US-Council News

Phishing Services Reap Twice The Profit For Attackers

Attackers tap the cloud to reduce costs and increase efficiency of their phony and malicious emails, according to a new Imperva study.

Everything else has gone to the cloud, so why not faux emails and their malicious payloads?

That's the upshot of a study released this week that points to cloud-based, "phishing-as-a-service" (PhaaS)," as a more lucrative technique for cybercriminals. It's a way for attackers to reduce the cost to acquire target email addresses and send out malicious content intended to generate more clicks – and it more than doubles the profit of conventional phishing attacks.

"Compromised Web servers used in PhaaS platforms significantly lower the costs of a phishing campaign and help the cybercriminals hide their tracks," security vendor Imperva said in its new report. According to Imperva, after compiling costs for phishing pages, a spam server, a list of 100,000 email addresses, and access to compromised servers, the total cost of a phishing scam comes to about $28 with the cloud-based approach.

Phishing remains a perennially effective way to cadge logons and passwords from hapless users, In recent months, phishing emails have become a way to infect desktops and servers with ransomware, which infosec professionals continually cite as their biggest ongoing concern and defense priority.

PhaaS is re-defining the market and can reduce costs of a standard phishing campaign to a quarter of current prices, Imperva adds. Reduced labor costs means higher profit margins, Imperva adds, and even allows novices to run multiple, simultaneous campaigns. "We can therefore predict a rising demand for PhaaS markets, since it lowers both the cost and the technology barriers," the report said.

Other findings from the research, which was done in conjunction with threat intelligence vendor Intsights, include:

  • Attacks are most successful between 9 am and 12 noon, when 35% of phishing clicks were recorded, suggesting phishers know to catch people early in their work day.  Another spike occurs at 2 pm.
  • Victims are more likely to enter their username and password when opening what they think is a legitimate PDF attachment than they are to click on a URL in the email.
  • 68% of the victims’ credentials hadn't been captured in previously known public breaches.

To mitigate PhaaS, Imperva encourages organizations to blacklist known phishing sites. The vendor also recommends dynamically blocking suspicious patterns included in source code that can point to fraudulent requests, like those based on cross-domain source references, consuming images, fonts, and other resources from an external source.

Imperva, a Web application firewall security company, also suggests a "communal approach" and building a continuously updating reputation database. That’s supposed to make it possible to identify and block known malicious sources and defend against application distributed denial-of-service (DDoS), site scraping, and comment spam.

"We've tried to understand the motives of the attackers, which we believe are financial," says Itsik Mantin, director of security research at Imperva. So as long as they remain profitable, most Web servers are easily exploited.

"Make your Web server less vulnerable by patching it and keeping it up to date. That helps make the attack less profitable or unprofitable for the attackers," he says.

Those are good ideas, but not completely realistic for most organizations, according to Christopher Hadnagy, chief human hacker for consultancy Social-Engineer LLC in Pennsylvania. "That solution is reactive, not proactive -- the only time you can block a phishing site is after it's been labeled a phishing site," Hadnagy says.

"That's the thing about Amazon Web Services … if a phisher's server gets blocked, they burn it and build another one," he explains. "And no one's going to block AWS … you can't block everything."

The best mitigation technique is still training and educating employees to catch and report legitimate phishing, Hadnagy adds. "A proactive approach that teaches people to identify phish is more important."