12/8/2016 01:30 PM
Phishing Services Reap Twice The Profit For Attackers

Attackers tap the cloud to reduce costs and increase efficiency of their phony and malicious emails, according to a new Imperva study.

Everything else has gone to the cloud, so why not faux emails and their malicious payloads?

That's the upshot of a study released this week that points to cloud-based "phishing-as-a-service" (PhaaS) as a more lucrative technique for cybercriminals. It's a way for attackers to reduce the cost of acquiring target email addresses and sending out malicious content intended to generate more clicks – and it more than doubles the profit of conventional phishing attacks.

"Compromised Web servers used in PhaaS platforms significantly lower the costs of a phishing campaign and help the cybercriminals hide their tracks," security vendor Imperva said in its new report. According to Imperva, after compiling costs for phishing pages, a spam server, a list of 100,000 email addresses, and access to compromised servers, the total cost of a phishing scam comes to about $28 with the cloud-based approach.

Phishing remains a perennially effective way to cadge logons and passwords from hapless users. In recent months, phishing emails have also become a way to infect desktops and servers with ransomware, which infosec professionals continually cite as their biggest ongoing concern and defense priority.

PhaaS is redefining the market and can reduce the cost of a standard phishing campaign to a quarter of current prices, Imperva adds. Reduced labor costs mean higher profit margins, and the model even allows novices to run multiple, simultaneous campaigns. "We can therefore predict a rising demand for PhaaS markets, since it lowers both the cost and the technology barriers," the report said.

Other findings from the research, which was done in conjunction with threat intelligence vendor Intsights, include:

  • Attacks are most successful between 9 am and 12 noon, when 35% of phishing clicks were recorded, suggesting phishers know to catch people early in their work day. Another spike occurs at 2 pm.
  • Victims are more likely to enter their username and password when opening what they think is a legitimate PDF attachment than they are to click on a URL in the email.
  • 68% of the victims’ credentials hadn't been captured in previously known public breaches.

To mitigate PhaaS, Imperva encourages organizations to blacklist known phishing sites. The vendor also recommends dynamically blocking requests that carry suspicious patterns in their source, such as cross-domain source references in which a page hosted elsewhere pulls images, fonts, and other resources from the legitimate site.
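The cross-domain reference check described above can be approximated on the legitimate site's own access logs: a phishing page hosted elsewhere that hot-links the brand's images, fonts or stylesheets shows up as asset requests whose Referer is a foreign host. The following is an added example, not Imperva's code or anything from the report; the brand domain, the log lines and the phishing host are constructed for illustration.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

OWN_DOMAIN = "example-bank.com"  # assumed brand domain; subdomains may embed assets
STATIC_EXT = (".png", ".jpg", ".gif", ".svg", ".ico", ".woff", ".woff2", ".ttf", ".css")
# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Constructed sample lines: a legitimate embed, two hot-links from a foreign host,
# a page load (not an asset) from that host, and a direct request with no Referer.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Dec/2016:09:14:02 +0000] "GET /static/logo.png HTTP/1.1" 200 5123 "https://www.example-bank.com/login" "Mozilla/5.0"
203.0.113.11 - - [08/Dec/2016:09:15:40 +0000] "GET /static/logo.png HTTP/1.1" 200 5123 "http://secure-login-update.example.net/bank/index.html" "Mozilla/5.0"
203.0.113.12 - - [08/Dec/2016:09:16:01 +0000] "GET /static/fonts/brand.woff2?v=3 HTTP/1.1" 200 30211 "http://secure-login-update.example.net/bank/index.html" "Mozilla/5.0"
203.0.113.13 - - [08/Dec/2016:09:17:55 +0000] "GET /login HTTP/1.1" 200 2048 "http://secure-login-update.example.net/bank/index.html" "Mozilla/5.0"
203.0.113.14 - - [08/Dec/2016:09:18:10 +0000] "GET /static/site.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
""".splitlines()

def referer_host(referer: str) -> Optional[str]:
    """Lowercase host from a Referer header, or None when absent or unparseable."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None

def is_static(path: str) -> bool:
    """True for image, font and stylesheet paths; the query string is ignored."""
    return urlsplit(path).path.lower().endswith(STATIC_EXT)

def is_own_host(host: str) -> bool:
    # Exact domain or a real subdomain; "example-bank.com.evil.example" fails this.
    return host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN)

def suspicious_referers(lines) -> Counter:
    """Count static-asset requests per foreign Referer host.

    Requests with no Referer are skipped: browsers send none for typed URLs and
    privacy tools often strip it, so those lines prove nothing either way.
    """
    hits: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_static(m["path"]):
            continue
        host = referer_host(m["referer"])
        if host and not is_own_host(host):
            hits[host] += 1
    return hits
```

A host that keeps appearing as the referrer for your logo and fonts but never for anything else is a strong candidate for the blocklist, with the same caveat Hadnagy raises below: the block only lands after the page is already live.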

Imperva, a Web application firewall security company, also suggests a "communal approach" and building a continuously updating reputation database. That’s supposed to make it possible to identify and block known malicious sources and defend against application distributed denial-of-service (DDoS), site scraping, and comment spam.

"We've tried to understand the motives of the attackers, which we believe are financial," says Itsik Mantin, director of security research at Imperva. So as long as they remain profitable, most Web servers are easily exploited.

"Make your Web server less vulnerable by patching it and keeping it up to date. That helps make the attack less profitable or unprofitable for the attackers," he says.

Those are good ideas, but not completely realistic for most organizations, according to Christopher Hadnagy, chief human hacker for consultancy Social-Engineer LLC in Pennsylvania. "That solution is reactive, not proactive -- the only time you can block a phishing site is after it's been labeled a phishing site," Hadnagy says.

"That's the thing about Amazon Web Services … if a phisher's server gets blocked, they burn it and build another one," he explains. "And no one's going to block AWS … you can't block everything."

The best mitigation technique is still training and educating employees to catch and report real phishing attempts, Hadnagy adds. "A proactive approach that teaches people to identify phish is more important."


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...

Comments

jmyerson, User Rank: Apprentice, 12/9/2016 11:32:37 AM
as a service platforms
Phishing as a Service should come under Malware as a service. Google it to get more information.