Recorded Future analyzed current data from the Recorded Future® Platform, information security reporting, and other open source intelligence (OSINT) sources pertaining to phishing and spamming that facilitate threat actor campaigns. This report expands upon findings addressed in the report “Combating the Underground Economy’s Automation Revolution”, and will be of most interest to network defenders, security researchers, and executives charged with risk management and mitigation.

Executive Summary

In our March 2020 report “Combating the Underground Economy’s Automation Revolution”, we identified automated services and products that facilitate criminal activities. Phishing and spamming are attack vectors that often operate in tandem by bypassing network security settings, maintaining presence on targeted machines and networks, and extracting credentials for nefarious activities. This report dives further into phishing and spamming, identifying customized phishing and spamming kits and services within select dark web forums and analyzing widely used variants, and providing mitigation strategies to identify and deter phishing and spamming products attempting to intrude into your network.

Key Judgments

• Developers of phishing and spamming tools are creating kits and offering services that are customizable, automated, and designed to be user friendly to cater to non-technical and amateur users.
• Threat actors are using phishing and spamming services to bypass network security settings with the intent of deploying malware.
• Threat actors are discussing specific phishing and spamming variants on different forums, with “Multithread WebMailer GoMAIL Pro Edition” and “uPanel” being widely advertised and discussed.
• Spamming and phishing as a service (PhaaS) are popular topics of discussion between threat actors on forums. Some commonly discussed tools include Evilginx and MoneySpamBot.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.