Wouldn’t it be nice if threat actors could give us a break for the holidays? A short breath of fresh air from the never-ending, year-long influx of cyberattacks? With the holiday season fast approaching, threat actors are poised and ready to take advantage of the annual shopping surge. As holiday spending rises, cybercriminals are looking to capitalize on the increased spending for their own gain.
In our research on holiday phishing, we discovered something interesting: while most phishing attacks occur between Black Friday and the end of the year, the underground discourse surrounding phishing tools and tactics peaks several months earlier. This suggests that threat actors lay the groundwork for their phishing campaigns long before deployment.
Phishing appears in two broad categories on the deep and dark web. First, on underground forums, actors discuss tactics, techniques, and procedures related to phishing. Second, on underground markets, actors sell phishing services and tools, such as kits and templates.
Phishing Discourse
We looked at the total number of mentions pertaining to phishing and related terms on underground forums. As reflected in the graph below, in the third quarter of 2021 and 2022, there is an increase in activity on this topic compared to the first half of the year.
Figure 1: Phishing discourse on underground forums. Figures for 11-12/22 are projected based on trends from previous years.
A deeper analysis of these posts reflects a general demand for new tools, tactics, and techniques to carry out attacks. For example, in the post below, an actor is looking for a Facebook “scam page” (underground slang for a phishing site). Actors typically look either for a service that lets them edit the site and change the targeted organization, or for a page that is ready for deployment (figure 2).
Figure 2: A threat actor looking for a Facebook scam page.
Further, the example below depicts another conversation between threat actors, this time discussing the various methods and tips for collecting cookies from victims’ computers after they open a scam page. In this particular example, the actor specifies their intention to collect cookies with a 2FA bypass. Again, this can be used to steal credit card data and other sensitive financial credentials.
Figure 3: Phishing scam work offered for threat actors.
Phishing Tools and Services
Meanwhile, as the forums provide a venue for discussing techniques and tactics, the underground markets host buyers and sellers trading the phishing tools and services needed to launch the attacks, including scam page templates and phishing kits.
The graph below reflects that the total number of phishing-related products for sale on underground markets peaked in the third quarter of 2022, increasing from the beginning of the year, similar to the activity in underground forums.
Figure 4: Phishing-related products offered for sale on underground markets.
Here are some examples of phishing kits and templates sold on underground markets:
A threat actor advertises a “PayPal” scam page for sale on a popular forum (figure 5). The user must reply to the post to get complete information regarding the files (to raise the actor's forum reputation).
Figure 5: 2022 PayPal scam page attached with a download link.
In another example, a threat actor offers his coding services, from building a scam page for $250 to a live panel attached to the scam page for $750. Those services can be managed for different scams and edited to impersonate any vendor. The actor also offers prepared phishing pages targeting Amazon, the Bank of Scotland, and others.
Figure 6: Coding services for phishing/scam pages offered at varying prices.
Just under a quarter (23%) of all phishing products for sale in underground markets target Amazon. One of these is shown below, in which a bogus Amazon payment page is advertised for sale.
Conclusion:
As the holiday shopping season approaches, shoppers are expected to spend considerably on online shopping. Attackers follow the money and will continue innovating new ways to steal cash, credit card information, and e-commerce credentials.
Protecting against phishing attacks is challenging. Many anti-phishing mechanisms operate, in part, by blocking newly-registered domains. Attackers have countered this by setting up infrastructure several months before the planned attack. In the constant game of cat-and-mouse between defenders and attackers, defenses must remain just as agile.
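The gap described above can be shown with a short detection sketch. This is an added example, not code from the original article: the 30-day threshold, the function names, and the sample sightings are assumptions constructed for illustration. It pairs the registration-age check with a brand-lookalike check and a "registered long ago, first seen now" signal, so a domain aged for months before the holidays is still flagged.

```python
from datetime import date

# Brands this page names as impersonation targets, mapped to their real domains.
BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com", "facebook": "facebook.com"}
NEW_DOMAIN_DAYS = 30  # assumed cut-off for "newly registered"; tune per environment
DIGIT_SWAPS = str.maketrans("01345", "oleas")  # common digit-for-letter substitutions


def age_only_blocks(registered, today):
    """The baseline control: block purely on registration age."""
    return (today - registered).days < NEW_DOMAIN_DAYS


def impersonated_brand(domain):
    """Return the brand a domain imitates; None for the brand's own domains."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in BRANDS.values()):
        return None
    flat = domain.translate(DIGIT_SWAPS).replace("-", "")
    return next((b for b in BRANDS if b in flat), None)


def assess(domain, registered, first_seen, today):
    """List reasons to flag a sighting.

    registered: creation date from WHOIS/RDAP; first_seen: first day the
    domain appeared in our own mail or proxy logs.
    """
    reasons = []
    if age_only_blocks(registered, today):
        reasons.append("newly-registered")
    brand = impersonated_brand(domain)
    if brand:
        reasons.append(f"lookalike:{brand}")
        dormant = (first_seen - registered).days
        if dormant >= NEW_DOMAIN_DAYS:
            reasons.append(f"aged-then-activated:{dormant}d")
    return reasons


# Constructed sightings (not real indicators), evaluated on a constructed date.
TODAY = date(2022, 11, 25)
SIGHTINGS = [
    ("amaz0n-orders.example", date(2022, 7, 15), date(2022, 11, 25)),
    ("paypa1-login.example", date(2022, 11, 20), date(2022, 11, 25)),
    ("smile.amazon.com", date(2000, 1, 1), date(2022, 1, 3)),
]

if __name__ == "__main__":
    for name, reg, seen in SIGHTINGS:
        print(name, age_only_blocks(reg, TODAY), assess(name, reg, seen, TODAY))
```

The first constructed sighting passes the age-only control yet is flagged by the combined check, which is the case the paragraph above describes.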
Consumers must remain vigilant when opening suspicious links from unverified senders, especially when they are asked to enter personal information.
Before shopping online, be wary of scams and other fraudulent schemes. Have a secure and happy holiday season!