Phishing continues to mature as a commercial category. Underground markets now sell ready-made phishing toolkits to operators who lack the skill to build them from scratch. The toolkit-as-product model has shifted the threat profile substantially.
This post is a structural assessment of where the toolkit market is in spring 2004 — necessarily based on second-hand reporting and public analyses, since I am not directly purchasing toolkits to test them.
What is being sold
The current generation of phishing toolkits typically includes:
- Site templates for major financial institutions. The templates are visually accurate, with current branding, current page layouts, current workflows.
- Credential-harvesting infrastructure. Captured credentials are written to files or transmitted to external collection servers automatically.
- Anti-detection features. Behaviour designed to avoid known phishing detection mechanisms — varying URL patterns, varying content layout, deliberately-broken page elements that confuse automated scanners.
- Documentation. Some toolkits ship with installation instructions and operational guidance.
- Updates. When target sites change their layouts, toolkit operators sometimes ship updated templates; the customers receive the updates.
The skill barrier to operating a phishing campaign has dropped from "experienced developer" to "someone who can follow installation instructions". The population that can launch phishing has grown substantially.
How the market operates
The toolkit transactions occur in underground forums and IRC channels. Specific patterns observed in public reporting:
- Reputation systems. Forum-based feedback from previous customers; reputation matters.
- Pricing structures. Toolkits range from a few hundred dollars (basic templates for less popular targets) to several thousand (current templates for major banks). Pricing is roughly stable across the year.
- Payment mechanisms. Various intermediated systems — escrow services within forums, alternative payment channels, occasionally direct bank transfers (which is, given the customers' line of work, slightly amusing).
- Customer support. Some sellers provide ongoing support — bug fixes, template updates, configuration help. The seller-buyer relationship sometimes persists for months.
This is functionally a software-as-a-service market for criminal use. The economic infrastructure has matured to mirror legitimate commercial software practices.
What this implies for defenders
Three implications.
The targets are no longer self-selecting. Earlier phishing campaigns required the attacker to choose a target they could plausibly impersonate. The toolkit market means that any UK bank, any major retailer, any service provider can be targeted by anyone willing to pay the toolkit fee. The previous defensive posture of "this target is too small to interest sophisticated attackers" no longer holds.
The detection arms race has accelerated. Each anti-detection feature added to a toolkit produces a corresponding signature update by anti-phishing services. Each signature update produces a corresponding modification by toolkit authors. The cycle is now operational; the gap between detection and bypass is structurally narrow.
User education has bounded effect. Users cannot reliably distinguish high-quality phishing pages from legitimate sites. The visual fidelity is too high; the workflow accuracy is too good. Education helps reduce response rates among careful users; it does not solve the problem.
What operators should do
For organisations that are potential phishing targets:
- Two-factor authentication for sensitive operations. Credentials alone should not authorise sensitive transactions. The implementation cost is bounded; the security improvement is substantial.
- Customer education within bounded expectations. Education campaigns produce some reduction in response rates; the reduction is modest; the campaigns are still worthwhile but not sufficient.
- Active monitoring for impersonation. Specific organisations now actively scan for phishing pages impersonating their brands. Takedown requests, registrar coordination, hosting-provider notification. The operational cost is real; some organisations contract this out to specialist services.
- Anti-phishing browser-toolbar partnerships. Several UK banks are now piloting partnerships with browser vendors. The toolbars warn users of suspected phishing pages. The deployment is partial; the effectiveness is bounded; the trajectory is positive.
For mail relay operators:
- Sender authentication where deployed. SPF is starting to see partial deployment. The trajectory will improve over years.
- Aggressive content filtering for known toolkit signatures. The signatures lag; the catch rate is meaningful but not complete.
- Clear user warnings. When suspected phishing is filtered, the user benefits from a specific warning rather than silent rejection.
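To make the sender-authentication and user-warning points concrete, here is an added example (not code from the original post) of the check a mail relay performs under SPF: look up the claimed sender domain's `v=spf1` record, walk its mechanisms in order until one matches the connecting IP, and turn the outcome into a relay decision with a specific warning for the recipient. The DNS data is a constructed in-memory table of reserved example domains and documentation addresses so the code runs offline; the evaluator handles the `ip4`, `ip6`, `a`, `include` and `all` mechanisms and the four qualifiers, and treats anything else as a permanent error rather than guessing. The reject/tag policy in `relay_action` is one common choice, not something SPF itself mandates.

```python
import ipaddress

# Constructed zone data (not real records). None models a domain that
# publishes no SPF record at all.
DNS_TXT = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.test -all",
    "mailer.test": "v=spf1 ip4:198.51.100.10 a:relay.mailer.test ~all",
    "broken.test": "v=spf1 include:nospf.test -all",
    "nospf.test": None,
}
DNS_A = {
    "relay.mailer.test": ["203.0.113.5"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # SPF caps the DNS-querying mechanisms evaluated per check


def lookup_txt(domain):
    """Stand-in for a TXT query against the constructed zone."""
    return DNS_TXT.get(domain)


def lookup_a(host):
    """Stand-in for an A query against the constructed zone."""
    return DNS_A.get(host, [])


def check_spf(sender_ip, domain, _lookups=None):
    """Evaluate domain's SPF record for the connecting IP.

    Returns (result, reason); result is one of the SPF outcomes
    pass, fail, softfail, neutral, none or permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across include recursion
    record = lookup_txt(domain)
    if record is None:
        return "none", f"no SPF record for {domain}"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", f"no v=spf1 record for {domain}"
    ip = ipaddress.ip_address(sender_ip)
    for raw in terms[1:]:
        qualifier, term = "+", raw
        if raw[0] in QUALIFIERS:
            qualifier, term = raw[0], raw[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "include"):
            # Both cost a DNS lookup; bounding them also stops include cycles.
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror", f"more than {MAX_LOOKUPS} DNS lookups"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # Membership across IP versions is simply False, so a v6 sender
            # never matches an ip4 mechanism and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in lookup_a(host))
        elif name == "include":
            sub, _ = check_spf(sender_ip, arg, _lookups)
            if sub in ("none", "permerror"):
                return "permerror", f"include:{arg} yielded {sub}"
            matched = sub == "pass"  # only a pass inside an include matches
        else:
            return "permerror", f"unsupported mechanism {raw}"
        if matched:
            return QUALIFIERS[qualifier], f"{domain}: matched {raw}"
    return "neutral", f"no mechanism matched in {domain}"


def relay_action(result):
    """Map an SPF outcome to a relay decision plus the text shown to the user.

    Hard fail is rejected outright; softfail and permerror are delivered
    with a specific warning rather than dropped silently.
    """
    if result == "fail":
        return "reject", "Rejected: sender is not authorised for this domain (SPF fail)"
    if result == "softfail":
        return "tag", "Warning: sender may be forged (SPF softfail); treat links with suspicion"
    if result == "permerror":
        return "tag", "Warning: sender domain publishes an invalid SPF record"
    return "accept", ""


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example-bank.test"),
                    ("203.0.113.9", "example-bank.test"),
                    ("203.0.113.9", "nospf.test")]:
        result, reason = check_spf(ip, dom)
        print(ip, dom, result, reason, relay_action(result))
```

The second sample case shows the ordering rule that matters in practice: `203.0.113.9` is neither in the bank's `ip4` range nor a pass inside the included mailer domain, so evaluation falls through to the bank's own `-all` and the message is rejected, even though the mailer's record only softfails it.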
What I am doing on my own infrastructure
For my own setup: I have used unique passwords for years; two-factor authentication is enabled where available; I am cautious with email from unexpected senders. My direct exposure to phishing is bounded.
For friends and small organisations I help informally: an annual conversation about phishing patterns. The conversation reduces response rates within my immediate circle; the broader effect is bounded.
For my Snort sensor: rules for known toolkit-deployment signatures. The signatures fire sometimes; the alerts feed into the broader structured-log analysis workflow.
What I expect through the second half of 2004
Three predictions:
- Toolkit-driven volume continues growing. 95%. No structural change visible that would reverse the trajectory.
- A specific UK retail-bank phishing incident with substantial public visibility. 60%. The cumulative pressure is mounting; specific incidents will become public.
- Initial deployments of structural defences (two-factor authentication, browser toolbars). 70%. The pressure is sufficient; specific banks will be early movers.
For my own writing: more on phishing as the category develops. The structural shift to commercial enterprise is the meta-pattern; specific incidents are the data.
More in time.