Cybercrime, while lucrative, has barriers to entry. Historically, to become a successful hacker, you had to have the knowledge and skills to create your own attacks from scratch. However, all that has changed with the proliferation of the underground market for phishing-as-a-service. Now, anyone can become a cybercriminal at the click of a mouse – all they need to know is where to look and what they want to pay.
What is phishing-as-a-service?
Phishing-as-a-service, or PhaaS, is a black-market industry where skilled cybercriminals sell access to the tools and knowledge required to carry out a phishing attack using a software-as-a-service style model.
Cybercriminal ‘vendors’ use dark web forums to advertise and sell ‘phishing kits’, toolkits that include everything needed to carry out an email attack, including curated databases of targets and branded email templates. Some vendors are more specialised – for example, offering access to collated open-source intelligence (OSINT) to enable cybercriminals to create highly convincing attacks, or the back-end code needed to create fraudulent webpages that mimic well-known brands to harvest credentials.
PhaaS is growing in popularity: for vendors, it’s a way to make money from their phishing skills with less risk of being caught, and for their customers, it’s a quick and easy way to pull off a professional-level phishing attack. It’s become a highly commercialized dark web industry, with recent research published by Egress observing vendors offering polished platforms that make it simple to build a campaign of malicious emails.
And cybercriminals don’t need to be flush with cash to get started. The research found that kits are listed for as little as $40. Some vendors were even observed offering Black Friday discounts to drum up business.
By making these tools readily available, PhaaS has significantly lowered the technical and financial barriers to entry to cybercrime, opening the floodgates for inexperienced hackers to begin launching their own attacks. Even more worryingly, the research published by Egress also found that some vendors have begun to advertise their phishing kits on the clear web, making them accessible even to those who don’t know how or have the means to access the dark web.
All of this makes it easier for cybercriminals to infiltrate your organization.
Why is PhaaS a problem?
The proliferation of PhaaS spells trouble for many organizations. Phishing is already a major security threat – research by Egress found that 73% of organizations have been the victims of successful phishing attacks in the last year. The commodification of phishing kits will only make the problem worse.
By lowering the barriers to entry, PhaaS has encouraged a new generation of cybercriminals to try their hand at phishing – and the return on investment for them is significant. PhaaS has made phishing more profitable – cybercriminals no longer need to spend time building their own email templates or false websites to scrape credentials or payment information. All they need to do is download a kit from a PhaaS vendor and follow the instructions to launch their attack. The time between ideation of attack and ‘fulfilment’ is minimal.
PhaaS also means that existing individual cybercriminals can easily ramp up the frequency of their attacks.
How can organizations protect themselves?
There’s little that individual organizations can do about the PhaaS industry itself – it will continue to increase in popularity as long as it remains profitable. However, organizations can take steps to better protect themselves from the increased volume, and sophistication, of the attacks produced using PhaaS.
While many organizations have invested in security awareness training to help their employees spot malicious emails, training alone can only go so far in solving the problem. Organizations also need to invest in intelligent technology to win the battle against sophisticated phishing attacks. Solutions that use a zero-trust approach, combined with machine learning and natural language processing (NLP) technologies, can detect even the most advanced attacks.
Intelligent technology can also be used to enhance existing security training programs, partnering with users to improve employee awareness and help them to identify the signs of a phishing attack. Using these real-time teachable moments, technology can ensure that employees are the organization’s first line of defence against the next generation of cybercriminals.