Criminal groups use the most effective tools for attacks that allow them to quickly and cost-effectively get what they want: infiltrate the system, launch malware, or steal money. According to research, the most common vector of attacks remains phishing - campaigns aimed at people that actively use social engineering.
The demand for phishing has led to the emergence of specialized services offering a full range of services for creating and implementing a fraudulent attack. For relatively little money, the customer receives a study of the target audience, the development of letters taking into account the psychological portrait of potential victims, as well as the infrastructure for the campaign. About how the Phishing-as-a-Service (PhaaS) service is arranged, how much it costs to rent it, and how to protect yourself from fraudsters, says Andrey Zharkevich, editor of the information security company Antifishing. The text was prepared based on the interview results.
How it all began
Phishing-as-a-Service emerged in its infancy 10 years ago as a ready-to-use Login Spoofer 2010 phishing attack kit that was cloud-enabled.
This was not at all what cybercriminals and their clients are using now, but the system allowed the creation of phishing sites and was distributed free of charge. To compensate for the lack of monetization of their tool, developers secretly from gullible script kiddys sent the data that passed through their tool to their server, and then used it for their own purposes.
Later, βhonestβ services appeared that do exactly what they promise to their customers.
PhaaS device
The principle of the division of labor allows you to increase productivity even when it comes to illegal areas of activity. Thanks to PhaaS, criminals do not have to deal with routine tasks, which include:
- Preparatory stage: defining the target audience, building its psychological profile, determining the most effective type of phishing that will be used - messengers, social networks, email or malicious advertising.
- Development of a phishing message. The letter should "hook" the potential victim in order to hit the underlying emotions and disable rational thinking. The design and content of the message should be realistic so that as many of the target audience as possible believe in them.
- Infrastructure creation: a site that mimics the site of a real company and steals customer data, a malicious attachment that loads a "payload" to continue the attack.
- Launching a campaign: sending messages in a chosen way, collecting data, receiving information from a "payload" or infiltrating the target system and encrypting the data. This is the final stage at which the attackers get the result they want.
The rise of phishing as a service has made it as easy to conduct a scam campaign as it is to subscribe to Netflix. Cybercriminal clients get the following features:
- Cost savings. The cost of phishing services is determined by their scale and main task, but in general, it is much cheaper than preparing an attack yourself.
- . 10 ? . ? , .
- . , , .
- . , . , .
Cyren, an information security company, announced the discovery of approximately 5,334 ready-to-use Phishing-as-a-Service products last year . Here is a screenshot of the suggestions of one of the developers of the malicious service.
As you can see, the service is inexpensive, offers a rich set of functions, and even discounts for users. The product looks very professional, no worse than the offers of legal services. There is no hint of unprofessionalism, underground and illegality. The price is affordable for almost any category of users - take it and work.
Fake Microsoft site. uses the microsoft.net domain and a normal SSL certificate. Such deception can mislead even a tech-savvy user.
A phishing campaign from professionals includes sending messages, creating fraudulent resources, and developing link masking methods.
Why phishing is effective
Psychological Component
The main reason why phishing is effective is that it can bypass the most advanced defense systems by influencing people and their basic emotions so that they perform the actions the criminals want. This is clearly demonstrated by successful business correspondence compromise (BEC) campaigns that use nothing but text.
The most sophisticated methods of disguising a phishing link will not work if the text of the message does not make the recipient want to click on it. A technically perfect malicious document can bypass all security systems, but it will not work if the recipient doubts the authenticity of the letter and does not open the attachment.
Thus, the main element of phishing attacks is not only and not so much the technical infrastructure, consisting of fraudulent domains and convincing-looking sites, but professional social engineering that uses the influence on basic emotions and amplifiers in the form of urgency and importance.
After a user, under the influence of the text of a phishing message, has decided to open an attached document or follow a link, it is the turn of the infrastructure phishing toolkit. It is important that the victim, who has "pecked" on the bait, continues to believe that he is doing everything right.
Technical component
The following are usually used by cybercriminals to bypass technical means of protection:
- HTML: HTML- , , .
- : HTML, .
- : , .
- URL- : ,
- (content injection): - , .
- : , .
Today, almost all phishing resources use digital certificates to increase the level of trust in them. According to the Anti-Phishing Working Group (APWG), until two years ago , only half of phishing sites had SSL certificates .
How to protect yourself?
Since phishing attacks are targeted at people, the main method of protection against them will be working with people, which consists of two mandatory parts:
- training employees in safe behavior skills at work and in everyday life;
- practicing practical skills of safe behavior using systems that simulate real attacks.
Trainings for users must be conducted regularly, and all employees of the company, without exception, must take part in them. Traditional training in the form of a film screening or a lecture on the basics of information security is not enough to develop safe work skills.
Knowledge is action, so theory needs to be put into practice, as attackers use techniques that even experienced cybersecurity professionals cannot recognize. Skills training can be organized using various phishing attacks imitating the actions of real cybercriminals.
How much do cybercriminals make?
According to McAfee 's The Hidden Costs of Cybercrime , the global economy loses at least $ 1 trillion annually to hackers, which is more than 1% of global GDP. According to Sberbank, losses of the Russian economy from cybercrime by the end of 2020 may reach 3.5 trillion rubles .
The most profitable industries are:
Kind of crime
|
Annual income
|
Illegal online markets
|
$ 860 billion
|
Trade secret, IP theft
|
$ 500 billion
|
Data Trading | $ 160 billion
|
Crime-ware / CaaS
|
$ 1.6 billion
|
Ransomware
|
$ 1 billion
|
Total | $ 1.5 trillion
|
The cost of various services provided by cybercriminals using the SaaS scheme:
Product or service
|
The cost
|
SMS Spoofing
|
$ 20 / month
|
Custom Spyware
|
$ 200
|
Hacker-for-Hire
|
$ 200 +
|
Malware Exploit Kit
|
$ 200- $ 700
|
Blackhole Exploit Kit
|
$700/ or $1 500/
|
Zero-Day Adobe Exploit
|
$30 000
|
Zero-Day iOS Exploit
|
$250 000
|
The effectiveness of the PhaaS scheme and the increase in the number of phishing campaigns around the world predict further growth in the offer of this cybercriminal service. There is a high likelihood that PhaaS offerings will be augmented with data leaked during 2020, increasing the effectiveness and danger of fraudulent campaigns.
Given that the average amount of damage from a successful phishing attack, according to Group-IB, exceeds RUB 1.5 million , organizations should carefully analyze potential risks and check the resilience of their employees to fraud in order to reduce the likelihood of financial and reputational losses.