Endpoint

12/8/2016 01:30 PM
Phishing Services Reap Twice The Profit For Attackers

Attackers tap the cloud to reduce costs and increase efficiency of their phony and malicious emails, according to a new Imperva study.

Everything else has gone to the cloud, so why not faux emails and their malicious payloads?

That's the upshot of a study released this week that points to cloud-based "phishing-as-a-service" (PhaaS) as a more lucrative technique for cybercriminals. It lets attackers cut the cost of acquiring target email addresses and of sending malicious content designed to generate more clicks, and it more than doubles the profit of a conventional phishing attack.

"Compromised Web servers used in PhaaS platforms significantly lower the costs of a phishing campaign and help the cybercriminals hide their tracks," security vendor Imperva said in its new report. According to Imperva, after compiling costs for phishing pages, a spam server, a list of 100,000 email addresses, and access to compromised servers, the total cost of a phishing scam comes to about $28 with the cloud-based approach.

Phishing remains a perennially effective way to cadge logons and passwords from hapless users. In recent months, phishing emails have also become a way to infect desktops and servers with ransomware, which infosec professionals continually cite as their biggest ongoing concern and defense priority.

PhaaS is redefining the market and can reduce the cost of a standard phishing campaign to a quarter of current prices, Imperva adds. Reduced labor costs mean higher profit margins, and the model even allows novices to run multiple simultaneous campaigns. "We can therefore predict a rising demand for PhaaS markets, since it lowers both the cost and the technology barriers," the report said.

Other findings from the research, which was done in conjunction with threat intelligence vendor Intsights, include:

  • Attacks are most successful between 9 am and 12 noon, when 35% of phishing clicks were recorded, suggesting phishers know to catch people early in their work day. Another spike occurs at 2 pm.
  • Victims are more likely to enter their username and password when opening what they think is a legitimate PDF attachment than they are to click on a URL in the email.
  • 68% of the victims' credentials hadn't been captured in previously known public breaches.

To mitigate PhaaS, Imperva encourages organizations to blacklist known phishing sites. The vendor also recommends dynamically blocking requests that show suspicious patterns in page source code, such as cross-domain references that load images, fonts, and other resources from an external source (a cloned login page typically pulls the real brand's assets from the brand's own servers).

Imperva, a Web application firewall security company, also suggests a "communal approach": building a continuously updated reputation database. Such a database is meant to make it possible to identify and block known malicious sources and to defend against application-layer distributed denial-of-service (DDoS), site scraping, and comment spam.
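The two detections Imperva describes above, hotlinked resources and a reputation list of the origins that hotlink them, are simple to prototype. The following is an added example written for this page (not Imperva's, Intsights' or Dark Reading's code); the host names, paths, log lines and HTML are constructed for illustration. The first check runs on the brand's own web server logs and counts static-asset requests per foreign Referer origin; the second scans a suspect page's HTML for resources loaded from a host other than the page's own.

```python
"""Two checks for phishing kits that clone a brand's login page.

Added example, not Imperva's or Dark Reading's code. Host names, paths
and log lines are constructed for illustration.
  1. hotlink_origins: on the brand's own web server, asset requests whose
     Referer is a foreign origin point at a cloned page loading the brand's
     images, fonts and stylesheets from elsewhere.
  2. cross_domain_assets: in a suspect page's HTML, <img>/<script>/<link>
     sources on a host other than the page's own host.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_EXTS = (".png", ".gif", ".jpg", ".svg", ".css", ".js", ".woff", ".woff2", ".ttf")


def hotlink_origins(log_lines, first_party_hosts):
    """Count static-asset requests per foreign Referer origin (scheme://host).

    Direct requests (Referer "-" or empty) and first-party referers are
    ignored, so the result is a list of candidate phishing origins to feed a
    blocklist or reputation database."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(ASSET_EXTS):
            continue                      # only images, fonts, CSS, JS
        referer = m.group("referer")
        if referer in ("", "-"):
            continue                      # no Referer sent (direct or stripped)
        parts = urlsplit(referer)
        if not parts.hostname or parts.hostname.lower() in first_party_hosts:
            continue
        counts[f"{parts.scheme}://{parts.hostname}"] += 1
    return dict(counts)


class _AssetCollector(HTMLParser):
    """Collect src/href of tags that load external resources."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script") and a.get("src"):
            self.refs.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.refs.append(a["href"])


def cross_domain_assets(html, page_host):
    """Return resource URLs in html whose host differs from page_host.

    Relative URLs (no host) are first-party by definition; protocol-relative
    URLs (//host/...) resolve to their host."""
    collector = _AssetCollector()
    collector.feed(html)
    return [ref for ref in collector.refs
            if urlsplit(ref).hostname
            and urlsplit(ref).hostname.lower() != page_host.lower()]


# --- constructed sample data (hypothetical hosts, RFC 5737 test addresses) ---
FIRST_PARTY = {"www.example-bank.com", "login.example-bank.com"}

SAMPLE_LOG = [
    '203.0.113.5 - - [08/Dec/2016:09:14:02 +0000] "GET /static/logo.png HTTP/1.1" 200 4821 "https://login.example-bank.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Dec/2016:09:15:10 +0000] "GET /static/logo.png HTTP/1.1" 200 4821 "http://cheap-hosting.example/secure/login.php" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Dec/2016:09:15:10 +0000] "GET /fonts/brand.woff2 HTTP/1.1" 200 31204 "http://cheap-hosting.example/secure/login.php" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Dec/2016:09:16:44 +0000] "GET /static/style.css?v=3 HTTP/1.1" 200 9011 "https://evil-cdn.example/pdf/view.html" "Mozilla/5.0"',
    '203.0.113.8 - - [08/Dec/2016:09:17:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Dec/2016:09:18:00 +0000] "GET /account/login HTTP/1.1" 200 2210 "http://cheap-hosting.example/secure/login.php" "Mozilla/5.0"',
]

# A cloned login page as it might sit on the compromised host
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://www.example-bank.com/static/style.css">
<link rel="icon" href="/favicon.ico">
</head><body>
<img src="https://www.example-bank.com/static/logo.png">
<img src="img/padlock.png">
<script src="//www.example-bank.com/static/app.js"></script>
<form method="post" action="login.php"></form>
</body></html>"""

if __name__ == "__main__":
    for origin, n in sorted(hotlink_origins(SAMPLE_LOG, FIRST_PARTY).items()):
        print(f"suspect origin {origin}: {n} hotlinked asset(s)")
    for url in cross_domain_assets(SAMPLE_HTML, "cheap-hosting.example"):
        print(f"cross-domain resource: {url}")
```

The two views are complementary: the cross-domain sources found by the second check are exactly what cause the first check's foreign Referer entries on the brand's servers. Both are heuristics, not proof. A kit that copies the assets locally leaves no hotlink trail, a Referrer-Policy or privacy extension can strip the Referer header, and a legitimate partner site may embed the brand's logo; the origins this produces are candidates for review and for a reputation list, not an automatic block decision.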

"We've tried to understand the motives of the attackers, which we believe are financial," says Itsik Mantin, director of security research at Imperva. As long as the attacks stay profitable, attackers will keep taking over the many Web servers that are easy to exploit, he says.

"Make your Web server less vulnerable by patching it and keeping it up to date. That helps make the attack less profitable or unprofitable for the attackers," he says.

Those are good ideas, but not completely realistic for most organizations, according to Christopher Hadnagy, chief human hacker for consultancy Social-Engineer LLC in Pennsylvania. "That solution is reactive, not proactive -- the only time you can block a phishing site is after it's been labeled a phishing site," Hadnagy says.

"That's the thing about Amazon Web Services … if a phisher's server gets blocked, they burn it and build another one," he explains. "And no one's going to block AWS … you can't block everything."

The best mitigation technique is still training and educating employees to recognize and report genuine phishing attempts, Hadnagy adds. "A proactive approach that teaches people to identify phish is more important."

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...

Comments
jmyerson, User Rank: Apprentice
12/9/2016 | 11:32:37 AM
as a service platforms
Phishing as a Service should come under Malware as a service. Google it to get more information.