How phishing is turning into a business for hackers
Phishing remains one of the most widely used attack methods by hackers today. Social engineering is an effective tool for delivering malware payloads, such as ransomware. And thus, any hacker or malicious gang out for profit typically builds a phishing campaign.
But it’s not just effectiveness that keeps phishing on top. Now, phishing kits are part of dark web sales, granting even the most novice of users all the resources they need to start with basic phishing attacks. I’ve already talked about RaaS kits (ransomware as a service), but with entry-level phishing models made available, we’re headed for dangerous times indeed.
It used to be a cyberattack requiring a sharp degree of knowledge and IT skills. In fact, early examples of ransomware and attacking malware required teams of experts. If you took a swing at a government agency, you were well supplied, funded, and trained. But now, tools that can shut down critical networks are becoming a commodity.
New phishing schemes
HelpNet did a deep dive, utilizing several months of research to identify the surge of phishing kits. These kits, as you might guess, are equipped with everything needed to launch complex campaigns for identify theft and data collection.
From HelpNet’s surveys, which they collected from examining relevant email traffic, they found a few things. One was a heavier increase of mobile-based attacks (such as through smartphones and tablets). Other discoveries found that the most impersonated brands were big tech names like Amazon. Bank names were also used in phishing kit attacks like Wells Fargo and Chase Bank.
Targets of these spam attacks would either receive it through email or SMS texts. Therefore, HelpNet noticed the biggest trending behavior with phishing attacks was greater focus on mobile. It makes sense, given the high use of mobile devices. More so that phishing attacks via mobile devices are unfamiliar territory for many, and users may not recognize one when they see it. Recognition, after all, is a key part of thwarting a phishing strike.
The primary reason for increased emphasis on mobile-based attacks is, as HelpNet surmises, in response to the increase in email security. Today, most apps and services recommend or require both improved passwords, maintain password monitoring, and use two-factor/multi-factor authentication. Desktop nodes are equipped with numerous layers of security, even at a basic level, making a cyber attack much more difficult. And the more difficult it is to approach a target, the less encouraged hackers are.
Mobile devices, however, have fewer protections (for now).
What kind of phishing kits are available?
Like a grocery store for digital criminals, opportunists have a few choices of phishing kits to work with. Five are known to exist, and it’s possible more variants will be available in the future to hackers.
- Basic – Simple files are available in basic kits, with Java, HTML, and PHP scripts.
- Puppeteer Kits – Aimed at collecting banking info, via the process of taking control of a user’s system/directly talking with a victim (similar to gift card scams).
- Dynamic – Special code is included to deliver ‘dynamic’ content to victims, completely unique to each target. Anything from falsified web pages and logins are included in this kit type.
- Commercial – The most popular variant and the one imitating services. Commercial phishing kits are available to buyers who have access to customer support resources and can customize what they want from the kit.
- Frameworks – These operate as apps, executing phishing pages on makeshift web pages.