Occasionally all of us stumble upon some news from the information security industry, often covering consequences of recent cyber attacks or data breaches that occurred as a result.
This information is forming our understanding of the security landscape, but it isn’t systematic and mostly resembles a set of do’s and don’ts that we might keep in mind, for a while. Not everyone has time to research and ingest relevant content on a regular basis.
Consequently, threat actors and coverage of their malicious activity is regarded as “something that my AV or IT guy should deal with.” This approach is naive and there are plenty of individuals and organizations that have learned it the hard way through breaches and data loss. Researchers and security awareness pros agree that security habits and awareness training must be an ongoing and collective task for all organizations.
Awareness training should provide users with a 360-degree view of the modern security landscape both from the security side and that of the threat actors. In a way, the user is the prize in a battle of 2 rival ecosystems. However, users who understand the risks and are informed about the underlying connections between different types of malware and possible attack vectors are less likely to be hacked.
In order to know the enemy better, today we will discuss email phishing business and social engineering attacks popular among hackers for stealing credentials or spreading malware. We will also point out the details of cybercrime economy, trade and new business models among hackers operating on the Dark Web.
Why Is Phishing Security Important?
Phishing goes hand in hand with ransomware and other malware often serving as the “delivery method”. According to Cybersecurity Ventures, ransomware damage costs for 2017 were estimated at $5 billion in May 2017. However, long-term follow-up estimates published in November that year set the bar much higher. Global damages are predicted to exceed $11.5 billion annually, with businesses attacked nearly every 14 seconds by the end of 2019. The threat landscape is expanding, phishing business is prosperous and more adversaries are joining the hunt for money and sensitive data. There are no signs of it stopping in the foreseeable future, so staying informed is crucial to every internet user.
Furthermore, according to PhishLab’s 2017 Phishing Trends and Intelligence, threat actors have been adjusting the way of monetizing attacks, shifting from simply using a victim’s credentials to immediately steal the money to reusing credentials in hopes of gaining access to more accounts.
Monetization types are also diversifying.
Now it is increasingly common to sell massive sets of credentials on Dark Web marketplaces. In line with the changing approach, cyber crooks have become more focused on obtaining victim’s’ phone numbers due to growing usage of 2-factor authentication.
What Is the State of the Phishing Threats?
Verizon Data Breach Investigations 2017 report shows that phishing and social engineering techniques represented “98% of incidents and breaches that involved social action.” A whopping 95% of phishing attacks leading up to a breach involved malware installation. In general, in 66% of cases, malware installation occurs via email as attachments. The findings are based on a data set of 1616 incidents and 828 confirmed disclosures.
Email is the primary channel for malware delivery. Source: 2017 Verizon Data Breach Investigations Report
Interestingly, according to data from organizations contributing to reports, 7.3% of more than 3 million unique users have been lured into clicking malicious link or opening an attachment. Moreover, 15% of those who fell victim once, were tricked for the 2nd time. 3% clicked more than twice. A small amount of users clicked more than 3 times. These stats shouldn’t be attributed solely to users’ gullibility, because threat actors are constantly improving the quality of their spoof emails.
What is Driving Phishing Attackers?
he findings on motivation of threat actors listed in Verizon DBIR are in line with observations made by other researchers: 66% of cases involving social action are financially motivated, with espionage occupying the second place with 33% respectively. Other reasons adversaries engage in phishing include fun, ideology (hacktivism), and holding a grudge (ex-employees).
Motivation behind malware distribution and attacks according to 2017 Verizon Data Breach Investigation Report
The Dark Web and the Shadow Economy of Phishing Business
From an adversary prospective, phishing is an effective tool, powering their lucrative business. As already mentioned, they monetize in several ways, some of them staying invisible to general public.
While most of us are using the visible web (the part of internet indexed by search engines ) or the Deep Web (the part of the web not indexed by search engines like your email account), adversary dealings, like selling victims’ personal data occur in the “walled off” segment of the internet, known as the Dark Web.
One of the motivators for using the Dark Web is that it’s not accessible without special software. Its decentralization and greater anonymity of communication protocols are among other reasons why government agencies and and law enforcement are not able to regulate it stringently, with the exceptions of occasional takedowns of separate Dark Web websites. Still it doesn’t mean that Dark web is 100% anonymous and not monitored at all — buying a bomb on one of the websites can get you jailed.
There is no lack of marketplaces where various illegal goods are sold, ranging from drugs to credit card credentials and malware. Payments are processed in cryptocurrency (Bitcoin, Monero, etc.) which contributes to even greater anonymity, if certain precautions are met. Due to this, hacking communities are quite active on the Dark Web and one can find a variety of services for sale and hackers for hire.
It Is Easier Than Ever to Start a Phishing Business
A big part of the Dark Web economy that supplies security researchers with new threats to work on every day is based on evolution of the malware business model. Nowadays coding skills are not a prerequisite for someone who decides to make money from distributing malware or enter the phishing business “niche”. The entry-level is considerably lower due to new types of offers promoted on the Dark Web and on some hacking forums on the visible web. They are known as Ransomware as a Service (RaaS) or Phishing as a Service (PhaaS). The business model is borrowed from legitimate software vendors.
Basically, you no longer have to write malicious code yourself. You can buy it!
Highly skilled malware authors do the hard work of creating a RaaS or PhaaS software that they offer to less experienced criminals. In some cases, they may go even further to develop a sort of affiliate platform that combines a stats dashboard and control panel their customers can use.
Cyber crime is becoming more organized and structured, just like their opposition in infosec and AV industry. Adversaries implement organization models where each participant takes on certain set of tasks, from development of specific hacking tools, to marketing and distribution via numerous Dark web outlets. Hackers offer full scale services with support and infrastructure for rent, acting very much like software as a service (SaaS) companies.
Virtually anyone who’s able to get on the Dark Web, can pay an RaaS author to start an extortion campaign of their own. RaaS distribution may be taken care of by purchasing a PhaaS product and a database of email addresses to send to. Threat authors use different payment models,from one-time payment to fixed revenue share percentage for every victim paying ransom. Some RaaS “products” are built on the basis of certain ransomware families and their further customization evokes more new strains that circulate on the web.
Let’s take a glimpse at some of the Dark Web marketplaces that offer hacking tools and services.
Dark web marketplaces offer guides on phishing business, malware distribution as well as stolen personal data.
There is a number of marketplaces selling hacking tutorials and various types of personal data such as emails, credit card info, social security numbers etc.
Sellers have ratings and buyers are able to leave reviews based on their experience, much like on legit websites across the visible web. Dark web actors embrace customer service practices by offering “satisfaction guarantee” policies and “support.” However, fraud is widespread on Dark web, it’s scammers trading with scammers, after all.
This RaaS (Ransomware as a service website), called “Ranion” has been around for a while, offering configured and compiled ransomware tool along with Dark web based Command and Control Dashboard. It allows threat actors to operate the extortion business and collect ransom covertly . Ransomware authors are offering several packages with varying set of features, depending on price. They boast using unbreakable encryption too. Notice the phony disclaimer saying: “Our products are for educational purposes only” — fairly weak attempt at humor.
Ranion RaaS main page
Ranion Ransomware FAQ provides information for potential buyers, including the type of files it encrypts, support and paid addons. Ironically, RaaS authors even promise to take care of buyers’ privacy with their no-logging server policy.
Ranion RaaS FAQ: support, privacy and other info to convince “potential customers”
Finally, the most interesting section of Ranion RaaS website, Reviews. Site owners proudly link to legitimate security website Bleepingcomputer that posted an article about their “product”.
Ranion RaaS Reviews section
One more RaaS listing on one of the hacking forums I came across on Dark web. It is called “Princess” and has detection bypass and evasion functionality built into it. Crooks also claim that no free decryptor exists and won’t exist in future.
Conditions listed in “Partnership” section resemble those of legitimate software vendors advertising their offer to affiliates on ad network, including commission structure. They propose 60% Revenue share deal between the criminal group and ransomware distributors, which is a pretty standard deal. Other traditional services that affiliates normally request from the program like partner dashboard,support and product localization are also provided.
Princess RaaS authors recruiting distribution partners on Dark web hacking forum
Dark web is also a place where less ethical hackers offer their services, here’s an example for you to take a look at.
Rent-A-Hacker website contains “product packages” and hacker’s “CV”
A Final Word on Phishing Business
Email is one of the handiest inventions that accompanied the Internet, but at the same time it’s an Achilles heel of personal online security and IT infrastructure. Changes in the cybercrime ecosystem and growing availability of on-demand malware require new approaches from users and organizations.
The old paradigm, which relied on endpoint protection and signature-based detections, isn’t viable in the present day threat landscape. Cyber crooks constantly innovate and a failure to keep up will most likely result in financial losses or data breaches. Modern enterprise security should be aimed at prevention, proactive monitoring and sandboxing techniques deployed across the vast infrastructure. An appropriate level of automation is crucial in order for IT teams to maintain control,visibility and take full advantage of email security frameworks.
Companies investing in continuous employee training including simulated phishing attacks, are more likely to avoid the consequences of network security attacks and identify employees whose safety skills may need improvement.