Phishing-as-a-service (PhaaS) occurs when cybercriminals sell access to all the things you’ll need to instigate a phishing attack in the black market typically found on the Dark Web. The business model follows the legitimate software-as-a-service (SaaS) model. Companies offer users access to their specially crafted solutions for a subscription fee instead of purchasing a license to install the program on their computers.

PhaaS has made it easy even for cybercriminal newbies to launch phishing campaigns even if they can’t code.

Other interesting terms…

Read More about “Phishing-as-a-Service

PhaaS has made phishing an even more significant threat to organizations and individuals worldwide, as it vastly increased the number of potential threat actors.

What Gave Rise to Phishing-as-a-Service?

More experienced cybercriminals likely gave birth to PhaaS to continue earning money from their technical skills with fewer chances of getting caught since they don’t actually phish victims. Instead, they just sell the tools actual phishers can use for their campaigns. They do the peddling on the Dark Web where they can remain anonymous lessens risks even more.

What Tools Are Usually Included in Phishing-as-a-Service Packages?

PhaaS sellers typically offer the following:

  • Well-crafted phishing emails, complete with the spoofed brand’s logo, socially engineered content (convincing lure to get the victim to the phishing page), and even email addresses
  • Professionally made phishing pages with the mimicked brand’s logo and login page content, even site hosting
  • Command-and-control (C&C) server access where they can store and retrieve the stolen credentials (username-and-password combinations) from
  • Tutorials on how to launch a phishing attack
  • Customer support in case the novice phishers suffer technical difficulties
  • List of potential phishing targets

Some PhaaS providers not only sell phishing kits for newbies that want to DIY but also offer end-to-end services, meaning they’ll design and implement your campaign and just send you the phished credentials via email or ICQ chat. That kind of package, of course, comes at a premium.

How Much Do Cybercriminals Typically Charge for Phishing-as-a-Service?

PhaaS subscriptions cost between US$50 and US$80 a month as of 2019. A Cyren study discovered 5,334 phishing-related products for sale in the first half of the year alone.

Microsoft investigated PhaaS provider BulletProofLink in 2021 and found that it:

  • Provided unique services to what it calls “dedicated spammers” according to its About Us page
  • Maintained multiple sites under aliases, such as BulletProftLink, BulletProofLink, and Anthrax on YouTube and Vimeo
  • Had instructional ads and promotional materials on various underground forums and other sites
  • Posted ICQ chat logs with customers, much like testimonials on legitimate SaaS providers’ sites
  • Had an online store that required membership to access
  • Gave a 10% discount to new customers for their first orders
  • Offered hosting and support for as much as US$800 a month, including logs containing phished credentials, in case subscribers want the entire package and don’t have to run the campaigns on their own

Who Is at Risk of Becoming a Phishing-as-a-Service Victim?

Anyone who banks and purchases goods and services online can suffer from a PhaaS-enabled attack. So long as you have credentials to steal, especially those tied to financial accounts, you’re at risk of PhaaS.

How Can You Avoid Becoming a Phishing-as-a-Service Victim?

While organizations and individuals can’t do anything to stop PhaaS, they can avoid becoming a victim by:

  • Investing in security awareness training to spot malicious emails
  • Employ a zero-trust approach to email filtering, meaning block all messages coming from unknown senders
  • Use solutions that combine machine learning (ML) and natural language processing (NLP) technologies to detect malicious emails by blocking messages that contain spammy words
  • Use applications that specifically scan emails for malicious embedded links
  • Train every computer user to scrutinize links, making sure these aren’t spoofing those that belong to legitimate companies
  • Employ phishing simulations in cybersecurity training sessions so users will know what to look out for
  • Set up anti-phishing security policies and strictly enforce these
  • Adhere to all the best practices against phishing

PhaaS, unfortunately, is here to stay so long as it proves profitable for operators. And while typical organizations and individuals can’t thwart it, they can take simple steps to avoid becoming victims.