Phishing is a bigger threat than ever before, with millions of emails sent out every year, thanks in part to the rise of phishing as a service (PaaS). In this blog post, we'll look at what phishing as a service is and how you can protect yourself and your business from phishing attacks.
What is phishing?
Phishing is an effective way to get people to reveal private information. Hackers send an email, text message or social media message where the purported sender appears to be from a legitimate source, such as a bank. The victim clicks on a malicious link in the message, tries to log into an account on a fake website, and their login details are then stolen.
Clicking on a link can also cause the recipient to unknowingly download malware that takes over computers and mobile devices.
Scammers typically go after personal data such as social security numbers, account details, passwords, contact details, etc.
Phishing incorporates social engineering techniques, such as those used in spear phishing aimed at specific individuals, which is one reason why so many people continue to fall for it even though awareness of phishing has increased.
The success of a phishing campaign depends on how realistic it is. This requires a skill set that many cyber criminals do not have and used to be a significant barrier to creating convincing phishing messages. But phishing as a service has changed that.
What is phishing as a service?
Phishing as a service (PaaS) is part of a trend where cyber criminals use their technical skills to become service providers. Instead of carrying out cyber attacks on their own, they help others to carry out attacks in return for payment.
This model is based on the software as a service business model, where customers get access to software for a monthly fee. This trend has also spawned ransomware as a service (RaaS).
This gives cybercriminals a new revenue stream and allows people to carry out more professional attacks even though they have no special technical skills themselves.
PaaS vendors advertise their products as phishing kits. They are mainly sold on the dark web, but some phishing kits are now available on the surface web (i.e. the general internet).
Professional fake emails with phishing kits
A phishing kit contains everything needed to launch a successful phishing attack. They include email templates to send emails that appear to come from legitimate companies, as well as templates for the fake websites that victims are sent to. Some phishing kits also include lists of potential targets, such as large companies with sensitive data.
Because phishing kits target people without special technical skills or knowledge, they also often contain detailed instructions and customer support.
Phishing kits are sold and advertised as products that allow anyone to make money by carrying out phishing attacks, regardless of their skills. This is a popular service for those who want to get involved in cybercrime but lack the necessary knowledge or experience.
What is the stolen personal information used for?
After a victim's information has been stolen, hackers have a number of options for what to do with that information. They can choose to use the information themselves, depending on the type of information involved.
If it is information for a financial account, they can try to steal money by transferring money to themselves. Or if it's login details for a network, they can use that access to launch a ransomware attack.
Personal information can also be resold on the dark web, which lets many other cyber criminals exploit the stolen information.
Some phishing kits are also designed to keep a copy of the information that is collected and send it to the hackers behind the phishing kit. This provides an additional potential revenue stream for the creator of the phishing kit. It also means that credentials often end up resold on the dark web, even if the person who stole them did not resell them.
Phishing as a service creates more opportunities
PaaS is a major problem because it removes the technical barrier to the execution of phishing. Normally, a cybercriminal needs to understand HTML to create an effective and realistic phishing email.
They also need to understand how to build a website that both looks realistic and can gather information and pass it on to the cybercriminal. If someone buys a phishing kit, they need none of those skills to carry out a successful attack.
Phishing as a service also makes the people who are already carrying out spear phishing attacks more successful. The success of a campaign is often limited by the ability of the perpetrators; if that person pays for a good phishing kit, more people are likely to fall for their attack.
Phishing as a service makes identifying hackers harder
PaaS allows hackers who are good at designing phishing kits to make money without carrying out phishing attacks themselves. If the person using a phishing kit is caught, the person who supplied the kit will likely avoid prosecution, both because they were not directly involved in the attack and because they can sell their kits anonymously and get paid in cryptocurrency, which is very difficult to trace. They can then continue to sell their kits to others.
Who gets hit by a phishing email?
Phishing attacks are carried out against both businesses and individuals. If the target is an individual, their login details for financial and personal accounts may be stolen.
A successful phishing attack against a business can be the start of other cyber attacks. If the hacker steals the login details of a network, customers' private and sensitive information may be stolen or ransomware may be installed.
How to prevent phishing attacks
Although PaaS makes phishing attacks harder to detect as they are more sophisticated, you can still protect yourself from phishing if you pay attention to a number of things.
Check the sender
Phishing emails try to impersonate a legitimate sender, but there will always be slight differences from the real email address. The sender may use email spoofing to appear legitimate, but minor variations such as typos cannot be avoided. Therefore, always check the actual email address in the email, not just the displayed name.
Check formatting errors
PaaS products often include very realistic email templates, but they never quite match the professionalism or formatting of the real thing. Look for errors in the formatting, logos and language of the email or SMS.
Do not click on links or download attachments
No matter who a sender is, always be careful with links in emails. Hover over the link to see the full URL. You should never download an attachment in an email unless you are sure what it contains and who the sender is.
Be aware of the call to action
Almost all phishing emails ask you to do something. You should be suspicious of any email that asks you to provide information or log into an account. Often the emails also contain time pressure to get you to act immediately.
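The three checks above (sender address, link destination, and an urgent call to action) can be run automatically over a message. The script below is an added example and is not code from the original post or from Moxso; the message it inspects is constructed for the example, and the trusted-domain list and the lookalike hosts are assumptions.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): the display name claims to be
# the bank, the address domain is a lookalike, and the visible link text hides
# a different destination.
SAMPLE_EML = b"""From: Example Bank Security <alerts@examp1e-bank.com>
To: customer@example.org
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you verify it immediately.</p>
<p><a href="http://examp1e-bank.com.login-verify.net/x">https://www.example-bank.com/login</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"example-bank.com"}  # assumed list of the real sender domains
URGENCY = re.compile(r"\b(immediately|within \d+ hours?|suspended|verify)\b", re.I)


def registrable(host):
    """Crude 'last two labels' of a hostname; enough for this example."""
    return ".".join(host.lower().split(".")[-2:])


def analyse(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # 1. Check the sender: the real address domain, not the display name.
    sender_domain = msg["From"].addresses[0].domain.lower()
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain not trusted: {sender_domain}")
    # 2. Check links: visible text that looks like a URL must match the href host.
    html = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(f"link text {text_host} hides destination {href_host}")
    # 3. Check the call to action: urgency wording in the subject or body.
    if URGENCY.search(msg["Subject"] + " " + re.sub(r"<[^>]+>", " ", html)):
        findings.append("urgent call to action present")
    return findings
```

Run `analyse(SAMPLE_EML)` to see all three findings; a routine statement notification from the trusted domain with a matching link produces none.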
Businesses need to train their employees
Phishing attacks against businesses are mainly targeted at employees, as they typically receive many emails during a working day and there is not always time to check the emails. To reduce the risk of an employee interacting with a phishing email, all employees need to be trained in IT security with awareness training.
Use anti-phishing software
Software is widely available to detect phishing emails and prevent them from reaching employees' inboxes. Although not an adequate substitute for employee training, such software reduces the threat faced by employees by blocking a proportion of scam emails and spam.
PaaS is a major threat to all
Phishing is a significant threat to both individuals and businesses. It leads to hacking and identity theft for individuals and to network intrusions at companies. PaaS amplifies this threat by giving criminals the ability to carry out these damaging attacks regardless of their skill.
The proliferation of phishing as a service not only increases the number of phishing campaigns, but also makes each attack potentially more effective. Although fake emails can often be identified, criminals using a well-developed phishing kit may be able to steal far more personal and confidential information.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.