If a task is time-consuming or difficult, there is usually someone willing to offer it as a service. That can now be said of phishing. A growing number of criminals are offering phishing-as-a-service to help wanna-be criminals conduct phishing campaigns.
At the basic level, phishing is a relatively straightforward way of attacking an organization. It is also low cost and requires little in the way of hacking skill. That said, getting started takes some effort. A domain is required to host a phishing web page, the web page must be designed to mirror the site it is mimicking, and login credentials must be captured without detection. Email addresses are required for a spam campaign and emails need to be carefully crafted to fool users into clicking.
With phishing-as-a-service, a phishing kit is offered that has everything required to start a phishing campaign. Website templates can be purchased that are virtual carbon copies of the brands they are spoofing, and one month of hosting is included in the price.
The hosting also comes with a fail-safe: two further URLs to use in case the first two get blacklisted, and an offer of more to keep a campaign going. The templates are priced from $50 to $80, so even money isn’t a barrier to getting started. The only things that aren’t supplied are a carefully crafted email and an email server to send out the phishing emails.
With no skill or upfront work required and only a small financial outlay, it is no surprise that these offerings are popular. Phishing-as-a-service makes it as easy as possible to conduct phishing campaigns to harvest credentials to sell on or use to gain a foothold in an organization’s network. With most of the time and effort involved in conducting a campaign taken care of, more time can be devoted to developing convincing phishing emails that can evade security solutions.
The increase in phishing-as-a-service offerings has been tracked by cloud-security firm Cyren, which published a report on the rise in phishing as a service. “Today’s reality is that we are seeing more evasive phishing campaigns in the hands of more attackers at less effort and lower cost than in the past,” wrote Cyren in its report. “Technically sophisticated phishing attack developers have adopted a SaaS business model to let even the most amateur criminal wanna-be spoof targeted web sites with a high degree of authenticity and embedded evasive tactics.”
As for the extent to which phishing-as-a-service is growing, Cyren has detected 5,334 new and unique phishing kits so far in 2019. Not only are more players getting involved in phishing, but emails are also bypassing security defenses and reaching inboxes. Cyren cites a 2018 Osterman Research study, which revealed that 44% of organizations had experienced at least one phishing attack in the past year, with the figure rising to 54% for businesses using Office 365.