2021 Mid-Year Phishing Report
Authored by Joel Garcia, Cyber Security Operator III
2021 has kept defenders on their toes. From the Solarwinds breach to the Colonial pipeline attack, cyber attacks and leaks seem to be omnipresent in headlines.
The prolific number of attacks and monetary incentives are driving change in the threat landscape, leading to attack specialization. This edition examines the significant growth seen in the Initial Access Broker (IAB) and Response-Based Threat ecosystems.
Initial Access Brokers (IABs)
Initial Access Brokers
Gone are days of ransomware groups breaking into networks on their own, or using email as a primary payload delivery method. The cultural shift to remote work and ever-increasing ransoms has transformed ransomware gangs from cybercrime syndicates into full-blown economies, paving the way for specialist positions like Initial Access Brokers (IABs).
IABs are threat actors that gain and sell unauthorized access to target networks in cybercrime marketplaces, typically fostering a relationship with one or several ransomware groups. Underground sites like Exploit and Raidforums are where IABs advertise their wares.
Pricing is dependent primarily on company revenue, also factoring in the size of the network and level of access provided by the account.
Credentials sell for an average for $1,000 – $5,000, with the largest enterprises fetching up to $400,000. Credentials phishing, finding direct web RDP exposure with weak passwords, and unpatched VPN vulnerabilities are tactics used by threat actors.
Response Based Threats
Email threats come in various levels of attacker engagement. Automated bots blindly attempt to spread malware attachments with little or no obfuscation, easily blocked by filtering. One of the highest levels of involvement are response-based threats where the threat actor directly interacts with the target.
Scammers engaging victims is nothing new. Advanced-fee (419/Nigerian prince) and Business Email Compromise (BEC) attackers impersonate parties (colleagues/vendors) to transfer resources to accounts they control.
Malicious call centers are another pervasive response-based threat, with the intent of getting someone on the line to take an ill-advised action. Done over the phone, VOIP, or voice messages, vishing (voice-phishing) are viable threats. Feigning system errors, tech-support centers scam people out of funds for supposed servicing. One Initial Access Broker (IAB) uses call centers to spread BazarLoader malware, dubbed the BazarCall method.
Operators of BazarLoader, a backdoor access malware, use a combination of phishing and vishing to increase their victims. First, a subscription-style email is received, instructing the target to call the attacker; or else their card will be charged, or access to a resource will be lost. Call operators direct victims to a fake company website, where they download and enable macros on a malicious BazarLoader document. Once enabled, macros retrieve the rest of the payload, and post-infection activities like credential theft begin. Having established ties to the Ryuk ransomware group and claiming the top payload for Q3 (PhishLabs), this malware threat is not going anywhere.
Threats are everywhere and varied in their tactics. Proactive security controls are the way to stay ahead. Two -factor authentication, VPN-protected remote access, and mature vulnerability management are excellent measures to defend against Initial Access Brokers. For response-based attacks, be wary of unsolicited emails from unknown businesses, particularly those delivered with a threat (charges/loss of access) should raise a red flag; train staff to recognize high-pressure tactics. If possible, reach out to the business or individual via a different communication channel.
Stay vigilant, be proactive, defend your data
Sources Initial Access Brokers: