Probing the online phish market reveals thriving, profitable underworld

A new study has lifted the lid on the booming ecosystems of fake websites that underpin phishing scams, revealing a wide variety of prices and products from cheap knock-ups to bespoke fraud services offering concierge-level customer support.

Infosec firm Clearsky surfed popular Russian and English-speaking underground boards and forums, looking for fake webpage creation services. Researchers then attempted to make direct contact with vendors of fake sites via instant messaging (mostly Jabber) to tease out more intelligence about their skills, offers and pricing.

Clearsky went through this process with 15 different phishing vendors, checking the prices for two main types of fake sites: a fraudulent banking login page designed to harvest credentials, and a counterfeit page that would not exist on a real banking website designed to trick marks into entering their credit card number, expiration date and CVV number.

In addition, Clearsky's team checked whether the vendors are just duplicating the original website, or developing it from scratch. Duplicate websites are easier to produce but are more likely to be discovered and taken down quickly.

In many cases duplicate websites are blocked by Chrome/Safari, one phishing site vendor told the security researchers. Another vendor offered to add a filter to prolong the pre-exposure lifetime of the fake website.

More qualified vendors discussed how to keep fake websites under the radar for the greatest amount of time while script-kiddie types fail to grasp the difference between between simply duplicating a website and developing a fake from scratch, Clearsky discovered. Some of the vendors, duplicate the website and make basic "cleaning" i.e. basic changes in HTML and content, it adds.

Two different types of workers are required for fake website creation: the developers and the designers. Some developers work with third-party designers when a design or change in the websites is required.

The average price for banking login pages is about $60. Those who just duplicate the original site charge about $20-30 and those who develop the fake website from scratch ask for $50 or more, with some vendors quoting up to $200.

When researchers asked about pricing for additional pages that don't exist at real websites – those designed to steal credit card data – the fee tended to be significantly higher because it required extra development and design work.

Some vendors also develop tools and control panels (example below) that make it easier for would-be cybercriminals to collect and potentially resell stolen credentials.

Some vendors also publish brash advertisements (example below) although all actively push sales of their illicit services through various incentives, Clearsky reports.

"Most of the vendors work very hard to promote their services, constantly pump up their topics in different forums, and although the basic pricing of most of them is relatively low, in order to gain proper reputation, they offer various kinds of actions and discount," the researchers said.

For example, one vendor offered free creation of fake websites on .de top-level domains as part of a limited-time offer.

Delivery times varied with some vendors willing to complete their work in anything from ten minutes to an hour, while others asked for several days.

Clearsky's full report, The Economy behind Phishing Websites Creation, can be found here (PDF). ®