The phishing ecosystem has evolved at a rapid rate. New and emerging tactics and techniques ensure phishing remains a consistent threat to enterprises. It’s time to step back and ensure defenders are well-aligned. This requires a deeper dive into the anatomy of a phishing attack and the ecosystem that supports them in today’s threat landscape.
On the bright side, as these attacks persist, phishing ecosystems also provide context for researchers on successful operations and ways threat actors leverage stolen data from them. In this post, the ZeroFox Threat Research team reviews the evolved phishing ecosystem and details the anatomy of a phishing attack that thrives within.
Identifying the Groundwork Anatomy of a Phishing Attack
The first step in understanding the anatomy of a phishing attack is to identify the groundwork they thrive in. Behind many phishing campaigns is a supply chain designed to facilitate attacks and return a profit for the threat actors perpetrating them. Across dark web marketplaces and covert channels, buyers and sellers trade source code, victim data, access to services and tools disguised as legitimate services, and specialist equipment to scale phishing attacks beyond an individual threat actor’s capability. Luckily, there are indicators within this groundwork that can be monitored before a phishing attack. Two popular methods include phishing kits and cyber puppeteer kits.
Before beginning a phishing attack, the threat actor must obtain or create the code to render the phishing page to the victim. This commonly involves the threat actor obtaining an archive (.zip) containing pre-compiled code and resources, commonly referred to as a phishing “kit.” This kit can be easily deployed to a web host to create a phishing page. They are bought and sold via various channels, with more sophisticated threat actors authoring kits based on demand. ZeroFox has observed several new phishing kit variants produced from popular phishing-kit-as-a-service providers targeting various brands. Such kits are offered by private online stores, where threat actors purchase and register their active deployments. The screenshot below shows a private store selling phishing kits that target multiple brands and platforms.
These kits have varying levels of features, much like a SaaS product. They have gained traction and become popular because they offer a high return on investment for threat actors. Learn more about how to proactively identify a phishing kit in our blog post highlighting key takeaways from ZeroFox Senior Director of Threat Intelligence, Zack Allen’s presentation on the topic.
Cyber puppeteer kits, on the other hand, are more personalized, interactive and successful than the traditional phishing kit. This makes them a substantial threat. A cyber puppeteer kit, also referred to as a “live panel” among the threat actors that operate them, is a new breed of phishing kit designed almost exclusively to facilitate phishing attacks against the financial services industry. They are referred to as cyber “puppeteer” kits because the workflows are advanced, very dynamic and require live interaction between the victim and the threat actor. The threat actor is essentially “pulling the strings” of the victim, guiding them through a series of pages to unwittingly authorize access to their account.
ZeroFox Senior Threat Researcher Chris Bayliss shared a pre-recorded video showing a kit in action to demonstrate how this interaction occurs between the victim and the attacker. Take a closer look and watch the complete webinar to learn more.
Identifying the Ecosystem of a Phishing Attack
Our threat researchers have noticed that, regardless of the threat actor or group behind the activity, the participants tend to fall into a few buckets: operator, developer, infrastructure broker and the illicit market.
You could be dealing with any combination of these types of personas, but the basic premise is that they all have the same goal in mind in the phishing game: to make money. Operators within this ecosystem perform spam campaigns in a flywheel-like fashion. The more they complete the flywheel shown below, the faster and more efficient they become.
The campaign is initiated and deployed in outreach (emails, text messages or more) where victims are directed to the phishing website. The kit excels at blocking any type of automated security scanner; meanwhile, victims begin providing data threat actors are seeking. The operator collects the data in several ways and stores the information to retrieve and list for future use.
The Anatomy of Selling Victim Data After a Phishing Attack
Collected data is commonly sold in the form of “fullz,” meaning full credential or credit card information has been obtained from the victim. The method of selling can vary depending on the actor’s capabilities but is generally done either in bulk for a set cost or on a per-account basis. Costs vary based on the value or assets of the compromised account, as shown in the screenshot below. This is standard for accounts with access to monetary funds such as banks. Sellers may also agree to sell access at a reduced cost in exchange for a percentage of the purchaser’s returns from “cashing out” the account.
Phishing Research and Disruption
As mentioned earlier, phishing attacks and kits are designed for ease of use and deployment. It is common for these kits to call assets directly from the targeted brand’s website or content delivery network (CDN). This leaves a trail in infrastructure you control, such as web server referrer logs. An effective detection method is to look for these assets being requested from referrer URLs structured in specific ways. Reviewing the referrer logs for any request for an organization’s legitimate logo that originates from a URL matching such a pattern will lead researchers directly to active deployments.
ZeroFox’s internal tools allow the threat research team to collect hundreds of unique phishing kits a day to determine exactly what phishing kit is behind an active phishing page. This insight enables our team to enrich the automated analysis of these domains and pull extra information such as victim data, weaknesses within the code and information on the threat actor themselves. Solutions such as web beacons can also be leveraged. These can be proactively embedded within designated sites and assets. When a phishing kit pulls from these resources, immediate action can be taken to begin the threat disruption process.
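The following is an added example, written for this post and not a ZeroFox tool, of the two detection ideas above: scanning web server referrer logs for requests for a brand asset (the logo) that come from sites you do not own, and treating a hit on a deliberately planted web beacon asset the same way. The asset paths, the `example-bank.com` domains, the suspicious-path keyword list and the log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assets worth watching (hypothetical paths): the brand logo a kit tends to
# hot-link, and a beacon asset we planted so that only a copied page would load it.
WATCHED_ASSETS = {
    "/static/img/logo.svg": "brand-logo",
    "/static/css/beacon-7f3a.css": "web-beacon",
}

# Hosts allowed to embed these assets (hypothetical organisation domains).
OWN_DOMAIN = "example-bank.com"
OWN_HOSTS = {OWN_DOMAIN, "www." + OWN_DOMAIN, "cdn." + OWN_DOMAIN}

# Constructed heuristic: referrer paths that look like credential-harvesting pages.
SUSPICIOUS_PATH_RE = re.compile(r"(login|signin|verify|secure|update|account)", re.I)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding if a watched asset was pulled from a foreign referrer, else None."""
    asset = WATCHED_ASSETS.get(urlsplit(entry["path"]).path)
    if asset is None:
        return None
    ref = entry["referer"]
    if ref in ("", "-"):
        return None  # no referrer: direct load, nothing to attribute
    parts = urlsplit(ref)
    host = (parts.hostname or "").lower()
    # Exact match or a true subdomain of our own domain is legitimate.
    if host in OWN_HOSTS or host.endswith("." + OWN_DOMAIN):
        return None
    # A beacon should never load from elsewhere; a logo from a login-looking path is also strong.
    severity = "high" if asset == "web-beacon" or SUSPICIOUS_PATH_RE.search(parts.path) else "medium"
    return {
        "asset": asset,
        "origin": f"{parts.scheme}://{parts.netloc}",
        "referrer": ref,
        "client_ip": entry["ip"],
        "severity": severity,
    }


def find_kit_deployments(log_text):
    """Scan log text and return findings in log order (malformed lines are skipped)."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings


def unique_origins(findings):
    """Distinct foreign origins hosting a suspected deployment, sorted."""
    return sorted({f["origin"] for f in findings})


# Constructed sample log lines (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /static/img/logo.svg HTTP/1.1" 200 2326 "https://www.example-bank.com/login" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2023:13:56:01 +0000] "GET /static/img/logo.svg?v=2 HTTP/1.1" 200 2326 "https://secure-examp1e-bank.xyz/online/login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:40 +0000] "GET /static/css/beacon-7f3a.css HTTP/1.1" 200 512 "http://203.0.113.7/bank/verify/" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:57:02 +0000] "GET /static/img/logo.svg HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:30 +0000] "GET /index.html HTTP/1.1" 200 9000 "https://unrelated.example.net/page" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:58:11 +0000] "GET /static/img/logo.svg HTTP/1.1" 200 2326 "https://blog.partner.example/news" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in find_kit_deployments(SAMPLE_LOG):
        print(f["severity"], f["asset"], f["referrer"], "from", f["client_ip"])
```

Run against real logs, the medium-severity hits will include legitimate third parties (partners, news sites) that embed your logo, so the host allow-list needs tuning; the beacon hits do not have that problem, which is why a planted asset is the cleaner signal of a copied page.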
Additionally, Phishpond is a resource the ZeroFox Threat Research team developed to help analyze phishing kits. This tool aims to help defenders and researchers examine phishing operators’ and developers’ tactics, techniques, and procedures (TTPs). The tool is readily available and can be leveraged to find exfiltration endpoints quickly, identify weaknesses in phishing kits and uncover additional intelligence, fingerprint known kits or find new ones.
Preparing for What’s to Come
It is of utmost importance for security teams to follow routine recommendations and strategize regarding additional ways to defend against new security vulnerabilities. However, taking the minimum amount of recommended security precautions is not enough in today’s threat landscape.
As phishing campaigns become more sophisticated and widespread, organizations should continue to take steps to minimize the risk of becoming the next victim of a cyber-attack. Adversaries will continue to evolve their tactics in new, effective ways. As threat actors get creative with technology and attack vectors, phishing supply chain ecosystems can help business leaders and security teams understand the inner workings and the importance of securing applications to prevent phishing attacks.
Discover more in the latest report, Anatomy and Trends of the Evolved Phishing Ecosystem. This timely report sheds more light on the inner workings of kits, evolved lure distribution mechanisms, targeted retail and financial services phishing trends, the evolution of stolen victim data as complete package profiles as well as key recommendations. Find all of our anti-phishing resources in the Anti-Phishing Resource Hub here.