Cybersecurity has always been a matter of concern for organizations and individuals alike. However, the cyber threat landscape is now growing faster than ever, primarily because cybercrime has been commercialized.
Long gone are the days when hacking and cybercrime were limited to a skilled few, which kept the number of attacks occurring each day in check. In the modern threat landscape, hackers and cybercriminals rent out cybercrime services in exchange for money.
The commercialization of cybercrime is not new: it first appeared with ransomware-as-a-service. Its latest form, phishing-as-a-service, makes the threat landscape a considerably more dangerous place.
What is Phishing-as-a-service?
As its name suggests, Phishing-as-a-Service (PhaaS) is a thriving black-market industry in which cybercriminals sell the services, tools, skills, and techniques needed to carry out phishing attacks. It mirrors the software-as-a-service (SaaS) model that has reshaped how legitimate businesses consume software.
In the SaaS model, companies rely on third-party vendors rather than building everything themselves. Likewise, in PhaaS, experienced cybercrime "vendors" set up stalls on dark web marketplaces and forums, selling the essentials of a phishing campaign, such as:
- Phishing toolkits: complete kits bundling the information and tools needed to run a successful small-scale phishing campaign.
- Phishing email guides: guides that help a buyer write a relevant and convincing phishing email.
- Databases of targets: compiled lists of targets, typically customers or employees of well-known brands, against whom a campaign impersonating that brand can be launched.
- Email templates of various organizations: templates that mimic a real organization's mail so the phishing email looks convincing.
- Back-end code: the server-side code that serves as the building block of a seemingly legitimate phishing website, typically a clone of the impersonated brand's login page that captures whatever the victim submits.
What is on offer depends on the vendor's expertise and how much the buyer is willing to spend. Several PhaaS vendors also sell collated open-source intelligence (OSINT) about targets, which lets buyers craft convincing, personalized lures, as well as back-end code for fraudulent but legitimate-looking web pages of well-reputed brands.
How is PhaaS a concern?
Phishing has long been a concern for organizations and individuals alike. Because these attacks are designed to manipulate people rather than technology, they succeed at a high rate; industry reports routinely attribute the large majority of data breaches (figures as high as 90% are commonly quoted) to an initial phishing email.
Commercializing such a successful attack as a service is therefore a serious concern, especially since, by most accounts, the model is gaining popularity fast. As PhaaS grows, the main problems organizations and security professionals have to deal with are:
1. Likely increase in phishing attacks.
The mass availability of phishing as a service has very likely increased the number of phishing attacks taking place. The service is exceedingly popular on the dark web, and basic phishing kits sell for as little as $40. There are also monthly subscriptions for premium services, priced around $499 upfront plus a $199 monthly fee.
Such subscriptions give buyers access to more than 20 pre-loaded phishing kits targeting various organizations and financial institutions. Just as SaaS lets organizations consume a service without developing the software themselves, PhaaS lets cybercriminals launch more phishing attacks in a given period without needing much skill. In short, where it previously might have taken one cybercriminal ten days to launch an attack, PhaaS could allow ten cybercriminals to each launch one in a day.
2. Cybercrime available for the masses
Commercializing anything begins with the motive of spreading a product or service to the masses. With PhaaS, phishing is now available to many people online who were otherwise incapable of launching such attacks.
Moreover, because professionals design these kits, the resulting attacks are far more sophisticated than anything an amateur could build alone. PhaaS gives anyone with malicious intent the means to act on it, including disgruntled ex-employees, former business partners, or a competitor.
3. Phishing attacks are becoming dangerously sophisticated.
PhaaS offerings enjoy mass popularity on dark web marketplaces, and many amateur cybercriminals have flocked there to buy them, mainly because the kits let them launch attacks that were otherwise beyond their skill set. Commercialization also breeds competition between vendors. In a legitimate market that competition might be healthy; here it has dire consequences.
Vendors competing for sales invest in more sophisticated kits and techniques, and the resulting attacks grow correspondingly complex. Where crudely built phishing attacks could previously be spotted and mitigated with relative ease, this sophistication makes them much harder to identify and defend against. As PhaaS gains popularity, the competition among vendors is only likely to intensify, with each trying to outdo the other for sales.
How can organizations defend themselves?
Because phishing attacks rely on manipulating people, awareness remains the first line of defense. It is now more crucial than ever for organizations to educate employees about phishing, with proper training on how to recognize suspicious messages and report them rather than act on them.
Organizations also need to prepare for the worst case, assuming that phishing attacks will keep getting more sophisticated. That means building a proactive incident response plan, with a rehearsed playbook for a compromised account (password reset, session revocation, review of mailbox forwarding rules), so that falling victim to a phishing attack does not escalate into severe damage.
Another way organizations can protect themselves is through threat hunting and vulnerability assessment. Threat hunting gives an organization a clear picture of what these phishing kits are capable of (for example, which brands and login pages they impersonate and what lookalike domains they send from), allowing it to build appropriate detections and controls.
Moreover, since a phishing attack ultimately succeeds by exploiting weaknesses in an organization's security posture, regular vulnerability scanning improves security. The sooner an organization becomes aware of its weaknesses and fixes them, the better its chances of remaining secure. The same logic applies to the controls a phishing kit is built to get past: phishing-resistant multi-factor authentication and sender authentication (SPF, DKIM, and DMARC) blunt stolen credentials and spoofed mail even when a user is fooled.
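One concrete output of the threat hunting described above is a list of the lookalike sender domains that purchased phishing kits use against your brand. The following is an added example (not code from the original article or from any PhaaS vendor) showing how a hunting script can score sender domains in a mail log against a set of protected brand domains, catching homoglyph substitutions (rn for m, 1 for l), one-character typosquats, and the brand name buried inside an unrelated registrable domain. The brand domains (acmebank.com, northwindmail.com), the log line format and the log lines themselves are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical brands this organization wants to protect (constructed for the example).
PROTECTED_DOMAINS = {"acmebank.com", "northwindmail.com"}

# Character substitutions commonly seen in lookalike domains; multi-character ones first
# so that "rn" becomes "m" before "1" becomes "l", etc.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]

# Constructed sample mail log (not real traffic): one delivery per line.
SAMPLE_LOG = """\
2024-05-02T09:14:01Z mta1 from=<billing@mail.acmebank.com> to=<a.user@corp.example> subject="Your statement"
2024-05-02T09:15:22Z mta1 from=<alerts@acrnebank.com> to=<a.user@corp.example> subject="Unusual sign-in"
2024-05-02T09:16:05Z mta1 from=<security@acmebanks.com> to=<b.user@corp.example> subject="Password expires today"
2024-05-02T09:17:40Z mta1 from=<noreply@acmebank.com.verify-login.net> to=<c.user@corp.example> subject="Verify account"
2024-05-02T09:18:13Z mta1 from=<news@weekly-digest.example> to=<a.user@corp.example> subject="Newsletter"
2024-05-02T09:19:55Z mta1 from=<helpdesk@northwindmai1.com> to=<b.user@corp.example> subject="Mailbox full"
"""

FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def normalize_label(text: str) -> str:
    """Lower-case, drop hyphens and fold common homoglyphs so 'acrne-bank' -> 'acmebank'."""
    s = text.lower().replace("-", "")
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction (last two labels).

    A production hunt should use the Public Suffix List so that names such as
    'foo.co.uk' are split correctly; two labels is enough for this example.
    """
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str) -> Optional[str]:
    """Return why `host` looks like an impersonation of a protected brand, or None."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return None  # genuine brand domain (or a subdomain of it)
    norm_sld = normalize_label(reg.split(".")[0])
    norm_host = normalize_label(host)  # dots kept, hyphens removed, homoglyphs folded
    for brand in sorted(PROTECTED_DOMAINS):
        brand_sld = brand.split(".")[0]
        if norm_sld == brand_sld:
            return f"homoglyph/typosquat of {brand}"
        if len(brand_sld) >= 6 and levenshtein(norm_sld, brand_sld) <= 1:
            return f"one edit away from {brand}"
        if brand_sld in norm_host:
            return f"brand name '{brand_sld}' embedded in foreign domain"
    return None


def scan_mail_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (sender_domain, reason) for every line whose sender domain looks like an impersonation."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        domain = m.group(1)
        reason = lookalike_reason(domain)
        if reason:
            hits.append((domain, reason))
    return hits


if __name__ == "__main__":
    for domain, reason in scan_mail_log(SAMPLE_LOG):
        print(f"{domain:35} {reason}")
```

Run against the constructed log, the script flags four of the six senders and leaves the genuine mail.acmebank.com and the unrelated newsletter domain alone. The homoglyph table and the two-label registrable-domain heuristic are deliberately simple; tune them to the brands you protect and expect some false positives on long, hyphenated legitimate domains.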
As cybercriminals continue to evolve, organizations and individuals alike face far greater risk. The availability of services like PhaaS is evidence of how rapidly the cyber threat landscape is developing. Commercialization in the cybercriminal world ultimately means that cybercrime is becoming available to the masses, and that in turn points to a probable rise in criminal activity.