According to cybersecurity researchers, this approach to phishing costs about a quarter as much and is twice as profitable as traditional unmanaged -- and labour-intensive -- phishing campaigns, and it follows in the footsteps of other cybercrime-as-a-service offerings.
The 'Phishing made easy' report from Imperva's Hacker Intelligence Initiative details how a Phishing-as-a-Service (PhaaS) store on the Russian black market offers a "complete solution for the beginner scammer" including databases of emails, templates of phishing scams, and a backend database to store stolen credentials.
Once signed up to the PhaaS operation, the user can pick from a variety of scam pages on their account homepage -- covering social media, banking, retail, telecom, utility, gaming, and dating -- and the service generates a link to be sent to victims. Any credentials stolen are stored on the user's personal dashboard.
Some types of phishing scams are limited to those who have purchased VIP account subscriptions. However, at a cost of at most 270 rubles a month ($4.23), the scammer would be able to make back the cost in no time by stealing and selling profiles.
Indeed, that very much seems to be the case, with cybersecurity researchers investigating the PhaaS operation discovering that its 67,000 users have made off with data from over 750,000 accounts, with an average of around 65,000 stolen per month, or 1,700 per day.
The operation also tailors its criminal services to those who wish to target users in a certain location or of a certain service, allowing wannabe hackers to purchase Simple Mail Transfer Protocol (SMTP) infrastructure with which to reach hundreds of thousands of potential victims.
An SMTP server is sold online for between $1.25 and $3, while a list of 100,000 emails would cost between $2 and $50, depending on the country of the target emails and their "freshness", or the length of time since they were stolen. While this costs users more, it provides them with a potentially more lucrative outcome, both in terms of the data available to steal and the price they can sell it on for.
For example, users are able to buy government email lists, which could potentially be used to conduct cyberespionage.
Researchers say a campaign using phishing pages, a spam server, an email list of 100,000 addresses, and access to compromised servers could be carried out for as little as $27, a quarter of the cost of a standard phishing campaign.
"The combination of PhaaS and compromised web servers has significantly lowered the monetary, technological, and time investment needed to conduct a successful phishing campaign," said Amichai Shulman, co-founder and CTO of Imperva.
Using reverse engineering and investigation, researchers claim to have linked this particular PhaaS scheme to an Indonesian hacking group which has previously carried out campaigns involving Outlook web applications, Wells Fargo's online banking, and Adobe PDFs.