Phishing is a business, and business is booming. The recent Verizon Data Breach Investigations Report found phishing to account for over 90 percent of security incidents and breaches. In fact, Duo research conducted on 150,000 users in the past year shows that it only takes 12 minutes from the start of a phishing campaign for someone to be compromised.
Attackers are always on the lookout for ways to increase their return on investment and, as a result, often reuse phishing sites across multiple campaigns by bundling site resources into a phishing kit. This kit is then uploaded to a (typically compromised) server and phishing emails are sent which direct people back to the new phishing site. Duo's own analysis has uncovered how cyber-criminals are sometimes lazy, leaving the phishing kits behind for anyone to download.
So how do these phishing kits work? First, the legitimate website is cloned and the login page changed to quietly direct users to a credential-stealing script. These modified files are then bundled into a zip file – which hackers can then reuse – and uploaded to a compromised website, after which phishing emails are sent with links pointing to the site, encouraging users to log in. Once the credentials are stolen, victims are redirected back to the legitimate site, where they assume they simply entered their details incorrectly. The ability to reuse these kits is beneficial for attackers because phishing sites are often quickly shut down; this mass credential phishing is all about quantity, not quality. The availability of these kits also means that even those with fewer technical skills can undertake phishing campaigns.
Phishing kit reuse is rife, with Duo research showing that 27 percent of 3,200 kits were found on more than one website host, with two kits found on more than 30. It could be said that this is a low figure compared to initial expectations, but it should be noted that for the study mentioned above, phishing kits were only monitored for 30 days whereas a longer time period could identify more instances of reuse. Additionally, Duo measured unique kits based on the cryptographic hash of the phishing kit's content. This means that some of the kits may have used the same files with only minor alterations, but this would change the hash, making the kit seem unique.
Baiting the hook
Attackers know that intelligence services such as PhishTank, OpenPhish and countless other security companies are dedicated to removing phishing sites quickly. Thus, to keep their phishing sites active, attackers must take evasive measures. For example, cyber-criminals will often add a configuration file called an .htaccess file to their phishing kits which blocks connections from the IP addresses used by threat intelligence services. Attackers will also sell, trade or give away their phishing kits to other criminals. However, more enterprising attackers take this opportunity to hide backdoors in the kits, giving themselves additional access to compromised hosts.
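As an added example (not Duo's tooling or code from this article), the following Python shows why the whole-archive hash used in the study undercounts reuse, and a defender-side alternative: fingerprint each file so a kit with one altered script still matches its siblings, and flag any .htaccess deny rules of the kind described above. All archive contents are constructed sample data and the function names are hypothetical.

```python
import hashlib
import io
import zipfile


def build_kit(post_script: str) -> bytes:
    """Build a constructed sample kit archive in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("login.html", "<form action='post.php'>cloned login page</form>")
        zf.writestr("style.css", "body { font-family: sans-serif }")
        zf.writestr("logo.png", b"\x89PNG constructed placeholder")
        zf.writestr("post.php", post_script)
        # Constructed .htaccess with a deny rule (TEST-NET range), the evasion trick the article describes.
        zf.writestr(".htaccess", "order allow,deny\ndeny from 203.0.113.0/24\nallow from all\n")
    return buf.getvalue()


def kit_hash(blob: bytes) -> str:
    """Whole-archive fingerprint, the unit of uniqueness used in the 30-day study."""
    return hashlib.sha256(blob).hexdigest()


def file_hashes(blob: bytes) -> set:
    """Per-file (path, sha256) pairs, so a one-file edit does not hide reuse."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {(n, hashlib.sha256(zf.read(n)).hexdigest()) for n in zf.namelist()}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of two kits' file-hash sets (1.0 = identical contents)."""
    ha, hb = file_hashes(a), file_hashes(b)
    return len(ha & hb) / len(ha | hb)


def htaccess_deny_rules(blob: bytes) -> list:
    """Return 'deny from' lines found in any .htaccess, a sign of takedown evasion."""
    rules = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == ".htaccess":
                text = zf.read(name).decode("utf-8", "replace")
                rules += [ln.strip() for ln in text.splitlines()
                          if ln.strip().lower().startswith("deny from")]
    return rules


# Two constructed kits that differ only in the credential-collecting script.
KIT_A = build_kit("<?php /* constructed stand-in, variant A */ ?>")
KIT_B = build_kit("<?php /* constructed stand-in, variant B */ ?>")

if __name__ == "__main__":
    print(kit_hash(KIT_A) == kit_hash(KIT_B))   # False: one edited file changes the whole hash
    print(round(similarity(KIT_A, KIT_B), 2))    # 0.67: four of six distinct files are shared
    print(htaccess_deny_rules(KIT_A))
```

Comparing kits by per-file hashes (or a similarity threshold) rather than by a single archive hash is one way to recover reuse that the study's method would count as two distinct kits.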
And what of these hosts? Research has found that WordPress is a common target, though the problem is more widespread. Any unpatched, out-of-date content management system is a potential opportunity for an attacker. This is why it is critical to keep systems and software up-to-date.
Another issue to consider is that sites hosting phishing kits are increasingly serving their content over HTTPS, meaning we may need to reconsider how much emphasis we as users place on the “secure” indicator within a website browser.
The phishing frenzy
It's clear the phishing economy is on an upward trajectory, with recent research reporting a 600 percent surge in the number of malicious URL emails in Q3 2017. However, there are policies and procedures which can be implemented to help prevent users from falling victim to a phishing attack:
● Enable two-factor authentication for every login. Even if online criminals manage to steal usernames and passwords, they can't log into any accounts without possession of the necessary mobile devices.
● Assess risks by conducting phishing simulations. Evaluate your company's likelihood of being phished by using a phishing simulator tool. This data can then be used to educate users and employees, as well as helping make security budget decisions.
● Always stay vigilant. Watch for typos or other signs the email may not be legitimate, especially if you weren't expecting the email. Before entering your credentials, check to make sure the web address you're on is the site you expect.
● Use a password manager. Password managers are a great way to not only generate unique, strong passwords, but they also work to make sure you are on the site you expect to log in to before supplying your credentials.
● Identify and update software on devices. Exploit kits and malware downloaders prey on out-of-date software to compromise them. Identify any old software on corporate devices, and encourage employees to update personal devices, to reduce the risk of being compromised.
By better understanding how cyber-criminals are operating, and taking the necessary precautions to ensure employees are aware how to identify suspicious emails, organisations are better placed to mitigate the risks posed by these malicious activities.
Contributed by Jordan Wright, senior R&D engineer, Duo Security
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.