
12/8/2016
01:30 PM

Phishing Services Reap Twice The Profit For Attackers

Attackers tap the cloud to reduce costs and increase efficiency of their phony and malicious emails, according to a new Imperva study.

Everything else has gone to the cloud, so why not faux emails and their malicious payloads?

That's the upshot of a study released this week that points to cloud-based "phishing-as-a-service" (PhaaS) as a more lucrative technique for cybercriminals. It's a way for attackers to reduce the cost to acquire target email addresses and send out malicious content intended to generate more clicks – and it more than doubles the profit of conventional phishing attacks.

"Compromised Web servers used in PhaaS platforms significantly lower the costs of a phishing campaign and help the cybercriminals hide their tracks," security vendor Imperva said in its new report. According to Imperva, after compiling costs for phishing pages, a spam server, a list of 100,000 email addresses, and access to compromised servers, the total cost of a phishing scam comes to about $28 with the cloud-based approach.

Phishing remains a perennially effective way to cadge logons and passwords from hapless users. In recent months, phishing emails have become a way to infect desktops and servers with ransomware, which infosec professionals continually cite as their biggest ongoing concern and defense priority.

PhaaS is redefining the market and can reduce the cost of a standard phishing campaign to a quarter of current prices, Imperva adds. Reduced labor costs mean higher profit margins and even allow novices to run multiple, simultaneous campaigns. "We can therefore predict a rising demand for PhaaS markets, since it lowers both the cost and the technology barriers," the report said.

Other findings from the research, which was done in conjunction with threat intelligence vendor Intsights, include:

  • Attacks are most successful between 9 am and 12 noon, when 35% of phishing clicks were recorded, suggesting phishers know to catch people early in their work day.  Another spike occurs at 2 pm.
  • Victims are more likely to enter their username and password when opening what they think is a legitimate PDF attachment than they are to click on a URL in the email.
  • 68% of the victims’ credentials hadn't been captured in previously known public breaches.

To mitigate PhaaS, Imperva encourages organizations to blacklist known phishing sites. The vendor also recommends dynamically blocking suspicious patterns in source code that can point to fraudulent requests, such as cross-domain source references that consume images, fonts, and other resources from an external source.
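One way a site owner could look for the cross-domain resource references described above is to scan its own access log for static assets requested with a Referer from a host it does not control. The Python below is an added example, not code from the Imperva report; the Referer-based approach, the host names, the allowlist and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hosts allowed to embed our static assets (our own site and CDN).
OWN_HOSTS = {"www.bank.example", "static.bank.example"}
STATIC_EXT = (".png", ".jpg", ".gif", ".svg", ".css", ".woff", ".woff2", ".ico")

# Combined Log Format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Dec/2016:09:12:01 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.bank.example/login" "Mozilla/5.0"
203.0.113.20 - - [08/Dec/2016:09:14:33 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "http://compromised-shop.example/wp-content/secure/login.html" "Mozilla/5.0"
203.0.113.21 - - [08/Dec/2016:09:14:40 +0000] "GET /fonts/brand.woff2 HTTP/1.1" 200 20480 "http://compromised-shop.example/wp-content/secure/login.html" "Mozilla/5.0"
203.0.113.22 - - [08/Dec/2016:09:20:02 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.23 - - [08/Dec/2016:09:21:10 +0000] "GET /account HTTP/1.1" 200 300 "http://news.example/story" "Mozilla/5.0"
"""

def foreign_asset_referers(log_text, own_hosts=OWN_HOSTS):
    """Map each external referer host to the set of our static assets it embeds."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their fields
        path = urlsplit(m["path"]).path.lower()
        if not path.endswith(STATIC_EXT):
            continue  # ordinary inbound links to pages are normal traffic
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # an empty or "-" referer proves nothing; own pages are expected
        hits[host].add(path)
    return dict(hits)

def candidates(log_text, min_assets=2):
    """External hosts embedding several distinct assets: review before blocking."""
    found = foreign_asset_referers(log_text)
    return sorted(h for h, assets in found.items() if len(assets) >= min_assets)

if __name__ == "__main__":
    print(candidates(SAMPLE_LOG))
```

Hosts returned by `candidates` are leads for review, since partners and search previews can legitimately embed assets, and the Referer header can be stripped or forged by the client.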

Imperva, a Web application firewall security company, also suggests a "communal approach" and building a continuously updating reputation database. That’s supposed to make it possible to identify and block known malicious sources and defend against application distributed denial-of-service (DDoS), site scraping, and comment spam.

"We've tried to understand the motives of the attackers, which we believe are financial," says Itsik Mantin, director of security research at Imperva. So as long as they remain profitable, most Web servers are easily exploited.

"Make your Web server less vulnerable by patching it and keeping it up to date. That helps make the attack less profitable or unprofitable for the attackers," he says.

Those are good ideas, but not completely realistic for most organizations, according to Christopher Hadnagy, chief human hacker for consultancy Social-Engineer LLC in Pennsylvania. "That solution is reactive, not proactive -- the only time you can block a phishing site is after it's been labeled a phishing site," Hadnagy says.

"That's the thing about Amazon Web Services … if a phisher's server gets blocked, they burn it and build another one," he explains. "And no one's going to block AWS … you can't block everything."

The best mitigation technique is still training and educating employees to catch and report legitimate phishing, Hadnagy adds. "A proactive approach that teaches people to identify phish is more important." 


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...
 

Comments
jmyerson
jmyerson,
User Rank: Apprentice
12/9/2016 | 11:32:37 AM
as a service platforms
Phishing as a Service should come under Malware as a service.  Google it to get more information.