This is right on the cusp of what I think is worth talking about, since the volume is so low. It's not particularly interesting that Nordea.se was phished (article in Swedish). The interesting part is that a relatively small market segment is being attacked. This is common behavior for phishers, but in this case I think it's more interesting than most for a couple of reasons: the bank is small compared to the banks that are usually targeted, and its customers are non-English speaking.
Nordea.se is what I like to call a phishing probe. Phishers often go after smaller regional banks to see if they can get a spike in returns. They either buy spam lists of that bank's users or find other ways to reach a more targeted demographic, but in the end the attack itself is the same. Phishers like to try these things because an attempt costs them next to nothing, and the return on investment can be huge.
The economics are pretty simple. Let's say 100,000 emails are sent. A reasonably targeted list might cost anywhere from $100 to $1,000. It may cost $100 to get someone to break into a server for you and throw up your PHP kit, which you probably already have if you are a regular phisher. It might cost several hundred dollars for the card blanks and the card writer for making fake cards, but that's a one-time cost. Setting up the email drop that collects the passwords is free. So once a card number has been stolen, what can you get for it?
Typically you can only pull out about $300 per card; trying more than once is dangerous. But it's not unusual for phishers to sell the numbers after they've used them, and they can get up to $75 for a card number with PIN. That's a maximum of $375 per victim if they do all the work themselves. At a 0.1% response rate on 100,000 emails, that's 100 victims: $375 x 100 = $37,500. After subtracting expenses you're still well above $30,000 for a single haul. That's not bad for someone who is probably living in a country where that is far higher than the average annual income.
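To make the break-even point explicit, here is a small model of the campaign economics above. This is an added example, not code from the original post or from any phishing kit; every figure is either a rough number from the text or an assumption marked as such in the comments (the $300 card setup and the $1,000 list price are the upper ends of the ranges given). It shows something the paragraph only implies: with a $375 take per victim, the campaign covers its costs after a handful of responses, so the response rate needed to turn a profit is a few thousandths of a percent.

```python
# Added example (not from the original post): a toy model of phishing
# campaign economics. The numbers are the post's rough estimates or
# labelled assumptions; they are illustrative, not measured data.

import math
from dataclasses import dataclass


@dataclass
class Campaign:
    emails_sent: int = 100_000        # size of the spam run (from the post)
    list_cost: float = 1_000.0        # targeted list, upper end of $100-$1,000
    server_cost: float = 100.0        # paying someone to plant the PHP kit
    card_setup_cost: float = 300.0    # blanks + writer; assumed "several hundred"
    cashout_per_card: float = 300.0   # one ATM withdrawal per card (from the post)
    resale_per_card: float = 75.0     # selling number + PIN afterwards (from the post)

    def fixed_costs(self) -> float:
        """Everything spent before the first victim replies."""
        return self.list_cost + self.server_cost + self.card_setup_cost

    def revenue_per_victim(self) -> float:
        """One withdrawal plus resale of the used card number."""
        return self.cashout_per_card + self.resale_per_card

    def victims(self, yield_rate: float) -> int:
        """Whole number of recipients who hand over credentials."""
        return round(self.emails_sent * yield_rate)

    def profit(self, yield_rate: float) -> float:
        """Net take for one run at the given response rate."""
        return self.victims(yield_rate) * self.revenue_per_victim() - self.fixed_costs()

    def breakeven_victims(self) -> int:
        """Smallest number of victims whose take covers the fixed costs."""
        return math.ceil(self.fixed_costs() / self.revenue_per_victim())

    def breakeven_yield(self) -> float:
        """Response rate at which the run stops losing money."""
        return self.breakeven_victims() / self.emails_sent


def profit_table(campaign: Campaign, yields) -> dict:
    """Map each candidate response rate to (victims, profit)."""
    return {y: (campaign.victims(y), campaign.profit(y)) for y in yields}


if __name__ == "__main__":
    c = Campaign()
    print(f"fixed costs: ${c.fixed_costs():,.0f}")
    print(f"break-even: {c.breakeven_victims()} victims "
          f"({c.breakeven_yield():.4%} of {c.emails_sent:,} emails)")
    for y, (n, p) in profit_table(c, [0.00001, 0.0001, 0.001, 0.01]).items():
        print(f"yield {y:.3%}: {n:>5} victims -> profit ${p:,.0f}")
```

Run it as-is and the 0.1% row reproduces the $37,500 gross and roughly $36,000 net from the text; the break-even row is what matters for the "probe" argument, since it means a phisher can afford to be wrong about a small bank many times over before the experiment costs them anything meaningful.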
Even though Nordea.se is a small bank by comparison, the yield is still high enough to make the economics work. These probing techniques are worthwhile not just as experiments: even when the yield is remarkably low (0.1% of recipients really is not much), the potential revenue is dramatic.