A few weeks ago Kaspersky Lab experts published a new study on the evolution of phishing over the past two years.
Here is a summation of what the study found:
“At the same time, the nature of phishing attacks is such that the simplest types can be launched without any major infrastructure investments or in-depth technological research. This situation has led to its own form of “commercialization” of these types of attacks, and phishing is now being almost industrialized, both by cybercriminals with professional technological skills and IT dilettantes.
Overall, the effectiveness of phishing, combined with its profitability for criminals and the simplicity of the process, has led to a steadily rising number of these types of incidents.”
Commercialization suggests that black market dealers offer phishing attack services and even entire phishing campaigns, and there are many ready solutions on the Web.
Actually, until recently there has been a project called Simple Phishing Toolkit, which assisted in arranging all necessary traps with ease. In particular, you could clone any web page and generate phishing emails by just one click.
SPT was created and used as a tool for teaching system administrators and staff of companies: there was no function for storing the inputs of users. So SPT was relatively harmless in itself (the project has now been closed).
But these kinds of examples, like Super Phisher or the “good old” Rock Phish Kit, are just “combat” tools used by attackers.
In the end, it is impossible to ignore Metasploit, which is a legitimate project for testing infrastructure vulnerabilities, though it is often used for phishing and spearphishing attacks, too. Metasploit Framework is an open source project; any new tool deployed in it instantly appears in other toolkits.
Black market dealers (including Russian underground sites) offer help in hacking email accounts on various web services like Mail.ru, Yandex.ru, Rambler.ru, Gmail.com and Yahoo.com. The offered methods include brute force, social engineering, XSS and phishing. The fee is $60 or more per hacked email account depending on the account’s location.
One of the main problems with phishing attacks, in general, is that they are quite easy to launch and very hard to detect and block without special hardware. Moreover, phishing attacks are becoming more sophisticated and high-tech. The “commercial” component of phishing today manifests itself in the fact that the targets of such attacks increasingly become not just individual users, but commercial companies that suffer from a specific and dangerous type of phishing called spearphishing.
Spearphishing is a targeted attack on a company, preceded by gathering information about the potential target and its vulnerabilities. This is done in order to give authenticity to the “bait” – a phishing email or a personal message on the social network.
Here is a simple example. Shortly after the Christmas and New Year holidays, company employees receive a letter titled “Pictures from the New Year corporate party 29.12” from some of their colleagues or supervisors. The text of the message must somehow confirm the source of the letter and the link in it should lead to a site with a URL similar to the address of a popular photosharing site or social network. The party date coincides since the attackers have watched the social network profiles of one or more employees and made sure that the party was on the 29th, not the 30th or the 31st of December, and at the same time, they gathered additional information to make the “bait” appear more trustworthy.
Just one recipient of the message needs to follow the link. It may be a fake social network page that requires authorization, a web page infected with exploits or even have real photographs (albeit not from the corporate party) with malware in their metadata. As a result, attackers get access to the social network profiles of one or more employees and try to use the same passwords on other sites. In the worst case, the whole corporate network gets infected through the computer of a gullible victim and the attackers can do as they please.
As we have repeatedly emphasized, even very experienced users find it difficult to “manually” protect themselves against certain types of phishing. There are too many factors involved. Therefore, a reliable infrastructure protection must include antiphishing tools, which insure protection against excessive credulity.