This blog post is an excerpt of our latest report, “Email-based Threat Intelligence: How to Catch a Phish,” researched and written by the team at Securosis. Download your copy now to learn more about how you can use security intelligence to get quick wins and protect your brand from cybercrime.
Phishing is the front end of a multi-faceted attack, so let’s take a look at the first set of steps in Cloppert’s Kill Chain to show how it applies to phishing. First let’s look at reconnaissance, which starts with picking the brand to target, typically a financial or payment company. APWG statistics (PDF) show that upwards of 65% of phishing targets are financial and payment organizations. Duh. But let’s be clear about why many phishing campaigns target only a few popular brands. Is this just Pareto at work? The real reason is the advent of the phishing kit. Just like malware kits, phishing kits offer a packaged phishing campaign for a very modest price. This takes care of the weaponization step in the kill chain – these kits include everything you need to go phishing, with the exception of domains to host the phishing site. Images, emails, designs, and even a few malware variants are included, which is driving down the average IQ of phishers.
You might think phishing kits need to be constantly updated to keep pace with the constant website changes undertaken by major consumer brands. Not so much – most consumer victims wouldn’t be able to tell a vintage 2009 Wells Fargo site from the latest and greatest. The images and code used on the phishing site tell a story about the attacker and can provide significant intelligence to disrupt the attack, so we will delve into that later in the paper.
The other key link in the phishing kill chain is delivery. The primary delivery mechanism for phishing is email, which requires attackers to evade spam filters. Without going into the details, we know the attackers are rather sophisticated in how they test both delivery of email and the domain names they drive victims to. Just as attackers use VirusTotal and other AV test harnesses, phishing professionals focus quite a bit of effort on testing against common anti-spam engines, because increasing their successful delivery rate has a dramatic impact on profitability. At the end of the day, phishing, like all email attacks, remains a numbers game.
But email isn’t the only delivery vehicle for phishing attacks. Increasingly we see social networks used to deliver links to phishing sites. This gets even trickier in constrained environments like Twitter with built-in link shorteners, because opaque shortened links can easily lead to phishing sites.
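One defensive way to make an opaque shortened link transparent, as an added example that is not from the report: follow the redirect chain with HEAD requests only (no page body is ever fetched or rendered), cap the hop count, detect loops, and then check whether the final host merely embeds a protected brand name instead of being that brand's own domain. The redirect map and the brand list are constructed for this example; `live_fetch_location` is the network-backed variant you would swap in.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Sample brand list (constructed for this example): keyword -> official domain.
BRAND_HOSTS = {"wellsfargo": "wellsfargo.com"}

# Constructed redirect chain (Location headers) standing in for a live shortener; the final host is a made-up lookalike.
CONSTRUCTED_REDIRECTS = {
    "https://short.example/abc": "https://redir.example/r?id=1",
    "https://redir.example/r?id=1": "/landing",  # relative Location header
    "https://redir.example/landing": "https://wellsfargo.example-login.com/secure",
}

def fake_fetch_location(url):
    """Offline stand-in for live_fetch_location, driven by the map above."""
    return CONSTRUCTED_REDIRECTS.get(url)

def live_fetch_location(url, timeout=5):
    """HEAD request returning the Location header without following it; no page body is fetched."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def resolve_chain(url, fetch_location, max_hops=10):
    """Follow redirects and return every URL visited; ValueError on a loop or too many hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch_location(chain[-1])
        if location is None:
            return chain            # final response: chain[-1] is the real destination
        nxt = urljoin(chain[-1], location)  # resolves relative Location headers
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects from {url}")

def brand_lookalike(url, brand_hosts=BRAND_HOSTS):
    """Brand keyword embedded in a host that is not the brand's own domain, else None."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host == off or host.endswith("." + off) for off in brand_hosts.values()):
        return None                 # official domain or a subdomain of it
    flat = host.replace("-", "").replace(".", "")
    return next((b for b in brand_hosts if b in flat), None)
```

Running `resolve_chain("https://short.example/abc", fake_fetch_location)` walks the constructed chain to the lookalike host, and `brand_lookalike` on that final URL returns `"wellsfargo"`, whereas the brand's real subdomains return `None`.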
Learn more about how you can identify phishing threats before they hurt your brand in our free report “Email-based Threat Intelligence: How to Catch a Phish.”