Phishing banner
Risk & Fraud

Phishing-as-a-Service

By: Gene Fredriksen, Security Strategy Consultant

Historically, becoming a successful hacker had barriers to entry, which for many years helped in the battle against cyber attackers. Not only would hackers need the knowledge and abilities to design their attacks from scratch, they would also have to make substantial investments in computers and equipment to carry out their attacks. Those factors used to be a deterrent and helped limit the number of bad actors out there.

However, we are now seeing a disturbing trend where hackers offer their services or sell their tools. Of all the “hacker-as-a-service” offerings, one of the most critical is “Phishing-as-a-Service.” With just a credit card or cryptocurrency, now anyone can commit a cybercrime; all they need to know is where to look and decide how much they want to pay.

What is PhaaS?

Phishing-as-a-Service, or PhaaS, is a business where knowledgeable hackers charge a fee for access to the resources and know-how needed to launch a successful phishing assault. Because they are only selling software and not attacking anyone themselves, they are living in a gray area of legality.

Cybercriminals use dark web forums to sell “phishing kits,” toolkits that contain all the components needed to launch an email assault, including curated databases of targets and branded email templates. Some vendors are more specialized, offering to consult about how to build compelling attacks. They may also provide the back-end code required to construct fake websites that imitate well-known vendor sites to gather credentials.

PhaaS is becoming popular because it gives its customers simple access to sophisticated phishing attacks. It also provides hackers another revenue stream with substantially less risk of arrest. Additionally, their customers don’t need much money, since kit prices start around $40. Some merchants have even started promoting their phishing kits on the open internet, making them available to anyone who doesn’t know how to reach the dark web.

The Danger of PhaaS 

Many organizations face challenges because of the growth of PhaaS. Phishing is already a significant security risk. Research from IBM in 2021 confirmed a two percentage-point rise in phishing attacks between 2019 and 2020, partly driven by COVID-19 and supply chain uncertainty. CISCO’s 2021 Cybersecurity Threat Trends report suggests that at least one person clicked a phishing link in around 86% of organizations. CISCO’s data suggests that phishing accounts for around 90% of data breaches. The issue will only worsen when phishing kits become commodities.

By decreasing the entrance hurdles, PhaaS has inspired a new generation of cybercriminals to try their hand at phishing, and the return on investment for them is enormous. PhaaS has increased the profitability of phishing because it saves time for hackers who would otherwise have to create fake websites or emails to gather login passwords and payment information. To launch an attack, all they have to do is download a kit from a PhaaS vendor and follow the instructions. Attack ideas are formed and fulfilled quickly.

How Can Organizations Defend Against PhaaS?

As long as PhaaS is profitable, it will grow in popularity. While there is not much we can do to shut down the market sites, we can take precautions to better defend ourselves against the volume and sophistication of assaults created by PhaaS.

Security awareness training is critical to assist staff in identifying phishing emails. Work in tandem with employees to raise awareness and aid them in spotting the telltale indicators of phishing. This will enhance employees’ resistance to attacks. Proper cybersecurity solutions can detect the most sophisticated attacks, and, when coupled with existing security training programs, can help ensure that employees are the first line of defense for the company against this upcoming wave of PhaaS hackers. Having educated users, up-to-date technology and appropriate policies and procedures will help organizations defend against these increasingly sophisticated phishing assaults.

Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT CUSO. He has previously held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.

Fredriksen served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.