Blog

The Economy Behind Phishing Websites Creation

The main aim of this research is to understand and describe the eco-systems of fake websites developers and designers, and the basic economy behind creation of fake websites that impersonate legitimate websites of banks, credit cards companies and corporations. Mostly, the aim of those fake websites is stealing credential (banking or corporate) or credit cards information.

As part of this research we checked dozens of popular Russian and English-speaking underground boards and forums, looking for vendors’ topics that provide services of fake webpages creation.  On the second stage, when it was available, we conducted HUMINT operation and made a direct contact with those cybercrime vendors of fake sites via instant messaging (mostly jabber) to get deeper understanding of their skills, works and pricing.

Totally, we have checked about 15 different phishing vendors, when the main criteria were the skills of the vendor, the prices and how he makes the fake site.

We have checked a price for two main types of fake sites:

  1. Banking login page that is similar to real one – when the aim is to steal the login and the password to banking account.
  2. Second stage to the banking login page in order to steal additional information – page that do not exist in real bank website and asks the user to enter their credit cards number, expiration date and CVV number.

In addition, we have checked whether the vendors are just duplicating the original website, or developing it from scratch/partially.

Why does it matter? – Because mostly the duplicated websites are being exposed and taken down quicker, and as one vendors (Vendor9) told us – duplicated websites, in many cases are being blocked by Chrome/Safari:

Some of the vendors (like Vendor5), also add some kinds of filters to prolong the time of the fake website till it is being exposed:

We have seen that some of the vendors, mostly the more qualified ones are aware of those issues and mention it in the conversation, while the lower quality “developers”, or in other words the script kiddies who try to earn money don’t even understand what is the difference between just duplicate a website and develop a fake from scratch. To note, that some of the vendors, duplicate the website and make basic “cleaning” i.e. basic changes in HTML and content.

Below is a table that summarizes the key points of the research (to note that in the public version of this report we censored the nicknames of the vendors. This is done for the purpose of not promoting them):

 

We can see that there are two different types of professionals who are required to fake websites creation: the developers and the designers. Some of the fake websites service providers, who are developers, work with 3rd party designers when a design / change in the websites is required. We can see it from our conversation with one of the vendors named “Vendor2”:

From pricing point of view, the average price for banking login page is about 60$, when the pricing is mostly divided into two groups, those who just duplicate the original site mostly price it at about 20-30$ and those who develop the fake website from scratch price it at 50$ or more, when some of the vendors ask about 150-200$ for their work.

When we asked for pricing for additional page that not exist at real websites, for grabbing and stealing credit cards data, in some cases the price was significantly raised because this additional page required some development and design work, and not just duplicating existing page.

Some of the fake sites vendors, also develop different tools and panels that allow them to collect in a proper and comfortable way the stolen credentials and offering it for additional payment to fake websites buyers.

One of the additional services that some vendors offer is control panels that allow collecting all the required data and log in convenient manner.

One panel is introduced and beign sold by “Vendor3”:

Another one is built and developed by “Vendor5”:

Most of the vendors, work very hard to promote their services, constantly pump up their topics in different forums, and although the basic pricing of most of them is relatively low, in order to gain proper reputation, they offer various kinds of actions and discount.

For example, one of the young leading vendors of the last year, “Vendor1”, offered free creation of fake websites for TLD .de for limited time:

This quotation, as well as most of the quotations, and conversations with the vendors, was originally in Russian, and were translated, edited and redacted when it was necessary, while we tried to keep the essence of the chat and the language level as near to the original as it was possible.

In terms of time, there are vendors who are ready to conduct their work in timeframe of ten minutes or within an hour, but there are vendors who ask for several days.

Some of the vendors also publish colorful advertisements:

       

 

As they are acting as service providers, most of the vendors are very polity and patient to answer any questions that potential clients have (even too polite):


One of the vendors we had a conversation with, mentioned also some interesting points about creating good banking fakes:

In this research, we present in depth the vendors, their modus operandi and pricing and examples of their previously done works.

Read the full report:  The Economy behind Phishing Websites Creation

For full, uncensored version of report – email info@clearskysec.com