I’ve investigated a metric fuckload of these cases at work.
Usually, the emails are from public leaks. So, free email list.
The hosting? More often than not, we find phishing panels on hacked web servers exploited through vulnerable Wordpress plugins or whatnot. So the servers are free.
Sending the emails? Usually a shitty PHP bulk mailer uploaded to the same compromised server as the phishing kit.
The effort on a lot of this is incredibly low, the cost is “time”, etc. public mail lists, infra compromised using public exploits, etc.
Usually, the emails are from public leaks. So, free email list.
The hosting? More often than not, we find phishing panels on hacked web servers exploited through vulnerable Wordpress plugins or whatnot. So the servers are free.
Sending the emails? Usually a shitty PHP bulk mailer uploaded to the same compromised server as the phishing kit.
The effort on a lot of this is incredibly low, the cost is “time”, etc. public mail lists, infra compromised using public exploits, etc.