There Are Plenty of Phish in the Sea

There Are Plenty of Phish in the Sea for Commercial Phishers and Weekend Scammers Alike

The phish market is open. And you don’t have to be an experienced angler to land a catch of the day.

Not that long ago, in order to successfully scam someone online, you needed to have at least a modicum of digital savvy. Newbies and less talented scammers tended to leave behind telltale signs of their shortcomings. Bad grammar. Misspellings. Poor design. Goofy graphics. Broken links. So, if you happened to be on the receiving end, you would find revealing signs that something was amiss. That was then.

Today, for modest amounts of money, would-be scammers can buy high-quality phishing tools online, through the Dark Web, enabling them to skip all the fuss and bother of actually learning how to code or do graphics or any of the other steps required to successfully scam someone. As a result, the barriers to entering the field of malevolent online behavior have been significantly lowered. 

You can, for example, buy ready-made templates – pre-built pages that convincingly clone the look of a major online brand – for as little as $2 or $3. Retail and e-commerce pages sell for an average of $20.43. Bank page knockoffs, on the other hand, average $68, likely because of the greater financial opportunities they afford; that, at least, is the reading of our research team, which found more than 100 ads for pre-fab phishing pages and templates on the Dark Web. But the top prize goes to several investment firms to whom wealthy clients entrust their money. There the price of a phishing page averaged $338.

Phishing – essentially stealing sensitive information like passwords, credentials, reset notifications and other forms of access through trickery – is the single most common form of online attack.  It comes in many flavors and has been used by everyone from entry-level scammers to nation-state actors.  But the specific tactics needed to pull one off will largely depend on the target.  Targeting a specific high-ranking executive, for example, will require a more nuanced and personalized approach than a broad-scale attack potentially reaching millions.  And while most attackers use trickery to extract valuable information, various forms of extortion, including what is being referred to as sextortion, are sometimes used – leading the recipient to believe that compromising information about their computer use has been captured.  But whatever their method, most scams will involve using email at a critical juncture.  So it has to look authentic.

Commercially available templates created to mimic legitimate email from popular services are typically used to convince recipients that their message came from a known sender.  You can buy them from online criminal forums and marketplaces, no questions asked.  You can also buy how-to guides to improve your skill in social engineering scams.  And these templates can be combined with complete phishing kits – all-in-one tool sets that have everything someone would need to launch an attack: ready-built websites, spoofed login pages, trackers, spam lists, even compromised servers and botnets – which can be bought outright or on an as-needed basis through as-a-service platforms.  

Personally Identifiable Information about millions of people is widely traded on the Dark Web, and it is very useful for conning the unsuspecting. Also available online are information-stealing programs such as FormBook, which are frequently used to target aerospace, defense and manufacturing companies. They work by logging the target’s keystrokes, capturing their credentials, executing malicious files, and collecting screenshots of work in progress. Some of them have been appropriated and repurposed from penetration testing tools developed for security pros.

Of course, scamming people half a world away can be lonesome work.  So it’s not unusual to find advertisements and announcements on the Dark Web from people who are looking for a partner in crime – ideally someone with a complementary skill set and a Rolodex of additional resources.  

But with crime-as-a-service operating openly in the parallel universe of the Dark Web, and all the tools needed to initiate a scam both in stock and available at low cost to anyone, is it still possible to defend yourself and your organization against attack?  We think so.  But cyber attackers are resourceful and their devious methods continue to evolve.  So nothing is 100 percent foolproof.  That said, however, there are a handful of mitigation measures that make a great deal of sense. 

• Limit the information your employees share online, including on social media.  Successful phishers perform detailed online reconnaissance so they can craft the most effective emails and social engineering lures.

• Monitor for registrations of typo-squatted domain names that look like yours, which attackers can use to impersonate your brand, send spoofed emails, and host phishing pages.

• Implement additional security measures, such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). They can make spoofing of your domain more difficult.

• Protect your accounts in case phishers do manage to steal user credentials.  Two-factor authentication measures should be mandated across the organization and implemented whenever possible.

• Train your employees how to spot phishing emails.  Give them a clear and recognized reporting method that will alert security teams to suspected phishing attempts.  Employees need to know how to react quickly and should not fear repercussions in case they become the victim of a social engineering attack.
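The SPF and DMARC measures above only raise the bar when the published records are actually enforcing. As an added example that is not code from this column, the following Python grades SPF and DMARC TXT records and flags the settings (such as `~all` or `p=none`) that still let spoofed mail through; the record strings are constructed samples, and the domain names in them are placeholders.

```python
# Added example, not code from the column: grade SPF and DMARC TXT records for
# how much they actually constrain spoofing. Records here are constructed samples.

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_spf(record: str) -> list:
    """Return weaknesses found in an SPF record (an empty list means none found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    mechanisms = [t.lower() for t in terms[1:]]
    findings = []
    if "+all" in mechanisms or "all" in mechanisms:   # bare 'all' means '+all'
        findings.append("'+all' lets any host send as the domain")
    elif "~all" in mechanisms:
        findings.append("'~all' softfail: spoofed mail is tagged, not rejected")
    elif "-all" not in mechanisms:
        findings.append("no terminal '-all': unlisted senders get a neutral result")
    return findings

def grade_dmarc(record: str) -> list:
    """Return weaknesses found in a DMARC record (an empty list means none found)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()   # p is required; treat absence as none
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    # sp= governs subdomains and defaults to p=; an explicit sp=none reopens them
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains remain spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings

# Constructed sample records: each weak form beside its hardened form.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
HARD_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARD_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
```

In practice the records come from DNS TXT lookups of the domain itself (SPF) and of `_dmarc.<domain>` (DMARC); DKIM is checked per selector and is not covered here.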

And good luck always helps.

Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.