As I peruse through the news headlines at the end of each day, and try to figure out what is most relevant to put out on Twitter and Linked In for my readers, there are three common denominators:

*Everyday, there is some data security breach that is occurring, no matter how large or small it is.  In my opinion, it is still probably about the same as 2019;

*Zuckerberg and Facebook are always facing some kind of lawsuit over data privacy;

*Phishing attacks still seem to be the norm.

But, a key difference from this year and 2019 is that as I have mentioned, the Cyberattacker is getting much more sophisticated in how they launch their threat vectors.  But it is important to keep in mind that getting stealthier does not necessarily mean that the Cyberattacker is spending more money in using more advanced tools.

Rather, they are like you and me:  Small business owners, except that their mission statement is a nefarious one.  While we want to help our customers and prospects achieve a better quality of life through the various products and services that we have to offer, the Cyberattacker wants to make their life as painful as possible by stealing their Personal Identifiable Information (PII), and draining them of their financial resources.

In this regard, the Cyberattacker, just like you and me are going to try spend as little as possible in order to get the biggest bank out of their bucks.  So, when we hear in the news about Phishing attacks occurring on a daily basis, we often conjure up the image of a hooded individual sitting in a dark room with computers surrounding him or her. 

But this is far from the truth.  In fact, the perpetrator who is launching these kinds of attacks is probably just the average Joe sitting right next to you at Panera’s or Starbuck’s.

They don’t spend time creating new Phishing techniques, or for that matter, even crafting newer technologies in order to launch their attacks.  Rather, in order to keep their costs down, they make use of already proven tools in order to achieve their specific goals.  How is this possible, you may be asking?  Well, part of this done by making use of the Dark Web, and second, seeing what is available down there for wholesale purchases.

This is further illustrated by the recent study that was conducted by the “Photon Research Team”, from an organization known as Digital Shadows. Their report is entitled “From Minnows to Marlins, the Ecosystem of Phishing”, and it can actually be downloaded at this link:

https://www.digitalshadows.com/blog-and-research/the-ecosystem-of-phishing/

In this market research, it was discovered that a Cyberattacker, through the Dark Web, can easily purchase Phishing based Email templates and cloned websites for as little as $1.88 per page.  When I first read this, I was thinking “Wow, that is really cheap”.  But keep in mind also that in the Dark Web, there are probably hundreds of portals where these illicit Phishing Email templates are bought and sold from, so that is why they are so cheap.

By getting these cloned templates, a Cyberattacker can easily, within a short period of time, create and launch a genuine looking website, but which is really spoofed.  Really in a way, its like using a website creation tool that you can get from an Internet Service Provider at a very cheap price (heck, their prices are even cheaper than the Dark Web ones, one ISP I use charges only $1.00 per month for a website building package).  But getting the templates is just the first step.  The Cyberattacker then has to procure an authentic looking domain name in order to trick a potential victim.

For example, if the Cyberattacker wants to create a spoofed replica of the Walmart online store, he or she can simply register something like wallmart.com.  This is kind of misspelled domain name often goes unnoticed to the untrained eye.  Of course, a Cyberattacker will never register anything that can be noticed over a period of time, like wall-mart.com. 

With the template bundle that the Cyberattacker has purchased, he or she needs to set up Email addresses in order to launch harvesting related attacks in order to hijack the names of contacts and their corresponding Email addresses in order to launch a massive Phishing campaign.

Very often, these bundles from the Dark web come with a set of ten email addresses that can be set up.  These bundles can go for as low as $12.99, up to a high of nearly $20.00.  Once all of this has been put together, the Cyberattacker can then launch their Phishing campaign, targeting hundreds and thousands of unsuspecting victims in just a matter of a few minutes. 

In our example, the Phishing Email could be a fake advertisement special coming from Walmart and directing customers and even potential ones to the bogus domain of wallmart.com.  From here, unfortunately, the victim will think that they are making legitimate purchases, but in the end, they are not.  Once the passwords and credit card info has been submitted, it becomes history from that point onwards.

But even doing all of this can still prove to be a bit much for a Cyberattacker who a novice is still, or simply plain out lazy.  Believe it or not, there is even a solution for this as well.  It is known as “Phishing as a Services”, or “PHaaS” for short.  In this kind of setup, an entire Phishing infrastructure from which to launch very covert and stealthy attacks can be rented for as low as $150 per month.  Never thought things would come to this point LOL.

If a Cyberattacker is savvy enough, he or she will even want to see the metrics that are related to their Phishing campaign.  For example, this can include such items as the following:

*The rate (or speed) of the delivery of the Email messages;

*The Open Rate of the Email;

*The Click Through Rate of the Email.

In fact, there are even spoofed versions of legitimate Email tracking software packages also available on the Dark Web, and one is officially known as the “Atomic Email Tracker”.  Keep in mind that a Cyberattacker will never use a legitimate software application in this regard, in order to keep their tracks covered from law enforcement.

These spoofed packages can be purchased for as little as $2.00 on the Dark web, versus the hundreds of dollars it could cost to get the real thing.

This study also revealed some other interesting statistics:

*Phishing and tactical tutorials/manuals (which is a step by step guide in how to launch a Phishing attack) can be purchased on average for $23.27;

*29% of the spoofed Email templates are targeted towards the retail and E-Commerce storefronts, these can be purchased for $20.33;

*15% of the spoofed Email packages are targeted towards the financial institutions, but these have a higher purchase price of $67.91.

The illustration summarizes this in more detail:

(SOURCE:  https://www.digitalshadows.com/blog-and-research/the-ecosystem-of-phishing/)

My Thoughts On This:

The study provided some quick tips on how a business can help their protect brand from being recreated into a spoofed website:

*Be very careful as to what is posted on the corporate Social Media accounts.  This includes the likes of Facebook, Twitter, LinkedIn, Instagram, Pinterest, etc.  The Cyberattacker of today is harvesting these sites in order to glean as much information and data they can about your company in order to construct a detailed “victim profile”.

*Always keep an eye out for purposely misspelled domain names which cannot be caught easily upon first glance.  So, for example, the IT Security staff at Walmart should be on the lookout for such domain names like wallmart.com, etc. These should be reported as quickly as possible so that these domains can be locked out.

*Deploy other sophisticated Email security measures such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). More details on how to do this can be seen at the link below:

https://www.digitalshadows.com/blog-and-research/security-practitioners-guide-to-email-spoofing-and-risk-reduction/

Boy, its not enough to just simply train your employees these days.  Now, the IT Security staff has even extra task at their hand to make sure that their corporate brand and identity are not at risk also.  When will this madness ever end? 

Probably never.  Remember, Phishing originated all the way back to the early 90’s.  It is still the most favored threat vector and will be that way for decades to come.