phishing as a service / phaas

Phishing attacks are about to get much worse with the spread of the oddly named PhaaS, which stands for Phishing-as-a-Service. Phishing usually relies on social engineering tactics or on sheer volume ("tonnage"), where the threat actor sends out masses of emails in the hope that someone takes the bait. PhaaS offers subscription-based software that includes an archive of cloned websites, email lists and proxy servers that can circumvent multi-factor authentication. These features make phishing rackets much easier and cheaper to operate.

How it works

PhaaS operators typically advertise their services on dark web forums, offering tutorials, technical assistance and documentation. 

“Our phishing simulations are supported by an in-house developed software platform. In particular, our backend application offers the full set of functionalities required to conduct phishing campaigns,” EvilProxy advertised on a hacking forum. 

PhaaS operations are run like any other retail software business, incentivizing subscriptions with discounts, providing free trial periods, and in at least one instance, a Black Friday deal. Price structures vary, but they typically range between $40 and $400 per month, depending on the software and its features.

In the case of EvilProxy, customers have a selection of cloned login pages that can be used to capture a target’s credentials. Google, Microsoft, GitHub, Instagram, Apple, Dropbox, Twitter and other accounts are available. Reverse proxies make it possible to send and receive 2-factor authentication codes from the legitimate websites, removing that layer of protection from targeted accounts.

A win-win for cybercriminals

PhaaS is a major escalation of the phishing threat posed to consumers, since it lowers the barrier to entry and lets criminals with no technical skills launch phishing campaigns.

How to protect yourself from PhaaS

  • Training: Organizations need to invest in training employees to recognize potentially suspicious emails and to double-check incoming messages as well as the login pages for common websites before providing credentials. Password hygiene is also essential.
  • Security software: Firewalls and anti-malware programs aren’t silver bullets, but they can help block malicious emails from employee inboxes if kept up-to-date.
  • Implement DMARC: Domain-based Message Authentication, Reporting & Conformance, or DMARC, is a form of email authentication designed to prevent email spoofing and spam.