic Email Tracker, for example, is legitimate software; cracked versions of it are frequently listed for sale for as little as $2 USD on cybercriminal marketplaces, or traded for free on forums.

Figure 11: Atomic Email Tracker interface

 

2. Public infrastructure

In addition to compromising or piggybacking on an organization’s infrastructure, attackers can also exploit public infrastructure (e.g. email providers) to cast their phishing nets. This might be a simpler option for less-technical adversaries; in many cases, all you need to do is sign up for a free account―until, of course, the provider catches on to your malicious activity.  

The catch is that many major email providers (think Gmail and Outlook) make it difficult to create accounts with the express intent to conduct spam or phishing. Even blocks at the account creation level, like requiring multi-factor authentication (MFA) with a valid, non-burner phone number, can be enough to ward off many would-be attackers. But not all email providers are alike, and some make it much easier to create email accounts for phishing, particularly those hosted in countries with less-than-ideal cooperation with law enforcement.

One of the benefits of using legitimate email providers is that certain filters may be less likely to identify messages as spam. Having a phishing email delivered into the victim’s regular inbox, rather than their spam folder, can make all the difference. MailNinja is an example of an email spam service that uses public infrastructure from the provider mail[.]ru, and its operators claim it can let spam emails reach regular inboxes (as opposed to spam) with a 98% success rate.

Figure 12: MailNinja spam service advertisement on XSS

 

3. Botnets

Ahhh, botnets…the scourge of the Internet. Consisting of a large number of infected devices (think tens, if not hundreds of thousands), they can be used to facilitate a wide range of malicious activity: distributed denial of service (DDoS) attacks, data theft, espionage, and yes, even spam and phishing.

Their strength lies in their numbers. An interconnected network of hundreds of thousands of devices can achieve more than any of them could hope to on their own. With the help of things like email spam databases, attackers can direct phishing emails to a wide surface of potential victims.  

Botnets also help attackers get around IP address blacklists. When suspicious servers get identified, they are put on public blacklists, curated by companies like Spamhaus. Someone distributing spam phishing emails via their own infrastructure runs the risk of their servers being blacklisted. But if botnet activity is identified, the server of the infected device is the one that gets blacklisted instead. And when you have traffic coming from tens of thousands of individual devices, a few being identified and blocked isn’t going to significantly affect your spam distribution.

 

For a device to become part of a botnet, it typically has to be infected with malware. You can probably see where we’re going with this: phishing can itself be used to distribute botnet malware, creating even more compromised devices that go on to send more phishing. That is what makes phishing cyclical.

The circle continues.

In some cases, these botnets can be monetized directly, in the vein of other as-a-service platforms. Botnets for hire give cybercriminals an additional source of revenue, and can be one of the primary motives behind a phishing campaign. Depending on the size and type of botnet, operators can make hundreds of thousands of dollars per year in revenue by monetizing rental services on a “per use basis”.

Figure 13: Post from an Exploit user seeking a botnet partner

 

4. Mailing lists

Speaking of spam lists, these have become commonplace on criminal markets and forums, being traded and sold for malicious use (like phishing attacks). On the popular, morally questionable forum BlackHatWorld, for example, users frequently discuss ways to carry out certain kinds of attacks or even ways to monetize their illicit gains, as shown in Figures 14 and 15 below.

Figure 14: Discussion on BlackHatWorld about monetizing email list

Figure 15: Discussion on BlackHatWorld of monetizing high profile email list.

 

How helpful! At this point, the attacker can either run an operation themselves, find a partner in crime, or simply sell their mailing list and be done with it.

As Figure 16 below shows, the price of these lists rises with the profile of the potential victims. A broad spam list may be listed for less than a highly targeted list.

Figure 16: Top: Ad for 10 million valid email contacts at $12.99
Bottom: Ad for list of 150,000 “Wealthy UK Men” at 19.99

How attackers harvest data from a phishing attack: Reeling in the catch

The bait has been chosen, the line has been set and the attacker has a target on the hook. Now, how to reel the prize in?

1. Phishing pages

As once said by the venerable Jedi master Qui-Gon Jinn: “There’s always a bigger fish”. Phishing attacks don’t end with an email being opened: For a phish to be successful, attackers have to coax information out of the victim. There are several ways to harvest data, and phishing pages are some of the most common.


A popular technique is for attackers to set up an illegitimate website spoofing the company they are using as a phishing lure. For the most part, these don’t even have to be overly complicated: In many cases, a simple login page is enough.

For example, an attacker could create a typo-squatted page with a login field hosted on a subdomain (e.g. login.digitleshadows[.]com). This URL can then be embedded in a phishing email and distributed to potential victims. Once the recipient clicks the link, they’re directed to the spoofed login page. Any credentials entered on the spoofed page are stored and exfiltrated to an attacker-controlled server. So as to not raise suspicions, many phishing pages are also configured to redirect users to the legitimate website of the company after credentials are entered.
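For defenders, the first detectable artifact in the flow just described is the lookalike domain itself, and the subdomain trick (a plausible label such as login. in front of a misspelled brand) is caught by comparing the registrable part of the name rather than the full hostname. The following added Python example (not code from the article or from Digital Shadows) scores hostnames as they might appear in proxy or mail-gateway logs against a list of protected brand domains by edit distance on the registrable label, accepting defanged input. The host list, the brand list and the two-label approximation of the registrable domain are assumptions made for the example.

```python
# Constructed inputs (not from the article): the brand domains we protect and a
# handful of hostnames as they might appear in proxy or mail-gateway logs.
PROTECTED_DOMAINS = ["digitalshadows.com"]
OBSERVED_HOSTS = [
    "login.digitleshadows[.]com",   # typo-squat behind a login subdomain, written defanged
    "www.digitalshadows.com",       # the real site
    "accounts.google.com",          # unrelated
    "digita1shadows.net",           # digit-for-letter swap plus a different TLD
    "mail.digitalshadows.com",      # the real site again
]


def refang(host):
    """Undo the common [.] defanging used when indicators are shared."""
    return host.replace("[.]", ".").lower().strip()


def registrable_domain(host):
    """Simplification: last two labels. Real tooling uses the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(hosts, protected, max_distance=2):
    """Return (host, brand, distance) for hosts whose registrable label is near a brand's.

    Comparing the second-level label only means a brand name under a different
    TLD (distance 0) is reported too, while the brand's own domain is skipped.
    """
    hits = []
    for raw in hosts:
        host = refang(raw)
        reg = registrable_domain(host)
        for brand in protected:
            if reg == brand:
                continue  # exact match on the legitimate domain, not a lookalike
            label, brand_label = reg.split(".")[0], brand.split(".")[0]
            distance = levenshtein(label, brand_label)
            if distance <= max_distance:
                hits.append((host, brand, distance))
    return hits


if __name__ == "__main__":
    for host, brand, distance in find_lookalikes(OBSERVED_HOSTS, PROTECTED_DOMAINS):
        print(f"{host} looks like {brand} (distance {distance})")
```

A threshold of two edits keeps the example readable; on a real brand list the threshold should scale with label length, and short labels need an additional allow-list to avoid matching unrelated names.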

Figure 17: Fake Maersk login portal

 


 

Credential harvesting techniques aren’t the only trap you might find on a phishing page; malware can frequently be found lurking in a page’s background―whether a drive-by download being delivered by an exploit kit hosted on the page, or a prompt to download a seemingly too-good-to-be-true “free application”.

Directly cloning websites is also a popular technique among aspiring phishers, and requires little technical skill to get up and running. There are modules within the open-source penetration testing software Metasploit that can directly copy webpages, and other tools were recommended by users of the now-defunct Kickass forum. XDAN CopySite is a service that allows users to enter their domain of choice and produce a static version of the webpage by generating the HTML files of pages hosted on the domain within a matter of seconds.

Figure 18: URL links to XDAN Copy Site shared across forums and messaging apps

 

There are also several open-source tools originally designed for penetration testing that have been adopted for use in phishing attacks. Modlishka, for example, can help automate phishing attacks and bypass MFA. The tool facilitates a kind of man-in-the-middle (MITM) attack by intercepting traffic and acting as a reverse proxy; once the victim enters their credentials for whatever service the attacker is imitating, they are then directed to the legitimate service.

Any MFA tokens requested by the service can also be intercepted by the attacker in real time, allowing them to log in and create “legitimate” sessions. The victim’s information can be harvested without raising any suspicion. Modlishka isn’t the only tool around that can make life easier for the phisher; such open-source tools as Evilginx 2 function in a similar way.

Figure 19: Post from an XSS user requesting help with Evilginx 2 and Modlishka

 

2. Malware

Of course, phishing site links aren’t the only things delivered in a phishing email. Malware of all shapes and sizes―including ransomware, credential harvesters, and remote access trojans (RATs)―are all frequently delivered via phishing emails, typically within an email attachment, like a Microsoft Word document or an Adobe PDF file. 

Malware can steal a variety of things from a computer, including credentials, documents, and system resources. Credential harvesting is a common feature of popular malware as it provides the attacker with data that can be easily translated into money in their pockets through fraud (a topic we’ll get to next).

TrickBot

An example of a credential stealer is “TrickBot”, a banking trojan that was first detected in September 2016 and has since been developed to incorporate the targeting of multiple geographies and online services. Its purpose was to gain unauthorized access to customer bank accounts to facilitate fraudulent transactions, but it also targeted users of online services, such as SalesForce and cryptocurrency services.

TrickBot was reportedly delivered via spam emails containing malicious attachments, including some distributed by the “Necurs” botnet, and via the “RIG” exploit kit. In some cases, TrickBot used the “EternalBlue” exploit (for CVE-2017-0144) or Windows API calls to propagate in a local network.

The functions and activities of TrickBot are reportedly very similar to the “Dyre” banking trojan, and researchers identified a connection there: At least one of the developers of Dyre was involved in the development of TrickBot. Widespread targeting and rapid, continuing development meant that the malware represents a medium threat level at the time of writing.

FormBook

One information stealer is FormBook, which was offered for sale on forums and marketplaces beginning in early 2016, enabling various threat actors to conduct attacks. FormBook was identified in campaigns targeting the aerospace, defense, and manufacturing industries in the United States and South Korea from July to September 2017. Its functions included logging keystrokes, capturing credentials, and taking screenshots. It could also execute additional files, including malicious payloads. The distributor of the malware halted sales on HackForums[.]net on 05 Oct 2017 following use of the malware in email campaigns.

Then there are botnet recruiters: an especially devious way to get access to victims’ resources. Those victims who have abundant system resources―like Intel’s new Core i512 processor with a terabyte of RAM and six SLI graphics cards lined up to handle the newest “Call of Duty”―may not think twice if those resources are running 1% higher than normal. No big deal, right?

Wrong, for a variety of reasons. That driver they downloaded from a third-party website to run that graphics card was actually malware, designed to recruit their system into a larger pool of systems, controlled by an attacker. This network of bots can conduct DoS attacks, mine cryptocurrency, and hide their own malicious traffic through your network.

“Satori” is a variant of the “Mirai” malware and is used to compromise Internet of Things (IoT) devices to turn them into a botnet. Three variants of the malware have been detected to date. It’s been described as “wormable” because of its use of exploits to target IoT devices, rather than relying on a scanner to identify additional targets after infection.


 

Proof of concept source code for a Satori-controlled exploit was leaked in late December 2017 by an unknown threat actor. To date, the botnet hasn’t been used to conduct malicious activity, and it could be in an early construction phase. It has the potential to be used for DoS attacks, to distribute spam, and to conduct information-gathering activities. Pending further activity by this botnet, it poses a low threat at the time of writing.

 

3. Social engineering

Phishing pages and malware can both be detected and blocked, but direct social engineering is much harder to spot. Detection of the first two relies on technical indicators that point to a specific threat, which can be mitigated automatically by, for example, spam blockers or malware scanners. Social engineering instead exploits the human operating the device.

BEC attacks are an extremely common type of social engineering, typically designed for use against a specific target. Digital Shadows has done extensive research around this technique, conducting HUMINT interactions with threat actors to determine methodology. BEC inherently relies on tactics of deception, compromising or spoofing the email account of, for example, a company executive to entice lower-level employees into releasing funds or sensitive documents, as shown in Figures 20 and 21.

Figure 20: Example of a typical BEC attempt

Figure 21: Example of a typical BEC attempt

Such phishing emails have to be convincing and realistic. An email from someone’s CEO, asking them to transfer money immediately but in a message full of grammar mistakes would almost certainly raise red flags. That’s why some BEC attacks can involve substantial reconnaissance to figure out exactly how a certain person writes.

Of course, BEC isn’t the only form of social engineering that can take place via phishing emails. Let’s look at extortion, another topic Digital Shadows has heavily researched (see our report, Extortion exposed: Sextortion, thedarkoverlord, and SamSam), and specifically at a subgenre called sextortion. In the latter half of 2018, Digital Shadows collected information regarding these campaigns, like how widespread they were and the amount of money they were making.

Figure 22: Breakdown of sextortion statistics

89,000 recipients and $332,000 later, sextortion proved to be a huge hit in the cybercriminal landscape. This kind of extortion uses the previously established method of preying on the victim’s conscience and urging them to respond quickly, but adds another, vicious angle. The phishing email sender claims to have compromising information about the recipient, like sensitive account details for porn websites or even videos of them visiting these sites.

Cashing out a phishing attack: Collect the reward

The most visible aspect of fishing is the catch. This is what gets all the fame and glory in the news, with pictures of fishermen standing around their 1,000-lb marlin, hoisted up on a dock. No one wants to see an empty boat, with tired fishermen and empty lines, or watch them buy bait at the store. To the general masses, it’s all about the catch.

The same is true for phishing. One of the highest-profile breaches in the past few years, the Anthem Healthcare data breach, resulted directly from spearphishing attacks against the company. According to a May 2019 indictment of the alleged attackers, a lot of data was stolen, including personally identifiable information (PII) and confidential business information, which originated from phishing emails and malware infections.

This was a really big deal at the time, but that’s just one attack, one breach, one company. Looking at this from a higher level, attackers have various goals when they phish.

Let’s take the example of PII stolen via a phishing attack. PII comes in all shapes and sizes on the dark web, with vendors selling fullz (complete personal records), specific items like passport information, and everything in between. This data can be stolen via any of the methods we’ve outlined above (information-stealing malware, phishing pages designed to harvest information, or direct communications with a victim), but attackers certainly aren’t limited to these methods.

There are a few different paths an attacker can take with a victim’s PII:

  • Direct identity fraud (that is, identity fraud that targets a victim through their already established assets, like bank accounts) has been an ongoing issue for years. In a 2019 study, Javelin Research highlighted that even though the number of victims fell between 2017 and 2018, from 16.7 million to 14.4 million, the financial effects on victims were harsher: 23% of fraud victims had expenses that weren’t reimbursed after paying out to fraudsters, an increase over the previous year.
  • New-account fraud, by which an attacker uses illicitly gained PII to create new assets, like credit cards or mortgage loans, unbeknownst to the victim, resulted in losses of $3.4 billion in 2018.
  • PII can be resold on dark web forums, as described above. Prices typically depend on the amount of data included with a package, the number of records, and how fresh the data is.
  • Facilitating further attacks is another option for all types of data. PII can be used to send extortion emails for blackmail, or even used to conduct account takeovers.

Figure 23: Breakdown of goals for various types of phishing attack

Obviously, PII isn’t the only thing stolen in a phishing attack: enter the lovely chart in Figure 23! Read each row from left to right, for example “PII can be used for direct identity fraud for profit” or “Credentials stolen through corporate espionage phishing attacks can be used to start a new attack cycle”.

5 Phishing Mitigation Tips

““Phish,” he said, “I love you and respect you very much. But I will kill you dead before this day ends.””
― Ernest Hemingway, The Old Man and the Sea, as adapted by Charles Ragland, security engineer, Digital Shadows

All the methods and results we’ve described can start with that first phishing email. Whether it’s a misspelled, poorly formatted message or a well-crafted and carefully researched impersonation email, the spin-off pathways are myriad. This is why phishing remains one of, if not THE, most prevalent attack techniques.

Despite this, there’s no surefire silver bullet that can mitigate the phishing threat. We’ve said it before (along with many, many others) and we’ll type it again: If someone solves the phishing problem, 99% of cyber attacks will be mitigated. That’s probably an exaggeration, but you get the idea.

But we live in the here and now, so the Photon Research team has put together a few phishing mitigation strategies that can help companies big and small.

  1. Limit the information your organization and employees share online, including on social media sites. The most successful phishers perform detailed reconnaissance so they can craft the most effective emails and social engineering lures.
  2. Monitor for registrations of typo-squatted domains that attackers can use to impersonate your brand, send spoofed emails, and host phishing pages.
  3. Implement additional security measures, such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). These make spoofing of your domain more difficult, but only if the published policies are actually enforcing (an SPF record ending in +all, or a DMARC policy of p=none, blocks nothing). Check out our detailed practitioner’s guide to combating email spoofing risks.
  4. Protect your accounts in case phishers do manage to steal user credentials. Two-factor authentication measures should be mandated across the organization and implemented whenever possible.
  5. Train your employees how to spot phishing emails and, more importantly, give them a clear and recognized reporting method to alert security teams of suspected phishing attempts. Eventually, a phishing email will fall through the net. Employees need to know how to react to these quickly and should not fear any repercussions of being the victim of a social engineering attack.
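Tip 3 above only helps when the published SPF and DMARC records are actually enforcing. The following checker, added here as an example and not part of the original post or of Digital Shadows’ tooling, parses constructed sample records for a hypothetical domain (example.com) and flags the settings that leave a domain spoofable, showing a weak pair beside a hardened pair.

```python
"""Flag weak settings in SPF and DMARC TXT records (added example, constructed data)."""
import re

# Constructed sample records for a hypothetical domain; not taken from any real DNS zone.
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier (+, -, ~, ?) on the terminating 'all' mechanism, or None."""
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if not match:
        return None
    return match.group(1) or "+"  # an unqualified 'all' means pass, i.e. '+all'


def evaluate(spf, dmarc):
    """Return a list of findings; an empty list means no weak setting was seen."""
    findings = []
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: record does not start with v=spf1")
    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are never failed")
    elif qualifier in ("+", "?"):
        findings.append("SPF: '%sall' lets any host pass or stay neutral" % qualifier)
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "none")  # a missing p= tag is treated as monitoring only
    if policy == "none":
        findings.append("DMARC: p=none only monitors and never blocks spoofed mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    if tags.get("sp", policy) == "none":  # sp= defaults to the organizational policy
        findings.append("DMARC: subdomain policy sp=none leaves subdomains spoofable")
    return findings
```

Running `evaluate(WEAK_SPF, WEAK_DMARC)` returns four findings, while the hardened pair returns none; the same functions can be pointed at a domain’s live TXT records once they are fetched.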

Thanks for sticking with us through this in-depth phishing piece! If you want to learn more about how Digital Shadows can help your organization, check out our Phishing Protection page or request a demo below.
