Newest Trend in Cybercrime: Phishing as a Service

Subscription as a Service (Saas) businesses have been around for decades but have grown massively in recent years with giants like Netflix, Spotify, and Dropbox taking centre stage. The business model is simple: consumers gain access to a service or software for a monthly or annual fee. With so much widespread success and opportunity in the market, SaaS has also made it’s way into unregulated industries of cybercrime on the dark web with the creation of Phishing as a Service (Paas).  

PaaS works just like its counterparts, by offering phishing tool packs to aspiring and established hackers for as little as $50 a month. This lowers the barrier to entry for individuals to get involved in cybercrime with step-by-step instructions and premade templates for immediate use. These kits are also designed to be successful, so the chances of a successful phishing attack are much higher than before.  

Rather than spending hours writing code, designing specific campaigns, and creating malicious links, hackers have these assets at their fingertips. This leaves them more time to create more sophisticated scams that may be easier to spot, as well as increase the number of campaigns that are run at one time.  

Cyren’s research lab found over 5,000 new, unique phishing kits on the dark web in the first half of 2019. Most plans include HTML character encoding, content encryption, inspection blocking, URLs in attachments, content injection, legitimate cloud hosting. 

Fake Microsoft 365 pages designed to steal credentials (source: Cyren) 

Along with the PaaS community thriving on the darknet, hackers can also purchase personal information that was sourced by data scraping and recent breaches. Therefore, a hacker can essentially buy a how-to-kit for phishing as well as a list of targets all at once. Whereas this whole process would have taken much longer before the rise of this business model on the darknet.  

With phishing becoming more common, unique, and sophisticated, it’s more important now than ever to ensure your business is properly protected. At Lucidica, we recommend malware protection, encrypting your data, using a secure network, SSL certificates, and employee education to avoid cyberattacks. Check out one of our earlier blogs that discusses How to protect your SME from Cyber Attacks in more detail.  

We can even send a test phishing email to everyone in your business to see how many individuals who would have unknowingly engaged with the scam. This is a great way to get a pulse on your team’s understanding of phishing while also educating everyone at the same time.  

When it comes to your business’ security, prevention is the best strategy for success. And while it may seem exhausting and daunting to leave no stone unturned, your friends at Lucidica are here to slay those darknet dragons. That time saved leaves you to work on and grow your business, with peace of mind knowing you are properly protected.