Security Experts:

Connect with us

Hi, what are you looking for?



There Are Plenty of Phish in the Sea

There Are Plenty of Phish in the Sea for Commercial Phishers and Weekend Scammers Alike

The phish market is open. And you don’t have to be an experienced angler to land a catch of the day.

There Are Plenty of Phish in the Sea for Commercial Phishers and Weekend Scammers Alike

The phish market is open. And you don’t have to be an experienced angler to land a catch of the day.

Not that long ago, in order to successfully scam someone online, you needed to have at least a modicum of digital savvy. Newbies and less talented scammers tended to leave behind telltale signs of their shortcomings. Bad grammar. Misspellings. Poor design. Goofy graphics. Broken links. So, if you happened to be on the receiving end, you would find revealing signs that something was amiss. That was then.

Today, for modest amounts of money, would-be scammers can buy high-quality phishing tools online, through the Dark Web, enabling them to skip all the fuss and bother of actually learning how to code or do graphics or any of the other steps required to successfully scam someone. As a result, the barriers to entering the field of malevolent online behavior have been significantly lowered. 

You can, for example, buy ready-made templates – pre-built pages that convincingly clone the look of a major online brand – for as little as $2 or $3. Retail and e-commerce pages sell for an average of $20.43. Bank page knockoffs, on the other hand, average $68 – likely due to the better financial opportunities it could afford, at least according to our research team which found more than 100 ads for pre-fab phishing pages and templates on the Dark Web. But the top prize goes to several investment firms with whom wealthy clients entrust their money. There the price of a phishing page averaged $338.

Phishing – essentially stealing sensitive information like passwords, credentials, reset notifications and other forms of access through trickery – is the single most common form of online attack.  It comes in many flavors and has been used by everyone from entry-level scammers to nation-state actors.  But the specific tactics needed to pull one off will largely depend on the target.  Targeting a specific high-ranking executive, for example, will require a more nuanced and personalized approach than a broad-scale attack potentially reaching millions.  And while most attackers use trickery to extract valuable information, various forms of extortion, including what is being referred to as sextortion, are sometimes used – leading the recipient to believe that compromising information about their computer use has been captured.  But whatever their method, most scams will involve using email at a critical juncture.  So it has to look authentic.

Commercially available templates created to mimic legitimate email from popular services are typically used to convince recipients that their message came from a known sender.  You can buy them from online criminal forums and marketplaces, no questions asked.  You can also buy how-to guides to improve your skill in social engineering scams.  And these templates can be combined with complete phishing kits – all-in-one tool sets that have everything someone would need to launch an attack: ready-built websites, spoofed login pages, trackers, spam lists, even compromised servers and botnets – which can be bought outright or on an as-needed basis through as-a-service platforms.  

Personally Identifiable Information about millions of people is widely traded on the Dark Web. Very useful to con the unsuspecting. Also available online are information-stealing programs such as FormBook, which are frequently used to target aerospace, defense and manufacturing companies.  They work by logging in the target’s keystrokes, capturing their credentials, executing malicious files, and collecting screenshots of work in progress.  Some them have been appropriated and repurposed from penetration testing tools developed for security pros.

Of course, scamming people half a world away can be lonesome work.  So it’s not unusual to find advertisements and announcements on the Dark Web from people who are looking for a partner in crime – ideally someone with a complementary skill set and a Rolodex of additional resources.  

But with crime-as-a-service operating openly in the parallel universe of the Dark Web, and all the tools needed to initiate a scam both in stock and available at low cost to anyone, is it still possible to defend yourself and your organization against attack?  We think so.  But cyber attackers are resourceful and their devious methods continue to evolve.  So nothing is 100 percent foolproof.  That said, however, there are a handful of mitigation measures that make a great deal of sense. 

• Limit the information your employees share online, including on social media.  Successful phishers perform detailed online reconnaissance so they can craft the most effective emails and social engineering lures.

• Monitor for registrations of typo-squatted domain names that look like yours which attackers can use to impersonate your brand, send spoofed emails, and host phishing pages.

• Implement additional security measures, such as Sender Policy Framework, Domain Message Authentication Reporting and Conformance, and Domain Keys Identified Mail.  They can make the spoofing of your domain more difficult. 

• Protect your accounts in case phishers do manage to steal user credentials.  Two-factor authentication measures should be mandated across the organization and implemented whenever possible.

• Train your employees how to spot phishing emails.  Give them a clear and recognized reporting method that will alert security teams to suspected phishing attempts.  Employees need to know how to react quickly and should not fear repercussions in case they become the victim of a social engineering attack.

And good luck always helps.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...