Affordable phishing services help make email fraud the most profitable form of cybercrime

There has never been a better time to invest in email fraud techniques.

Cybercriminal forums are bursting with advertisements from scammers who are selling pre-made tools necessary for carrying out phishing attacks. The average cost of a tutorial that includes instructions on how to carry out a scam is under $25, while templates for malicious websites meant to dupe victims out of their usernames and passwords are typically worth $3 apiece.

The numbers are included in research published Tuesday by Digital Shadows, a threat intelligence firm which monitors illicit web forums for criminal activity. The sales figures, if not always surprising, help illustrate how business email compromise (BEC) attacks, which sometimes begin with compromised accounts, caused more than $1.7 billion in cybercrime-related losses reported to the FBI last year.

“As long as you have the money to buy a template, you don’t need to be a sophisticated threat actor to carry out a successful phishing attack,” researchers wrote. “You don’t even need an in-depth understanding of your target.”

Usually, hackers trying to phish a victims’ credentials send a target an email that appears to be from a legitimate source. The email typically includes a link directing the email recipient to go to another website, where they need to enter their username and password. For scammers, it’s a numbers game: the more victims who fall for the initial email, the more people are likely to provide their password without thinking twice.

By examining advertisements on active and shuttered cybercrime forums, the Photon Research Team at Digital Shadows determined that the average price over the past 2.5 years of a dummy website that targets a banking service was $67.91. That fee is more than three times the $20.43 rate for a phishing page for a retail or e-commerce page. (Cybercriminal forums are notoriously untrustworthy, and it is not clear if the sellers behind these ads actually provided the services they marketed.)

Attackers also are using a range of different formats inside their emails to increase their chances of success. Phishing emails with unusual spacing between words, or including the Unicode format, could be more likely to slip through spam filters. An August 2019 conversation on the Russian cybercriminal forum XSS, for instance, included suggestions to randomize text in messages, and send them from a corporate server, to boost the likelihood of reaching Gmail, Yahoo, iCloud and Outlook users.

Leveraging a trusted corporate email system to send a wave of malicious emails is a real key to success for scammers. BEC attacks often steal from victims by using spoofed email addresses which impersonate others in their organization, though Digital Shadows researchers noted that some fraudsters will just compromise an account that belongs to high-ranking executives.