
Crims turn to phishing-as-a-service to slash costs and max profits

So says Imperva after trolling the dark web

By John Leyden


Prefab phishing campaigns cost less to run and are twice as profitable as traditional phishing attacks, according to a new study by security vendor Imperva.

Cybercriminals are lowering the cost and increasing the effectiveness of email phishing by buying complete packages of compromised servers and all the other components necessary to run a campaign of phishing attacks. These so-called phishing-as-a-service bundles are cheaper than trying to cobble together an email campaign from scratch. That probably seems obvious to you, but it's useful to see some research confirming it.

For one thing, the tactic is driving an across-the-board increase in phishing attacks.

Phishing is the starting point for most network and data breaches. Imperva researchers began their study by going through listings on dark-web marketplaces. This allowed them to estimate the cost of phishing campaigns and gave them a clearer picture of the business model behind these all-too-commonplace scams.

Based on the costs of the studied campaign – which used phishing pages, a spam server, an email list of 100,000 addresses and access to compromised servers – the overall estimated expense of an unmanaged phishing scam is about $27.65, Imperva estimates.

In addition, they saw that attackers could cheaply obtain access to web servers that had already been compromised by others and use them to host their campaign, which further lowered up-front costs.

Based on the researchers’ analysis of costs, PhaaS is about a quarter of the cost and two times more profitable than a traditional unmanaged phishing campaign, which tends to be more labour intensive. Lowering the costs and technology barriers associated with phishing will almost certainly lead to an increase in phishing campaigns, and the number of people falling victim to these cybercrime operations.

The ease of purchase and low cost of PhaaS campaigns is highly likely to make frauds that rely on tricking marks into handing over login credentials for sensitive websites even more commonplace, Imperva concludes.

“The combination of PhaaS and compromised web servers has significantly lowered the monetary, technological and time investment needed to conduct a successful phishing campaign,” said Amichai Shulman, cofounder and CTO of Imperva. “It’s no longer feasible for enterprises to use the client-side approach of endpoint software to fight phishing attempts, because people continue to click nefarious links in email. One way to slow the attacks is to choke off easy access to compromised servers, which would make the phishing business model more expensive and lower profitability.”

Imperva researchers deconstructed a phishing campaign initiated in mid-June, 2016. The researchers found that people are most likely to take the email phishing bait while at work, rather than at home. Around a third (35 per cent) of successful phishing attacks were activated between 0900 and noon while victims were at work, busy writing and replying to emails. The researchers also found that victims were more likely to enter their username and password to open an email attachment – in this case an Adobe PDF file – than to click on a URL in the email before filling in a web form with their login credentials.

Imperva researchers were able to link the campaign to an Indonesian hacking group that began its “career” with a series of web defacement attacks against targets in the US, Australia and Indonesia. In late 2015, the group graduated to money-making hack attacks against online shops that use the Magento e‑commerce system.

Two-thirds (68 per cent) of the victim credentials harvested by the group did not exist in previously known public breaches (one-third had been breached in the past).

Imperva’s latest Hacker Intelligence Initiative report, Phishing made easy: Time to rethink your prevention strategy?, can be found here [PDF]. An infographic summarising the main findings of the study is here [PDF]. ®
