The fruit fly (Drosophila melanogaster) is a simple organism: it has four chromosomes and a fleeting life expectancy that under ideal conditions reaches thirty days. Half of the swarm of fraudulent pages that flit around the internet stealing data and credentials from individuals and companies last less time than a fruit fly: specifically, less than seven days. “If the hook is good, it gives time to do damage. Cybercriminals focus their campaigns on local themes such as Father's Day or Pentecost. I have seen some and I identify them because I dedicate myself to this. But they are very well worked,” explains Marc Rivero, senior security researcher on Kaspersky's GReAT team.
The computer security firm monitored more than 5,307 phishing (identity theft) pages for a month to draw a portrait of the life cycle of these portals. After 24 hours, 1,784 had already ceased to exist. A month later, only 28% remained. Who kills the scam pages? According to Rivero, in most cases they are taken down preventively by their own creators: “The tactic used now is to carry out very short-term but very effective campaigns at the level of social engineering, with well-marked messages and with a lot of credibility, and as soon as they can, they deactivate the structure. With this they achieve that when a researcher prepares to report them and provides evidence of what was in that domain, the one who hosts the content does not find anything.” Those who use this technique can also activate and deactivate the pages at their convenience.
To extract this information, the researchers first collected fraudulent pages. They then implemented an analysis program that checked their links every two hours and saved the response obtained. The previously stored content was then compared with what was obtained on the new visit to detect variations in the headers or in the size of the site. “This information helps us to understand their tactics, techniques and procedures. Changing a domain and IP is easy, but changing the way you behave is not so easy. If we manage to make a profile of the attackers, we can anticipate their steps because we already know them,” explains Rivero.
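As an added illustration of the polling and snapshot comparison described above (example code written for this article, not Kaspersky's tool; the fetch contract, the set of tracked headers and the sample responses are assumptions), the following monitor records status, selected headers, body size and a body hash per poll and classifies what changed between visits, including a page going down or coming back:

```python
import hashlib
# Hypothetical fetch contract: (status, headers, body) when the host answers, None when
# it does not (NXDOMAIN, connection refused, timeout), i.e. the page has ceased to exist.
# Headers worth diffing; Date, Set-Cookie and the like vary per request and only add noise.
TRACKED_HEADERS = ("server", "content-type", "location", "x-powered-by")

def take_snapshot(result):
    """Reduce one response to the fields worth comparing; None means no response."""
    if result is None:
        return None
    status, headers, body = result
    tracked = {k.lower(): v for k, v in headers.items() if k.lower() in TRACKED_HEADERS}
    return {"status": status, "headers": tracked, "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest()}

def diff(old, new):
    """Classify what changed for one URL between two consecutive polls."""
    if old is None and new is None:
        return ["still-down"]
    if old is None:
        return ["back-up"]   # operators can re-activate a lure at their convenience
    if new is None:
        return ["down"]      # deactivated by the operator or removed by the host
    changes = [f"{k}-changed" for k in ("status", "headers", "size") if old[k] != new[k]]
    if "size-changed" not in changes and old["sha256"] != new["sha256"]:
        changes.append("body-changed-same-size")   # size alone would miss this edit
    return changes or ["unchanged"]

class Monitor:
    """Keeps the last snapshot per URL; a scheduler (e.g. cron every two hours) calls poll()."""
    def __init__(self, fetch):
        self.fetch, self.last = fetch, {}
    def poll(self, url):
        new = take_snapshot(self.fetch(url))
        if url in self.last:
            events = diff(self.last[url], new)
        else:
            events = ["first-seen"] if new else ["down"]
        self.last[url] = new
        return events

# Constructed sample, not real data: a lure that is live twice (the second time with a
# refreshed payload), then deactivated by its operator before the next poll.
SAMPLE = {"http://lure.example.invalid/login": [
    (200, {"Server": "nginx", "Content-Type": "text/html", "Date": "Mon"}, b"<html>season 1</html>"),
    (200, {"Server": "nginx", "Content-Type": "text/html", "Date": "Tue"}, b"<html>season 12</html>"),
    None]}

def run_sample():
    script = {u: list(v) for u, v in SAMPLE.items()}
    mon = Monitor(lambda url: script[url].pop(0))   # stand-in for a real HTTP client
    return [mon.poll(u) for u in SAMPLE for _ in range(3)]
```

Persisting `mon.last` between runs (a JSON file or database keyed by URL) turns the in-memory state into the stored content the researchers compared across visits.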
Are the longest-lived pages the most successful? Not necessarily, Rivero explains, but what this does demonstrate is the strength of the industry that has flourished around these practices. “There are times when cybercriminals agree to post content on servers that offer what is called bulletproof hosting,” he says. The companies that offer these services locate their servers in jurisdictions where there is no legal obligation to take down content reported as a fraudulent page. “They guarantee whoever hosts the content there that they will totally ignore requests from the security forces to block that content. These campaigns can last for years because it is very difficult to knock them down.” What can happen, for example, is that these cases are reported to internet service providers, which then take charge of cutting off access, or that the reputation systems of the installed antivirus software warn the user.
Resistance to change
From this review of the life and death of the pages created to impersonate other entities, more than just their short existence is revealed. None of the more than 5,000 portals analyzed by Kaspersky changed the organization it was posing as. According to the researchers, this strange fidelity responds to practical reasons: if you have registered the address amaz0n.xyz to impersonate the e-commerce giant, it does not make sense that from one day to the next the same link leads to a bank page. It is best to leave the existing domain and start from scratch with a new one.
This reluctance to change can also be seen in the content: only 1.15% of the monitored pages made any changes. Among those that did, the sites disguised as prize pages for the video game PlayerUnknown's Battlegrounds, better known as PUBG, stand out. With each new season of this title, new items and mechanics are released that enrich the game and that are given away within the platform. Cybercriminals interested in stealing and reselling these accounts reinforce the credibility of their claims by periodically updating the gifted items to coincide with the current seasons.
Other sites that strive to keep up to date, and demonstrate this by sporadically modifying their content, are those that pose as dating sites or email platforms. “Years ago the pages were poor, with grammatical mistakes. Now everything is industrialized to the point that it is very easy to do phishing. Without exaggeration, in 20 or 30 minutes you can have everything ready,” explains the Kaspersky expert.