Imperva, Inc. (NYSE:IMPV), committed to protecting business-critical data and applications in the cloud and on-premises, today released its new Hacker Intelligence Initiative (HII) Report: Phishing made easy: Time to rethink your prevention strategy? In the report, researchers at the Imperva Defense Center expose how cybercriminals are lowering the cost and increasing the effectiveness of phishing by leveraging compromised servers and turnkey phishing services, which are the key drivers of the overall increase in phishing attacks.
The 2016 Verizon Data Breach Investigations Report (DBIR) shows a resurgent pattern of people falling prey to phishing campaigns, with 30 percent of recipients in this year’s dataset opening phishing emails. This is alarming given that phishing is the starting point for most network and data breaches. With this in mind, Imperva researchers deconstructed a phishing campaign initiated in mid-June, 2016. Among the most surprising findings was the low cost of launching a phishing campaign and the high projected return on investment for cybercriminals.
Imperva researchers browsed the darknet marketplace to estimate the cost of phishing campaigns and to get a clear picture of the business model. They observed the ease of purchase and low cost of Phishing-as-a-Service (PhaaS) campaigns. In addition, they saw that hackers were easily able to hijack compromised webservers for their campaign, which further lowered the investment needed. Based on the researchers’ analysis of costs, PhaaS is about a quarter of the cost and two times more profitable than a traditional unmanaged phishing campaign, which is skill and labor intensive. Unfortunately, lowering the costs and technology barriers associated with phishing is sure to lead to an increase in phishing campaigns, and the number of people falling victim to these campaigns.
Following the trail of the hackers, the researchers could garner a surprising amount of data on both the victims and the hackers’ social engineering techniques. Diving into the data on victims, it became clear that people were most likely to take the email phishing bait during the hours of 9 a.m. to noon while at work when they were busy writing and replying to emails. Additionally, victims were more likely to enter their username and password to open an email attachment – in this case an Adobe PDF file – than to click on a URL in the email and blindly log in.
The researchers linked the campaign to an Indonesian hacking group that began its “career” with a series of defacement attacks, a form of electronic graffiti, against targets in the U.S., Australia and Indonesia. In late 2015, the group moved on to financially motivated hacking and have been able to mount and actively maintain three different campaigns involving Outlook Web Applications, Wells Fargo’s Online Banking and an Adobe PDF campaign. This group also has been linked to campaigns that use vulnerability scanners for online shops that use the Magento e-commerce system.
“The combination of PhaaS and compromised web servers has significantly lowered the monetary, technological and time investment needed to conduct a successful phishing campaign,” said Amichai Shulman
, co-founder and CTO of Imperva. “It’s no longer feasible for enterprises to use the client-side approach of endpoint software to fight phishing attempts because people continue to click nefarious links in email. One way to slow the attacks is to choke off easy access to compromised servers, which would make the phishing business model more expensive and lower profitability. Web applications are ubiquitous today, and web application security needs to be widely adopted to stem the growth of phishing and protect valuable data and applications.”