Phishing, a cyber attack often used to steal user data like login credentials and credit card numbers, is not a new phenomenon. This practice has been around for almost as long as email itself, and has always remained one of the most important tools in the cybercriminal’s toolkit.

Although the world has become increasingly more aware of the risk posed by these attacks, phishing still maintains its status as one of the most dominant forms of cyber attacks. Recently, an ESET research found a 7.3% increase in email-based attacks between May and August 2021. The majority of them were part of phishing campaigns.

The top industries most targeted by phishing attacks according to a report published last year were financial institutions (25%) and Social Media (23.6%).

The dark web is one of the most comfortable spaces for cybercriminals to discuss, plan or execute phishing attacks. Discussions on phishing in the dark web are usually center on two main topics:

The trade of Phishing Kits

Here you can find automation tools that either already contain a ready-made fake site of a known business site or they can automate the process of creating one. We could find fake sites for Facebook, Microsoft365, Amazon and others.

Below is an example of this kind of phishing kit on popular hacking site XSS:

Here you can see the threat actor is selling a fake site for WalletConnect, a known open-source protocol that connects between crypto wallets.

The trade of compromised identities

Many cybercriminals who look to gain access to restricted accounts usually buy compromised business email from someone who has already done the work for them. After obtaining them they can carry out scams, hacking but also spear phishing. Successful “phishermen” are happy to sell access to executive accounts on underground forums for $250 to $500, and the market is still in its pandemic-boom phase.

A good example for such a dark web marketplace is the Genesis market, where there are many resellers that use malwares and info stealer tools to intercept accounts and emails. Eventually, hackers are buying these compromised business accounts (BEC – Business Email Compromise) which they use to perform spear phishing against their targets. This can lead to a major breach against the target organization.

In the example below, the vendor is offering cookies to the websites he is listing in his ad. By using these cookies, another attacker can enter the account with no authentication.

Only several months into 2022, we can already see that phishing remains one of the leading cyber attacks. With email being the most common compromised entity, and with 60% of targeted companies going out of business within six months after a cyber attack, identifying phishing threats is key to any business today. It is important to remember that time is of essence so identifying phishing threats at an early stage can significantly help in mitigating financial and reputational damage to businesse.