Why is one of cyber crime’s oldest threats still going strong? The Anti-Phishing Working Group (APWG) reports that January 2021 marked an unprecedented high in the APWG’s records, with over 245,771 phishing attacks in one month.

IBM X-Force’s 2021 Threat Intelligence Index found that phishing led to 33% of cyber attacks organizations had to deal with. Phishing, an online threat that emerged in the mid-1990s, today continues to be a top cyber crime practice that impacts brands and companies and is a prolific initial compromise vector in nation-state attacks.

What makes phishing so pervasive? Why is it still successful? Cyber criminals have been developing their abilities over time. Many attacks are more sophisticated, harder to detect and, most of all, easier for criminals to create and deploy at scale. Phishing attacks can cause losses to the tune of $17,700 per minute and are among the leading threats. An annual FBI report calculated losses of over $4 billion in 2020 from internet crimes, with phishing attacks leading the way. Evidently, phishing is a rampant threat that continues to plague consumers, companies and nations, and one that requires ongoing education and mitigation efforts.

IBM’s Deep Dive Into Phishing Attacks

To gain deeper insight into phishing, IBM Security conducts continuous research into the phishing kits and phishing sites that fuel this cyber crime domain. Looking at phishing kits on the code level, IBM researchers have analyzed over 40,000 phishing kits and deconstructed them to their basic elements. We analyze objects like exfiltration methodologies, uncover compromised data and monitor live phishing campaigns. Think of this research as enabling a sandbox for phishing.

Micro-analyzing the elements of each kit gives us detailed insight and the ability to detect new phishing sites with zero false positives. We can also deduce the proliferation of both kits and campaigns and collect data to see the current activity of a given phishing site.

The goal of IBM’s research is zero-day detection of phishing sites that directly results in blocking access to those pages in real time. It can also mean blocking the exfiltration of data from users who have already been phished.

This post on our research work is the first in a series of blogs that describe our findings and their significance to the anti-fraud, cyber crime and threat intelligence communities.

Phishing at Scale — Quick and Dirty Scam

It is easier and cheaper than ever for phishers to scale their attacks. Phishing itself does not merit much more investment: it is a very short-lived form of online threat, typically lasting an average of 21 hours from launch to takedown.

According to previously published research, it takes an average of nine hours after a victim first visits a malicious domain for the first detection to come in, and another seven hours after that for browser blocking to take effect and detection of that site to peak. The remaining five hours of that life cycle are the time it takes victims to receive the link and start browsing the site.

Kit Code and Hosting – Use and Reuse

Since the lifespan of a phish is quite limited, it is not economically viable for most run-of-the-mill attackers to invest in its inner workings or infrastructure. They therefore mostly reuse the same existing kits, with the same code and the same methods, to launch the same sorts of attacks over and over. That is also what makes their attacks all that much easier to detect.

The majority of phishing sites we see in our day-to-day analysis originate from phishing kits that are available for purchase on the dark web and are being reused by many different actors. Typical kits are professionally written and can contain thousands of lines of code. They can be configurable based on the campaign and even have proper error reporting. These kits range in price from a few hundred to a few thousand dollars and can be deployed in a matter of minutes.

Conversely, malware attacks change all the time, shifting tactics around for all aspects, especially the underlying code.

Cheap Hosting

In most of the attacks we observe, phishers register cheap domains for malicious use, host attacks on a compromised domain, or combine both. Cheap domain registrations are easy to fund and do not require exploiting or compromising an existing site. The downside for the attacker is that a standalone malicious site is easier to detect and block than an attack hosted on an established legitimate one. Dark web vendors who play in the phishing game sell access to compromised servers, but this option does raise the overall cost of the attack.

Target Lists $50 to $500

Once the phishing attack is ready, it has to get in front of potential victims. To send it out to the right audience, phishers can either contract an underground service that specializes in spamming, or they can go ahead and buy their own target lists. Target lists can be specific to a region or a language and can help attackers get into inboxes of webmail providers and company emails alike. Depending on the viability of the data and its contents, email lists can go for $50 to $500. The price is offset by the reuse of the same list for other attacks or reselling it to other criminals.

Spam Campaign — the Must-Haves

For a phishing campaign to be effective, it requires some basic features that help the phisher get things going:

  • A spamming service or an application that can send emails/texts containing the phishing URL
  • A service or an application that schedules campaigns
  • A service or an application that can upload target data to the domain
  • Codebase for a website that mimics legitimate brands — aka a kit
  • A way to collect and move data that the victim provides on the phishing page
  • A way to gather statistics on the attack campaign’s success over its life cycle

Phishing campaigns are so pervasive due to the relatively humble cost of phishing kits and the ease of deployment. In fact, we can see multiple phishing campaigns deployed by the same individual on the same day.

Can phishers face legal consequences? Sometimes, but most often, phishers use mules and fake identities to front the campaigns, concealing the true identities of the perpetrators.

Coming Next – Phishing Kit DNA

Phishers may hide their identities, but phishing kits can definitely be analyzed and detected. The faster a malicious page is identified, the sooner it can be blocked. To that end, IBM Security has developed a way to drill down into kits’ DNA and identify phishing pages with certainty, which allows for faster blocking. IBM worked with Quad9 to develop a malicious content blocking tool that is available at no cost to anyone who directs their DNS to Quad9. It’s public, and it’s free.

Stay tuned to this blog for the next installment to learn more about how we analyze kit DNA.
