The phishing-as-a-service industry is making easy-to-use phishing attack tools and even full campaigns available at cheap rates. Full-service subscription prices typically vary from $50 to $80 per month, depending on the level of service, and realistic phishing web kits are available to download for as little as $50. Cyren’s research lab has turned up 5,334 new, unique phishing kits deployed to the web so far this year, an indication of the scope and scale of turn-key phishing offerings.
Fig. 1 – Different style scam pages targeting Office 365 credentials on offer from a Phishing-as-a-Service web site—and with a $10 discount!
Phishing-as-a-Service is embedding evasive phishing attacks
A straight line can be drawn between the availability of such kits and turn-key phishing platform services and the growth in evasive phishing, that is, phishing attacks that use tactics to confound detection by email security systems. Today’s reality is that we are seeing more evasive phishing campaigns in the hands of more attackers, at less effort and lower cost than in the past. Technically sophisticated phishing developers have adopted a SaaS business model that lets even the most amateur criminal wanna-be spoof targeted web sites with a high degree of authenticity and with evasive tactics already built in.
87% of kits include evasive phishing techniques
Cyren’s security lab also found that 87 percent of phishing kits sold on the dark web include at least one type of basic evasive phishing technique. Blocking or redirect functions are the most common tactic included, usually implemented as .htaccess access rules or as a small PHP script that checks the visitor’s IP address, host name or user agent before serving the page. One expectation for the future is that developers will begin to combine many phishing techniques together, as we’ve seen with malware. I recall a single piece of malware that did 26 different checks to try and avoid detection; we expect phishing to continue to evolve in this direction, with layers of detection evasion techniques being used.
Fig. 2 – Fake Microsoft log-in page fools even discerning users with legitimate windows.net domain and legitimate SSL certificate
Methods for the madness
Much like the evolution of evasive malware tactics over the past 30 years, professional phishing developers are utilizing more methods to fool automated defenses, and are including those methods in pre-packaged campaigns and phishing services made widely available on the dark web.
Most Common Evasive Phishing Techniques
Among the growing number of phishing techniques being used today to fool automated email security systems, the most common are:
HTML Character Encoding
In this ruse, some or all of a phishing page’s HTML code is encoded, typically as HTML character entities, so that web browsers display it normally while security crawlers reading the raw source cannot make sense of the content. The crawler therefore misses keywords associated with phishing, such as “password” and “credit card” in one example taken from a spoofed PayPal site. The practical consequence for detection is that a scanner has to decode the page the way a browser would before it looks for keywords.
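To make that scanner-side consequence concrete, here is an added example in Python (not Cyren’s code and not taken from any kit) that scans a constructed page fragment in which the form labels are encoded as numeric character references and the visible text is produced through JavaScript unescape() and atob() calls. A keyword scan over the raw source finds nothing; the same scan after undoing the encoding layers a browser would apply finds all three keywords. The page fragment, keyword list and function names are this example’s own assumptions.

```python
import base64
import binascii
import html
import re
import urllib.parse

# Constructed sample in the style of an encoded phishing page (not a real kit):
# labels are numeric character references, visible text comes from
# unescape()/atob() calls, so the raw bytes contain no phishing keyword.
SAMPLE_PAGE = """
<html><body>
<form action="post.php" method="post">
<label>&#69;&#109;&#97;&#105;&#108;</label><input name="u">
<label>&#x50;&#x61;&#x73;&#x73;&#x77;&#x6f;&#x72;&#x64;</label><input name="p">
</form>
<script>document.write(unescape('%3Cp%3EEnter%20your%20credit%20card%3C%2Fp%3E'));</script>
<script>document.write(atob('PGgxPlBheVBhbDwvaDE+'));</script>
</body></html>
"""

KEYWORDS = ("password", "credit card", "paypal")  # assumed watch-list

_UNESCAPE_CALL = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")
_ATOB_CALL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]*)['\"]\s*\)")


def deobfuscate(page: str) -> str:
    """Undo the encoding layers a browser applies before rendering.

    1. HTML character references (&#112; &#x70; &amp;) in markup and text.
    2. Percent-encoded strings handed to JavaScript unescape().
    3. Base64 strings handed to JavaScript atob(); invalid base64 is left as-is.
    """
    text = html.unescape(page)
    text = _UNESCAPE_CALL.sub(lambda m: urllib.parse.unquote(m.group(1)), text)

    def _decode_atob(m):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return m.group(0)

    return _ATOB_CALL.sub(_decode_atob, text)


def find_keywords(text: str, keywords=KEYWORDS) -> list:
    """Case-insensitive keyword hits, in watch-list order."""
    lowered = text.lower()
    return [k for k in keywords if k in lowered]


if __name__ == "__main__":
    print("raw scan:    ", find_keywords(SAMPLE_PAGE))
    print("decoded scan:", find_keywords(deobfuscate(SAMPLE_PAGE)))
```

The three decoders above cover the encodings in the sample only; a real kit may nest them (base64 inside a percent-encoded string) or build strings with String.fromCharCode, so a production scanner should decode iteratively until the text stops changing, or simply render the page in an instrumented browser and scan the DOM.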
Block Lists
This is the technique most regularly incorporated into phishing kits. Phishers employ block lists for connections from specific IP addresses and hosts in order to keep security systems and security analysts from evaluating and seeing the true nature of a phishing site, and to prevent access from security bots, crawlers and other user agents that search for phishing sites, such as Googlebot, Bingbot or Yahoo! Slurp. When someone on the block list tries to access the page, they are usually presented with a “404 page not found” message, so an automated system records a dead page rather than a credential form.
URLs in Attachments
A growing phishing trend over the past year has been to hide the link in an attachment rather than placing it in the body of the email, in order to make detection more difficult: a gateway that extracts and checks URLs only from the message body never sees it. A typical example is a simple PDF constructed of images and made to look like a OneDrive document, with a single button that links to a phishing site.
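The added Python example below (not Cyren’s code) shows what closing that gap looks like on the scanner side. It constructs a minimal PDF containing link annotations with URI actions, the structure behind the “open document” button described above, pulls the URIs out of the raw file, and returns them alongside the body links so both get the same reputation check. The PDF, the message body and the function names are this example’s own constructions.

```python
import re

# Constructed minimal PDF standing in for the lure attachment: one page whose
# only interactive content is two link annotations with URI actions (one as a
# literal string, one as a hex string). No images; the cross-reference table
# is omitted because this scan does not need it. Not a real attachment.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [200 300 400 340]
   /A << /S /URI /URI (http://onedrive-share.example.net/open?id=1) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [200 200 400 240]
   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6f72672f78> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_BODY = "Hi, the Q3 report is in the attached document. Thanks!"  # constructed; no URL

# PDF literal strings are (...) with backslash escapes; hex strings are <...>.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
_BODY_URL = re.compile(r"https?://[^\s<>\"']+")


def _unescape_pdf_literal(raw: bytes) -> bytes:
    # Handles \( \) \\ which is enough for URLs; octal escapes are left as-is.
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw, flags=re.S)


def extract_pdf_uris(pdf: bytes) -> list:
    """URI actions visible in the raw file, decoded to str and sorted.

    Caveat: objects packed into compressed object streams are invisible to a
    raw scan, so a production scanner must inflate streams with a real PDF
    parser first or this check is trivially bypassed.
    """
    uris = [_unescape_pdf_literal(m) for m in _URI_LITERAL.findall(pdf)]
    uris += [bytes.fromhex(h.decode("ascii")) for h in _URI_HEX.findall(pdf)]
    return sorted({u.decode("latin-1") for u in uris})


def collect_clickable_urls(body: str, attachments: list) -> dict:
    """Every URL the recipient could click, keyed by where it lives.

    Attachment links are returned next to body links so the same
    URL-reputation and detonation checks run on both.
    """
    found = {"body": sorted(set(_BODY_URL.findall(body)))}
    for name, data in attachments:
        if data.startswith(b"%PDF"):
            found[name] = extract_pdf_uris(data)
    return found


if __name__ == "__main__":
    print(collect_clickable_urls(SAMPLE_BODY, [("report.pdf", SAMPLE_PDF)]))
```

The body scan returns nothing for this message, which is exactly the blind spot the lure relies on; the attachment scan returns the two links the button would open. Other attachment types (Office documents, HTML files) need their own extractors, and an image-only PDF with no annotation at all may instead rely on the user retyping a URL shown in the picture, which no link extractor will catch.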
Content Injection
This is not a new technique but a tried and true one: part of the content on a page of a legitimate website is changed so that it leads to the phisher’s page. Because the link sits on a site the user already trusts, it lulls the user and complicates detection. The unsuspecting user is then taken to the phishing page, outside the legitimate website.
Legitimate Cloud Hosting
This is a tactic that has grown significantly recently. By hosting phishing websites on legitimate cloud services such as Microsoft Azure, phishers present a legitimate provider domain and a valid SSL certificate, lulling even the most attentive user into thinking a given phishing page is trustworthy. The certificate, however, only proves that the connection is encrypted to whoever controls that subdomain, and on shared cloud hosting anyone with an account controls one. Further, many security vendors whitelist the providers’ domains wholesale, so a phishing page hosted there inherits that trust.
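Since the domain and certificate are genuine by construction, the only thing left to inspect is the customer-controlled part of the URL. The added Python example below (not Cyren’s code) scores a URL by looking for brand and sign-in words in the tenant label in front of a shared-hosting suffix and in the path, and rejects allow-list entries that would cover an entire shared suffix. The suffix list, the brand terms and the function names are this example’s own assumptions, and the result is a triage signal, not a verdict.

```python
from urllib.parse import urlparse

# Constructed, illustrative list of suffixes under which any customer can
# create a sub-domain and automatically receive a valid TLS certificate from
# the provider. Not exhaustive; maintain it from your own telemetry.
SHARED_HOSTING_SUFFIXES = (
    ".blob.core.windows.net",
    ".web.core.windows.net",
    ".azurewebsites.net",
    ".s3.amazonaws.com",
    ".web.app",
)
# Brand and credential words a tenant hosting a legitimate file share would
# rarely put in its own account name or path. Assumed watch-list.
BRAND_TERMS = ("office", "office365", "o365", "microsoft", "onedrive",
               "sharepoint", "outlook", "login", "signin")


def shared_suffix_of(host: str):
    """The shared-hosting suffix the host sits under, or None."""
    for suffix in SHARED_HOSTING_SUFFIXES:
        if host.endswith(suffix) and host != suffix.lstrip("."):
            return suffix
    return None


def assess_url(url: str) -> dict:
    """Triage signal for a URL on legitimate cloud hosting.

    The padlock is not evidence either way: a certificate for
    tenant.blob.core.windows.net is issued to whoever created 'tenant'.
    Brand or sign-in words in the tenant label or path are the signal.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    suffix = shared_suffix_of(host)
    tenant = host[:-len(suffix)] if suffix else ""
    haystack = " ".join((tenant, parts.path.lower(), parts.query.lower()))
    brands = [term for term in BRAND_TERMS if term in haystack]
    return {
        "host": host,
        "shared_suffix": suffix,
        "tenant_label": tenant,
        "brand_terms": brands,
        "suspicious": bool(suffix and brands),
    }


def allowlist_scope_ok(entry: str) -> bool:
    """Reject allow-list entries that cover a whole shared suffix.

    Allow-listing '*.blob.core.windows.net' allow-lists every tenant,
    including the phisher's; entries must name a full host.
    """
    entry = entry.lower().lstrip("*.")
    return not any(entry == suffix.lstrip(".") for suffix in SHARED_HOSTING_SUFFIXES)


if __name__ == "__main__":
    for u in ("https://office365-sharedfiles.blob.core.windows.net/login/index.html",
              "https://mycompanyreports.blob.core.windows.net/q3.pdf",
              "https://login.microsoftonline.com/"):
        print(assess_url(u))
    print(allowlist_scope_ok("*.blob.core.windows.net"))
```

The heuristic will flag some legitimate tenants that happen to use a brand word in their account name, which is the intended trade-off: on shared hosting the suffix cannot carry reputation, so those hits go to a reviewer rather than being auto-allowed because the certificate validated.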
The accompanying recording provides a 5-minute walk-through of evasive phishing tactics and attack examples, including a breakdown of the code behind them.
Phishing-as-a-service is effective
The impact on organizations everywhere is quite clear. According to survey data from Osterman Research, in 2018 44% of organizations reported that they suffered at least one successful phishing attack, up from 30% in 2017; the figure rises to 54% for organizations using Office 365. In the same survey, respondents estimated that the total volume of phishing emails reaching their users was up 25% last year, and that targeted spear-phishing emails were up 23%.