Why is one of cyber crime’s oldest threats still going strong? The Anti-Phishing Working Group (APWG) reports that January 2021 marked an unprecedented high in the APWG’s records, with over 245,771 phishing attacks in one month.

IBM X-Force’s 2021 Threat Intelligence Index found that phishing led to 33% of cyber attacks organizations had to deal with. Phishing, an online threat that emerged in the mid-1990s, today continues to be a top cyber crime practice that impacts brands and companies and is a prolific initial compromise vector in nation-state attacks.

What makes phishing so pervasive? Why is it still successful? Cyber criminals have been developing their abilities over time. Many attacks are more sophisticated, harder to detect and, most of all, easier for criminals to create and deploy at scale. Phishing attacks can cause losses to the tune of $17,700 per minute and are among the leading threats. An annual FBI report calculated losses of over $4 billion in 2020 from internet crimes, with phishing attacks leading the way. Evidently, phishing is a rampant threat that continues to plague consumers, companies and nations, and one that requires ongoing education and mitigation efforts.

IBM’s Deep Dive Into Phishing Attacks

To gain deeper insight into phishing, IBM Security conducts continuous research into the phishing kits and phishing sites that fuel this cyber crime domain. Looking at phishing kits on the code level, IBM researchers have analyzed over 40,000 phishing kits and deconstructed them to their basic elements. We analyze objects like exfiltration methodologies, uncover compromised data and monitor live phishing campaigns. Think of this research as enabling a sandbox for phishing.

Micro-analyzing the elements of each kit gives us detailed insight and the ability to detect new phishing sites with zero false positives. We can also deduct the proliferation of both kits and campaigns and collect data to see the current activity of a given phishing site.

The goal of IBM’s research is a zero-day detection for phishing sites that directly results in blocking access to those pages in real-time. It can also mean blocking the exfiltration of data for those users that have already been breached.

This post on our research work is the first in a series of blogs that describe our findings and their significance to the anti-fraud, cyber crime and threat intelligence communities.

Phishing at Scale — Quick and Dirty Scam

It is easier and cheaper than ever for phishers to scale their attacks. Phishing itself does not merit much more — it’s a very short-lived form of online threat, typically lasting an average of 21 hours from launch to takedown.

According to previously published research, it takes an average of nine hours after a victim visits a malicious domain for the first detection to come in, and another seven hours after that for browser blocking to take effect and reach a peak in the detection of that site. What about the extra five hours in that life cycle? Those can be accounted for in the time it takes victims to receive the link and start browsing the site.

Kit Code and Hosting – Use and Reuse

Since the lifespan of a phish is quite limited, it is not economically viable for most run-of-the-mill attackers to invest in its inner workings or infrastructure. They, therefore, mostly use the same existing kits with the same codes and same methods to launch the same sorts of attacks over and over. That’s also what makes their attacks all that much easier to detect.

The majority of phishing sites we see in our day-to-day analysis originate from phishing kits that are available for purchase on the dark web and are being reused by many different actors. Typical kits are professionally written and can contain thousands of lines of code. They can be configurable based on the campaign and even have proper error reporting. These kits range in price from a few hundred to a few thousand dollars and can be deployed in a matter of minutes.

Conversely, malware attacks change all the time, shifting tactics around for all aspects, especially the underlying code.

Cheap Hosting

In most of the attacks we observe, phishers register cheap domains for malicious use, host attacks on a compromised domain or a combination of both. Some domain registrations are easy to fund, and this does not require exploiting or compromising an existing site. The downside is that it’s easier to detect and block a standalone malicious site versus an attack hosted on an established legitimate one. Dark web vendors who play in the phishing game sell access to compromised servers, but this option does raise the overall cost of the attack.

Target Lists $50 to $500

Once the phishing attack is ready, it has to get in front of potential victims. To send it out to the right audience, phishers can either contract an underground service that specializes in spamming, or they can go ahead and buy their own target lists. Target lists can be specific to a region or a language and can help attackers get into inboxes of webmail providers and company emails alike. Depending on the viability of the data and its contents, email lists can go for $50 to $500. The price is offset by the reuse of the same list for other attacks or reselling it to other criminals.

Spam Campaign — the Must-Haves

For a phishing campaign to be effective, it requires some basic features that help the phisher get things going:

• A spamming service or an application that can send emails/texts containing the phishing URL
• A service or an application that schedules campaigns
• A service or an application that can upload target data to the domain
• Codebase for a website that mimics legitimate brands — aka a kit
• A way to collect and move data that the victim provides on the phishing page
• A way to gather statistics on the attack campaign’s success over its life cycle.

Phishing campaigns are so pervasive due to the relatively humble cost of phishing kits and the ease of deployment. In fact, we can see multiple phishing campaigns deployed by the same individual on the same day.

Can phishers face legal consequences? Sometimes, but most often, phishers use mules and fake identities to front the campaigns, concealing the true identities of the perpetrators.

Coming Next – Phishing Kit DNA

Phishers may be obscure in nature, but phishing kits can definitely be analyzed and detected. The faster a malicious page is identified, the sooner it can be blocked. To that effect, IBM Security has developed a way to drill down into kits’ DNA and identify phishing pages with certainty. This allows for faster blocking. IBM worked with Quad9 to develop a malicious content blocking tool that is available at no cost to anyone who directs their DNS to Quad9. It’s public, and it’s free.

Stay tuned to this blog post for the next installment to learn more about how we analyze kit DNA.