Phishing and its Impact on Businesses and Employees

Despite the many tools in place to prevent them, phishing attacks continue to be a menace to employees and businesses. In Q3 of 2016, the Anti-Phishing Working Group detected at least 340 hijacked brands per month. In the last month of that same period, they also found 104,973 unique phishing sites. In order to understand the implications of these statistics, one needs to gain a better understanding of phishing attacks, the motivations behind them, why they succeed, and their impact to business.

In a nutshell, a phishing attack is a fraudulent message, usually in the form of an email, which lures users into clicking a link. That link in turn either leads the victim to a malicious website or initiates a malicious download.


Anatomy of a Phishing Attack

Phishing email is a form of spam email; it’s an undesirable message sent in bulk to a large number of recipients. While traditional spam emails are mostly part of advertising campaigns, phishing emails are more sinister. The main goal of a phishing email is usually to obtain confidential information from the email’s recipient.

In essence, the following is what takes place during a phishing attack:

  1. First, the phishing email is sent to a large collection of email addresses. These days, the mass mailings are launched from zombie computers or devices that belong to botnets.
  2. If the phishing email was well crafted, the victim would be compelled to either click on a link found in the email body, or download an attachment.
  3. If the victim clicks on the link, he or she will likely be redirected to a landing page closely resembling a legitimate webpage of a popular and trusted company. Most of the organizations impersonated are banks, credit card companies, online payment service providers (e.g. PayPal), and even social networking sites. The use of a reputable brand name increases the probability of the victim performing the desired action (e.g. fill out a form or download a file).
  4. If the victim downloads an email attachment, he or she will likely end up installing a trojan that might contain a key logger, botnet client, ransomware, or just about any other type of malware.


Why Cyber Criminals Phish

The goal of most phishing attacks is to acquire what is known as personally identifiable information, or PII. This information includes data that, either individually or combined with other relevant data, can be used to identify an individual. Examples of this kind of data would include social security numbers, bank account numbers, credit card numbers, medical records, educational records, mailing addresses, biometric records, and so on.

Stolen PII is often sold in shady online marketplaces, where they will then be purchased by identity thieves. These cybercriminals then use the information to carry out credit card or banking fraud and other fraudulent transactions. The cost of a single piece of stolen personal information can range from a few dollars to thousands of dollars, depending on the specific information that has been obtained. For example, a random credit card number can cost $5; a medical record, $50; and a bank account credential, $1,000.

Looking at the total value of PII belonging to thousands of individuals makes it is easy to understand why phishing can be so lucrative.


How Phishing Attacks Succeed

Phishing relies on the time-tested art of deception. These days, cyber security experts and cyber criminals have dubbed these deceptive acts “social engineering.” Social engineering plays on people’s emotions, curiosity, fear, or plain gullibility.

A simplified example of what one might read in a phishing email would be as follows:

Congratulations! You just won in the 2017 Online Lottery. Please claim your prize by clicking the link below.”

Most people get excited when they are told they won something – even if they never bought a ticket for any “2017 Online Lottery” in the first place.

Some phishing emails play on fear and take advantage of recent events, for example, a massive data breach. The following is what one might receive in the wake of a PayPal data breach:


“Dear [insert your name here]


Earlier today, PayPal’s databases were hacked and several user accounts were compromised. We regret to inform you that your account was one of them. While no funds have been stolen yet, we can confirm that the hackers were able to acquire your login credentials. To prevent any financial loss, you need to reset your password immediately. Click the link below and follow the instructions to carry out the reset.”


The message above can be quite alarming and can spur a sense of urgency. For this reason, some recipients of this email would no longer stop to think and just do as instructed.

These deceptive messages are made more believable with the advent of HTML-based emails. Unlike plain text emails, HTML-based emails can be spruced up with graphics and formatted text. Hence, it’s easier to make them resemble official communications from a trusted or reputable source – like a bank or, in the example above, Paypal.

When people are faced with a well-written and professionally formatted email bearing a trusted logo, most of them won’t bother to verify its authenticity.


Increasing Email Open Rates and Clicks Through Spear Phishing

Traditionally, phishing emails followed a spray and pray tactic. Attackers typically sent out large volumes of emails without any regard as to who would end up receiving them. For example, of the thousands who would receive the “Paypal” email, only a few may actually own a PayPal account. As a result, the majority of those who would receive the email would mark it as spam.

To increase the efficiency of their attacks, phishers started resorting to more sophisticated techniques. One of these techniques is known as spear phishing. This is a more targeted phishing attack aimed at a specific individual or group of people.

Spear phishing emails contain elements closely associated with the target. For example, a spear phishing email may mention and may appear to originate from the target’s boss, their organization’s network administrator, or HR manager. In addition, it may follow the company’s standard email format and include the corporate letterhead.

Because spear phishing emails are so customized, their open rates and click-through rates are quite high. The people who conduct spear phishing attacks usually have even more sinister intentions in mind than just stealing PII.

Many of these attackers are often after high value targets buried deep inside the organization. Hence, the main purpose of the phishing attack might be to acquire administrative credentials for privilege escalation or to infiltrate the network in preparation for an APT (advanced persistent threat) campaign.

Spear phishing emails are typically laced with malicious attachments that often take the form of corporate files like PowerPoint presentations, reports, spreadsheets, resumes, and business documents. While these files appear as common file formats like .PDFs, .PPTs, .DOCXs, and .XLSs, they are actually executable (.EXE) files containing trojans that may even connect to remote command-and-control (C&C) servers.


Business Impact

Although phishing attacks are primarily aimed at individuals (more specifically, their PII), they can have other unintended, but nevertheless unavoidable casualties as well.

When phishers launch an attack, they usually need to hijack a legitimate brand. As discussed earlier, attackers typically set up a malicious landing page that closely resembles the web page of a trusted brand. This makes it easier to convince victims into responding to a call-to-action, such as filling out a form or downloading something.

These brands become casualties once the phishing campaign is discovered and later disclosed in news outlets or social media. This type of publicity can hurt the brand’s image, leaving the impression that its web pages are unsafe. Some customers might end up avoiding the brand’s legitimate websites for fear of accidentally landing on a fake web page.

In most cases, the people who do land on a hijacked brand’s website are likely customers of that organization. These people can lose confidence in the brand and may ultimately drop it for a competitor. Worse, if they actually become victims (i.e. their personal data get stolen), they might even file a lawsuit, or, if the data is covered by data protection regulations, the company can be levied fines for noncompliance.


How to Defend a Business against Phishing Attacks

There are a couple of ways to thwart phishing attacks, the first of which being user education. This method of avoidance is primarily designed to counter the social engineering aspect of the attack. Because users are the recipients of phishing emails, your employees must be trained to determine when an email can be considered suspicious.


Some indicators include:

  • Requests for personal information
  • Deceptive domain names (e.g. is certainly not a legitimate PayPal domain)
  • Generic salutations (e.g. Dear Sir instead of Dear [your name])
  • URLs that don’t match what is being displayed on the link (You can verify this by hovering your mouse on the link and inspecting the link that appears on your browser’s bar)
  • Emails with executable file attachments (the common file types include exe, com, jar, msi, bat, and scr, but there are many others)
  • Any email attachment that wasn’t expected (you can always verify with the sender)
  • Messages that elicit heightened emotions, whether of happiness, fear, pity, etc.
  • A sender who’s not familiar to you


Although user education is an important component in countering phishing attacks, it is by no means ironclad. Employees can forget or even disregard warning signs; hence, one will need to augment user education with something immune to human shortcomings.

Learn how our DNS Security Solutions can help detect and block fraudulent links, phishing campaigns, rogue antivirus downloads, and forced redirection to malicious domains.

*APWG Phishing Activity Trends Report  – 3rd Quarter 2016

What is an exploit kit?

Attackers who want to infect systems with malware usually need a vehicle to reach as many infections as possible. These days, that vehicle is most often an exploit kit. In this post, we take a closer look at exploit kits, where they fit in the cybercrime industry, what’s inside a typical toolkit, and most importantly, how they work.


A peek into the exploit kit industry

Before we talk about what an exploit kit (EK) is and how it works, let’s first discuss the financial incentive for developing these kits. What drives people to create exploit kits?

Contrary to what most people think, not everyone who commits cyber crime has the technical skills to “hack into a system”. There are those who carry out cyber attacks by simply relying on ready-made tools they purchased in black hat marketplaces on the dark web.

Let’s say that Joe reads this article and learns that ransomware campaigns can be quite lucrative. Being morally flexible, Joe decides to launch a ransomware campaign. Joe then realizes that ransom malware by itself is not enough. He still needs to deliver the malware onto a victim’s system. One way to do that is by taking advantage of certain vulnerabilities in the system. Luckily, people have already written programs for doing just that.

These tiny programs or pieces of code are called ‘exploits’ and can be purchased through black hat hacking forums. The prices of these exploits vary, with zero-day exploits generally priced higher. So if an attacker like Joe gets a hold of an exploit, is he good to go? Not quite yet.

One exploit typically can only target one vulnerability. It’s hard to predict what vulnerabilities are present in a system. So if Joe only targets one vulnerability, chances are he would only be able to compromise a few systems, while ignoring other systems that have other vulnerabilities. If Joe wants to infect those systems too, he needs to acquire exploits for those vulnerabilities as well.

It gets even more complicated because different exploits might be written by different authors. That means, he would have to communicate with several parties. It would be so much easier if he could only deal with one vendor. That’s where exploits kits come in.

An exploit toolkit or kit is a tool, usually written in PHP, that already comes with a collection of exploits. The people who develop exploit kits purchase exploits from exploit authors and package them into one tool. They (the exploit kit developers) then sell their kits to people like Joe.


Some exploit kit licenses have validity periods. Once the license subscription expires, you would need to purchase a new subscription to continue using it. Other exploit kits are offered as a subscription service. The rates typically range from a few hundred dollars per month to a couple thousand dollars per month. This typically includes tech support and updates or patches. For example, there may be patches that introduce new evasion techniques, new exploits, or support for certain malware.

Some of the most notorious exploit kits in recent history include:

  • Angler
  • Rig
  • Neutrino
  • Blackhole
  • Sweet Orange
  • Nuclear
  • Magnitude


Inside an exploit toolkit

When an attacker purchases an exploit kit, he’ll be provided with a management console. Here he’ll see various information and statistics pertinent to his exploit campaign. This is to help him monitor how the overall campaign and the individual exploits are performing.

In addition to the number of times each exploit type was delivered, the attacker will also see where those exploits actually landed. Mostly, he’ll see the countries that were targeted. Cyber attackers normally want to target specific countries (US is the usual favorite), so they want to verify whether the campaign was actually successful in that geographical region. Toolkits can focus on specific areas through geolocation based on the victim’s IP address.

Another key piece of information is the victim’s Operating System and web browser. Certain malware only works on certain operating systems (e.g. Windows), so it’s important for the payloads to be dropped in those systems.

Here’s a screen grab from a Youtube video showing Black Hole EK’s management console:

screengrab blackholeek

Lastly, a toolkit would typically include a module for uploading or selecting the desired payload. The attacker can either pick from a selection of payloads bundled with the kit or upload his own payload. Some of the most commonly used payloads include:

  • Click-fraud bots (e.g. Bedep)
  • Ransomware (e.g. CryptXXX, TelsaCrypt)
  • Spambots (e.g. Tofsee)
  • Banking Trojans (e.g. Zeus, Panda Banker)
  • Worms (e.g. Qbot)
  • Botnets (e.g. Andromeda/Gamarue)
  • And many others


How exploit kits work

There are different kinds of exploit kits, but the most popular are those designed to exploit vulnerabilities in web browsers and browser plugins like Flash, Silverlight, Java, and ActiveX.

Below is a simplified diagram illustrating a web-based exploit kit. The actual set ups are often far more sophisticated than this and can also involve other processes, but this should give you an idea of the basic structure.



1.    Victim lands on a compromised website

The first stage of an exploit kit attack begins when a victim visits a compromised website. These are usually popular, legitimate websites, including blogs, news sites, and social networking sites. Examples of high-traffic sites that have already been hijacked by exploit kit attackers in the past include: BBC, Yahoo, MSN, AOL, MySpace, Forbes, and New York Times, to mention a few.

The way attackers do this varies. Some attackers target vulnerabilities in CMS (content management system) plugins or in the CMS themselves. Others, like those that carry out domain shadowing, take advantage of weak login credentials. There are also those who perform cross-site scripting, SQL-injection, or FTP compromise. Perhaps the most popular method, though, is malvertising.

In a malvertising campaign, attackers target ad networks. This then allows them to reach a wide range of legitimate (and often high-traffic) websites without having to hack into the websites themselves.


2. Victim is redirected to the exploit kit’s landing page

Once the victim visits a compromised site or one that serves malvertising-infected ads, the victim’s browser will then be redirected to the exploit kit’s landing page. This redirection is carried out through an HTML iframe, 302 cushioning or some surreptitious code that the attacker previously injected into the legitimate website or malicious ad.

This article about the Stegano exploit kit offers a nice example of how a typical malvertising campaign and the use of a banner ad laced with a malicious script works.

As soon as the victim gets redirected to the landing page, the profiling process begins. Here, pertinent information regarding the victim’s browser and its plugins is collected. What the exploit kit will want to know is the kind of vulnerabilities that are present on either the web browser or the browser’s plugins. Because each browser or plugin version will have already been associated with a set of known vulnerabilities, it’s usually enough to just determine the version numbers.


3. Exploits are served

Once the version numbers (and consequently, the corresponding vulnerabilities) have been identified, the exploit kit will know which exploits to deliver. In most cases, the landing page is only used for profiling. The exploits and the payloads are usually hosted on a separate server. In fact, in many cases, these two (exploits and payloads) are likewise separated as well.

The first thing that gets delivered to the victim’s browser are the exploits. As you have already learned, these exploits will take advantage of the vulnerabilities that have been previously identified. If the exploit or exploits are successful, the exploit kit then delivers the final blow.


4. Malicious payload is delivered

At this final stage, the exploit kit drops whatever payload it was configured for. As mentioned earlier, the payload can be ransomware, a keylogger, a banking trojan, or just about any type of malware.


How exploit kit attacks succeed

The main reason that these kits are so effective is that the malicious payloads are usually delivered without the victim having to click or intentionally download anything. All the victim has to do is visit a compromised site, and the payload will be downloaded automatically in the background.

Known as a drive-by-download, this covert method is a staple in many exploit kits and is one of the primary reasons they succeed in delivering various forms of malware. Since the victim doesn’t notice anything alarming or suspicious, they are less likely to think anything is amiss.

Another major reason why these kits succeed is because a lot of people don’t patch their software. Patches typically include security updates that fix known vulnerabilities. So, if people don’t patch, the vulnerabilities will remain. In fact, some exploit kit exploits have been found to target vulnerabilities that have already been known for years. Until we have a better solution for handling updates or remove the incentive to launch these attacks, there will be a busy trade in exploit kits.