Modern popular culture has a habit of depicting cybercriminals as genius masterminds with an extensive list of computing skills at their disposal. While such individuals do exist, the image does not accurately represent the majority of people behind today's cyber attacks.
Phishing attacks have long been one of the most common threat vectors, ranging from the typical blanket email campaign to more targeted and sophisticated methods, like business email compromise (BEC) attacks. Because phishing is one of the more straightforward cyber threats, we're seeing it used in some of the biggest attacks today. And now, thanks to the availability of phishing kits and easy-to-use website hosting platforms, pretty much anyone can launch a career in cybercrime as a phisher if they find the right video tutorial.
How has phishing evolved?
As technology habits have progressed, so have phishing tactics. The latest trend we've seen catch on is a rise in phishing kits that allow cyber attackers to focus specifically on mobile devices. The continuation of remote and hybrid working models makes mobile devices far more lucrative targets for criminals, as dispersed workforces are no longer directly under the watchful eyes of IT teams. Thanks to shadow IT and limited device visibility, it is far harder for security teams to monitor and protect all relevant mobile devices.
Additionally, we’re noticing that phishing campaigns are less likely to be driven by the theft of random credentials, and are instead targeting far more valuable data, including bank details and social security numbers. Previously, harvesting basic credentials like email addresses and passwords would give criminals the resources to carry out further phishing campaigns for the bigger prizes. However, now, we are seeing more adversaries trying to cut out the first stage to instead make a beeline for the pot of gold. For example, our latest research has shown a 300 per cent increase in phishing sites targeting Chase Bank account holders. Each fraudulent site behind the URL in the phishing email was created using a phishing kit.
While banking and financial data has always been a main target for criminals, there has recently been a significant shift towards cryptocurrency and crypto-wallets. Once a threat actor breaches a crypto account, they’re free to transfer the contents without much interference or risk of getting caught. Multifactor authentication (MFA) and other layers of defence make it harder for attackers to steal company assets, but criminals are constantly finding new methods to bypass security.
Giving attackers a boost
As well as being deployed as standalone attacks, phishing is also used at the start of larger, more sophisticated campaigns. By targeting employees, who are considered to be the weakest link in any cybersecurity programme, phishers can gain an initial foothold in the company network and paint a picture of the entire infrastructure. This intel is extremely valuable for groups looking to launch invasive ransomware attacks as a secondary campaign.
Some of the most devastating attacks in recent months, including the SolarWinds compromise, have all started with a simple phishing attack. And with the necessary resources and step-by-step instructions on how to launch a phishing attack readily available on the internet via phishing kits, we can expect to see the numbers continue to rise.
So, what is a phishing kit?
In its basic form, a phishing kit is an all-encompassing package for setting up and deploying a phishing attack. Very few people realise how accessible these ‘starter packs’ are – you definitely wouldn’t need to venture as far as the dark web before you stumble across one. According to our research, one of the most used kits is the Chase XBALTI, and the primary targets are Chase and Amazon account holders.
The kit includes code for setting up the phishing site, which is easily uploaded once a domain has been acquired. An individual would then simply have to configure the phishing site to forward stolen credentials to a separate location and start sending. There are usually large lists of email addresses available online, or sometimes phishers will purchase specific datasets from the dark web if they wish for the phishing campaign to be more targeted. There are even services that will do the sending for you, so once it's deployed, it can be left to run. Even if one of these phishing sites is discovered, taking it down is not always a straightforward task.
To align with the latest trends in phishing, online kits are now far more sophisticated, but still just as easy to use, meaning they can now be deployed to collect financial details, social security numbers, home addresses and other personal information. They've even been equipped to bypass common security measures so that they can now capture one-time codes used for MFA. Part of their appeal is evasion: our research has also demonstrated these phishing kits' evasion capabilities. In some instances, attackers use free dynamic domain name services to point a URL to the server of their choice. This feature allows the kit's operators to change the destination of the URL should the phishing site be discovered and shut down.
Some online stores are selling these kits for a few hundred dollars and phishing sites can be set up in an hour or so. Crime has never been so affordable and accessible.
The rules to live by when fighting phishing
The simple and accessible nature of phishing means it will remain a popular threat vector for attackers in years to come. With tools out there to make anyone a phisher, businesses need to do the groundwork now and batten down the hatches before they become overwhelmed. There are three security policies that businesses should adhere to as standard practice: never re-use passwords, always use MFA where possible, and never underestimate the power of common sense.
It is also important to introduce solutions that are able to analyse email messages to determine whether they are malicious. Organisations should look to blend the latest best practices for preventing phishing attacks: traditional email filters, specialised detection frameworks and user training. Email filters provide an organisation with high-speed detection of spam, malware and well-known phishing URLs, while specialised detection works at the application layer to learn and identify unique and targeted threats using techniques such as machine learning, natural language processing and behaviour analytics. User training adds another layer of defence by helping to address suspicious messages that are neither deterministically clean nor malicious. By combining these three best practices, organisations will find themselves in better stead to avoid becoming victims of phishing attacks.
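The three layers described above, and the dynamic-DNS redirection noted earlier, can be made concrete with a small triage routine. The following is an added example written for this article, not code from the original text or from any product it describes: a deterministic blocklist check, a heuristic scorer (brand lookalike hosts, free dynamic DNS suffixes, urgency wording), and a "suspicious" band that hands the undecided middle to the human reviewer that user training prepares. The blocklist, protected-brand table, sample messages and score thresholds are all constructed for illustration; a real deployment would replace them with maintained threat feeds and tuned weights.

```python
"""Layered phishing triage: deterministic filter, heuristic scoring, human escalation.

Added illustration for this article. Every list and message below is constructed
sample data, not real threat intelligence.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Layer 1 input: constructed blocklist standing in for a feed of known phishing hosts.
KNOWN_BAD_HOSTS = {"chase-secure-login.example", "amaz0n-verify.example"}

# Brands the organisation wants to protect, mapped to their legitimate domains (assumed).
PROTECTED_BRANDS = {"chase": "chase.com", "amazon": "amazon.com"}

# Illustrative free dynamic DNS suffixes; a real deployment would use a maintained list.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")

# Urgency phrases typical of credential-harvesting lures (constructed list).
URGENCY_WORDS = ("urgent", "verify", "suspended", "immediately", "confirm your account")

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)

# Constructed thresholds: at or above MALICIOUS quarantine; at or above SUSPICIOUS escalate.
MALICIOUS_THRESHOLD = 50
SUSPICIOUS_THRESHOLD = 20


@dataclass
class Verdict:
    label: str      # "malicious", "suspicious" or "clean"
    score: int
    reasons: list


def extract_hosts(body):
    """Return lowercase hostnames of every http(s) URL found in the message body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def lookalike_brand(host):
    """Return the protected brand a host imitates, or None if it is legitimate/unrelated."""
    for legit in PROTECTED_BRANDS.values():
        if host == legit or host.endswith("." + legit):
            return None
    # Undo the simplest digit-for-letter substitutions before looking for the brand name.
    normalised = host.replace("0", "o").replace("1", "l")
    for brand in PROTECTED_BRANDS:
        if brand in normalised:
            return brand
    return None


def triage(sender, subject, body):
    """Classify one message using the three layers in order."""
    hosts = extract_hosts(body)

    # Layer 1: deterministic filter. A known phishing host decides the case outright.
    for host in hosts:
        if host in KNOWN_BAD_HOSTS:
            return Verdict("malicious", 100, [f"known phishing host {host}"])

    # Layer 2: heuristic scoring of link and wording features.
    score, reasons = 0, []
    for host in hosts:
        brand = lookalike_brand(host)
        if brand:
            score += 40
            reasons.append(f"{host} imitates {brand}")
        if host.endswith(DYNDNS_SUFFIXES):
            score += 30
            reasons.append(f"{host} resolves through a free dynamic DNS service")
    text = f"{subject} {body}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        score += 10 * len(hits)
        reasons.append("urgency wording: " + ", ".join(hits))

    # Layer 3: the undecided middle is routed to a trained human rather than auto-resolved.
    if score >= MALICIOUS_THRESHOLD:
        return Verdict("malicious", score, reasons)
    if score >= SUSPICIOUS_THRESHOLD:
        return Verdict("suspicious", score, reasons)
    return Verdict("clean", score, reasons)


# Constructed sample messages covering each outcome.
SAMPLES = {
    "known_bad_link": ("alerts@chase-secure-login.example", "Urgent: verify your account",
                       "Your account is suspended. Log in at https://chase-secure-login.example/login"),
    "lookalike_dyndns": ("security@amaz0n-verify.example", "Action required: confirm your account",
                         "Please verify your details at https://amaz0n-verify.duckdns.org/verify "
                         "or your account will be suspended immediately."),
    "wording_only": ("hr@partner-example.com", "Urgent: please confirm your account details",
                     "Can you confirm the account number for the invoice? "
                     "https://portal.partner-example.com/invoices"),
    "newsletter": ("news@example.org", "Monthly newsletter",
                   "Read this month's issue at https://www.example.org/news"),
}


def run_samples():
    """Triage every constructed sample and return {name: label}."""
    return {name: triage(*msg).label for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = triage(*msg)
        print(f"{name:16s} {v.label:10s} score={v.score:3d} {'; '.join(v.reasons)}")
```

The "wording_only" sample is the interesting case: nothing about its links is wrong, so neither automated layer can condemn it, but the urgency phrasing pushes it into the suspicious band where a trained reader checks it. That is exactly the gap the article says user training exists to cover.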
Human intuition is one of the most powerful tools we have against cyber threats. If something seems suspicious, then it probably is. Criminals are experts in social engineering and deception techniques so it’s vital that we don’t assume something is legitimate if we have even the slightest of doubts. For example, we know that banks will not send SMS text messages requesting further personal information, so immediately these should be treated as suspicious. If in doubt, it’s always worth contacting the addressed company to confirm before acting upon any requests.
The accessibility of phishing kits will keep businesses on their toes. Knowing that any individual could become an amateur phisher is a daunting thought. While they may not have the advanced skills to break through sophisticated defences, if enough of them make you their target, you can be sure they’ll find an overlooked weakness.