Security journalist Brian Krebs has an interesting post unpacking who uses phishing (a combination of exploiting flaws and rudimentary social engineering) and the economies of scale involved. His main example is a single person.
“This guy was setting up two to three new phishing sites each day,” PhishLabs founder and president John LaCour said. “If you accept conservative estimates, that this guy is stealing about 10 [sets of] banking credentials per phish, and that conservatively each of these stolen credentials causes $500 in losses, we’re talking about more than $4 million a year he’s probably making.”
The amount of detail collected on this phisher is highly informative. PhishLabs was able to chart his workload throughout the day. Their conclusion? The curve drawn from that information looks like what you would expect from anyone working a day job.
It was a pretty clever bit of counter-hacking and investigative work that netted these findings for PhishLabs. As Krebs concludes, however, this one phisher may as well be bait. Another study he mentions, published by the Anti-Phishing Working Group, suggests the vast majority of phishing attacks are perpetrated by a single criminal gang.