Understanding the Phishing Ecosystem: Phishing Lure Distribution


For a phishing attack to succeed, it must first be distributed to potential victims. A phishing link sent to a potential victim is referred to as a phishing lure, because it is designed to “hook” the victim into following the link embedded in the lure and continuing through the phishing workflow. Depending on the targeted brand and technical capability of the attacker, lures can be distributed in many forms.

Phishing lures generally request the recipient to take an action. For example, a victim may be informed their account has been locked and they must log in to restore services, creating a sense of urgency that the victim must enter their details quickly in order to resolve the apparent issue.

Understanding Phishing Lure Distribution Types

The two most popular forms of phishing lure distribution are email and SMS, with email-based phishing being the more common of the two and the cheapest method of lure distribution. This post covers some of the most used services made available within the phishing ecosystem on covert channels and dark web networks.

Email Lures

Although phishing has expanded over time from the traditional email method into other lure distribution mechanisms, campaigns using email lures are still very commonplace. However, as vendors have improved spam and phishing detection capabilities, threat actors have also developed tools and processes to bypass these security measures.

Phishing emails consist of HTML code formatted in such a way that replicates the targeted brand's own email style. Logos, fonts, structure, and image placement are key in making the email look legitimate to the recipient.

In the phishing ecosystem, these types of phishing emails are called “letters.” Many sellers offer to create these letters via covert channels and dark web forums, with each letter, or template, being unique depending on the requirements. Sellers also tout these templates as “FUD” or “fully undetectable,” meaning that they will bypass most conventional anti-spam or phishing email checks and arrive successfully in the recipient's inbox.

The authors of these templates employ certain techniques in order to increase the likelihood of the email not being blocked or flagged as spam, mainly via “encryption.” These “encrypted letters” are simply obfuscated HTML templates, where the code has been altered in such a way that it still renders correctly. Certain elements in the code are altered and encoded to hide any potential phrases, keywords or code snippets which are commonly blocked at the email perimeter with signature-based detection.
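From the defender's side, the counter to this kind of obfuscation is to run keyword signatures against the text a mail client would actually render rather than against the raw HTML source. The following is an added example, not code from the original post: the specific encodings it undoes (character references, invisible code points, hidden inline-styled elements), the signature list and the sample message are all assumptions constructed for illustration.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Assumed encodings (the article names none): invisible code points and
# inline styles that keep filler text off screen.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"))
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|font-size\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}
# Hypothetical keyword signatures standing in for a perimeter rule set.
SIGNATURES = [re.compile(p) for p in ("verify your account", "account has been locked")]

class VisibleText(HTMLParser):
    """Collects only the text a mail client would render."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &#118; style references
        self.parts, self.hidden_depth = [], 0

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        if tag not in VOID and (self.hidden_depth or HIDDEN_STYLE.search(style)):
            self.hidden_depth += 1  # track nesting inside a hidden element

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        if not self.hidden_depth:
            self.parts.append(data)

def normalise(raw_html):
    parser = VisibleText()
    parser.feed(raw_html)
    parser.close()
    text = unicodedata.normalize("NFKC", "".join(parser.parts)).translate(INVISIBLE)
    return re.sub(r"\s+", " ", text).strip().lower()

def hits(text):
    return [s.pattern for s in SIGNATURES if s.search(text)]

def scan(raw_html):
    """Signature hits on the raw source versus on the rendered text."""
    return {"raw": hits(raw_html.lower()), "normalised": hits(normalise(raw_html))}

# Constructed sample, not taken from a real campaign.
SAMPLE = ("<p>Your acc<span style='display:none'>zq</span>ount has been "
          "lo\u200bcked. Please &#118;erify y&#111;ur account.</p>")

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A message whose `normalised` hits are not also present in `raw` is itself a useful signal, since legitimate senders rarely need to hide ordinary phrases from the filter.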

Once the threat actor has obtained their phishing email templates, distribution can begin. Within various channels there are multiple guides and videos made available, showing would-be phishers how they can quickly spin up the required infrastructure on various platform-as-a-service providers, and begin sending emails at scale with available tools.

SMS Lures

Phishing via SMS, or “smishing,” has gained popularity rapidly over the past few years, as it became standard for many businesses themselves to utilise SMS to keep customers informed of updates and issues. Threat actors leveraged the adoption of this new method of communication to trick unsuspecting victims, some of whom may be well aware of phishing emails and how to identify such lures.

Within the modern ecosystem of phishing attacks, SMS plays a large role with many groups and individuals operating within covert channels and dark web networks selling services, equipment and data in order to facilitate smishing attacks at scale. This allows low skilled threat actors with few initial resources or skills to distribute phishing lures en masse with minimal effort and cost.

Despite recent arrests, and law enforcement cracking down on groups selling smishing-related services, there has not been a noticeable decrease in activity. Individuals advertising bulk SMS services and “leads” still permeate the many channels which exist on encrypted messaging platforms solely for this purpose.

When conducting a phishing campaign, the threat actor typically reaches out to sellers to enlist their services. First, the threat actor needs to obtain a list of mobile telephone numbers to receive the phishing lure. These numbers must be valid, and actively used – as sending messages to numbers which are not in service will not be of any value.

“Leads” are files containing mobile phone numbers, confirmed to be genuine and in use via Home Location Register (HLR) checks. The HLR is a database containing up-to-date information for every mobile phone subscriber worldwide. An HLR lookup can tell you if a mobile phone number is active, switched on, and which network that number has been assigned to. Sellers will offer leads consisting of numbers from specific geographical locations, carriers, or potentially, mobile numbers associated with specific types of services or accounts.

After obtaining their leads, the next step is to begin sending phishing lures via SMS to the numbers at scale. To do this, the threat actor may either pay a third party to send these messages directly, or use one of many “Bulk SMS” online services dedicated to this purpose.

These providers also offer the ability to spoof the message's sender ID. As a result, depending on how the recipient's mobile device groups SMS messages, the phishing lure may end up listed under the legitimate sender's message history.

Specialist equipment and software are used to facilitate this activity, which is difficult to proactively prevent, as International Mobile Equipment Identity (IMEI) and mobile numbers can be spoofed and changed at random. Threat actors insert multiple SIM cards which can be easily swapped out if numbers are blocked. Connecting directly to these devices allows them to utilize specialist software to facilitate sending mass SMS phishing messages to specified recipients, based on the “leads” provided by whoever is employing their services.

The campaign begins after the threat actor operating the phishing campaign provides the leads, SMS message content and desired sender ID to their chosen bulk SMS sender.

Messages are sent quickly: the longer it takes to send lures to all the provided numbers, the greater the chance that telecommunications providers will begin receiving reports from recipients and begin blocking IMEI numbers, slowing down delivery progress.

Recommendations for Avoiding The Next Phishing Lure

  • Enable 2-factor authentication for all of your organizational accounts.
  • Utilize account permissions best practices such as role-based access control, least privilege, and restricting root/admin permissions.
  • Avoid opening unsolicited attachments and never click suspicious links.
  • Do not share passwords, and do not reuse the same password on different websites and applications.
  • If you are alerted or suspect a compromised account, change the password immediately.


While phishing utilizing email-based lures is still a very popular method, phishing via SMS, or “smishing,” is seeing increased adoption due to several factors: the market for threat actors selling this service is incredibly competitive, driving costs down; creating believable lures requires minimal effort, through sender ID spoofing and the use of URL shortening, which is commonplace even in legitimate SMS messages; and malicious SMS messages are a lot less likely to be blocked. ZeroFox assesses with a high likelihood that phishing campaigns utilizing SMS lures will continue to increase and see further adoption.
