Phishing as a Service (PHaaS) – an Effective Attack Vector for All Threat Actors

Conscia ThreatInsights

Phishing has professionalized. It is literally available to criminals in a »as a service« model, and the most effective examples are extremely convincing. And therefore dangerous. What can you as a business do to not fall prey to the next generation of phishing attacks?

From Phishing to Phishing as a Service (PHaaS)

Mid-size businesses lose an average of $1.6M USD if they fall prey to spear phishing. Year-over-year, phishing attacks in 2021 rose for overall 20% (source). In principle, phishing is a very simple tactic. It is a form of social engineering where a criminal sends a deceptive message designed to trick a person into revealing sensitive information or installing malicious software. It allows an attacker to perform ransomware infections, deploy malware, engage in credential harvesting, and gain access to targeted networks. Phishing is effective because it exploits the human factor.

“The best” examples of phishing attempts can be extremely difficult to recognize and are very convincing. In addition, modern technology allows cybercriminals to quickly adjust and improve their tactics to increase the chances that a victim will open a phishing message containing a malicious file or link. A typical test-and-improve approach. Phishing is especially effective in supply chain scenarios, where a believable email (or already compromised one) is crafted impersonating a supply chain partner. Afterward, there is a potential to perform lateral movement to harm systems outside of the initial attack vector.

Rise of the Phishing as a Service

While phishing is a common attack vector, advanced phishing techniques also require technical skills. That is why some of the threat actors have started to exclusively focus on developing phishing kits, which they then sell to cybercriminals on Dark Web. They develop high-quality phishing pages that impersonate websites of legitimate organizations, with some that can bypass 2FA. They offer very good integration with their Administration Panels to handle large-volume campaigns and more. In its most advanced form, the Phishing as a Service (PHaaS) model, the offering also includes technical support and regular customer updates. This has lowered the barrier to entry for cybercriminals, because, in the PHaaS model, they need very little technical resources in order to deploy phishing attacks.

The core of PHaaS model are good phishing kits. One of the most popular phishing kits used by cybercriminals is Modlishka.  Modlishka is an open-source penetration testing tool that automates phishing attacks and is capable of bypassing 2FA for accounts protected by it. Phishing victims connect to the Modlishka server, and the reverse proxy component behind it makes requests to the website it wants to impersonate. The victim receives authentic content from the legitimate website, but all traffic and all the victim’s interactions with the legitimate website pass through and are recorded on the Modlishka server. Once a victim connects through the server, any credentials that a user may enter are automatically logged in the Modlishka back-end panel. The tool was created by Polish researcher Piotr Duszyński.

Modlishka is just an example of a free and open-source tool that has a phishing kit integrated into it and is available to all. However, true PHaaS additionally offers customer support and regular product updates, which make them more attractive for less technical cybercriminals or the ones who want to launch and manage large phishing campaigns. In the last year, dark web cybercriminals launched several new phishing kits or significantly modified existing versions of the phishing malware to target victims more effectively.

How to fight off phishing attacks?

At Conscia CyberDefense we are convinced that phishing will remain one of the most popular attack vectors for gaining initial access or performing initial infection. Cybercriminals are likely to continue to use phishing as long as it remains a successful way to gain unauthorized access to users and corporate accounts. And a source of profits from selling the stolen data. PHaaS model gives this option to cybercriminals as it enables them quick and easy deployment of campaigns that they can eventually monetize.

To protect your business against phishing, you can deploy various defense tactics. Below you can find some of our recommendations that can help detect and stop phishing and web inject attacks:

  • Redesign the login web page for an application so that it includes a watermark that is client-specific or changes based on the time. Inform clients that if they do not see the image or watermark, it is not an authentic login web page for that app.
  • Perform periodic, environmental, file-based scans (for example, using YARA) to identify malware since web injects are often carried out by additional malware families.
  • Use only HTTPS connection on the internet and ensure that the SSL/TLS certificate of a website is legitimate before submitting sensitive data to it.
  • Keep all software and applications up to date
  • Use multi-factor authentication (MFA) if possible and move toward hardware-based authentication with Fast ID Online (FIDO)-compliant hardware.
  • Deploy an email spam filter that detects viruses, blank senders, and so on, and deploy a web filter to block malicious websites.
  • Use cyber threat intelligence (CTI) to look for typosquats in your brands
  • Educate employees and perform regular user awareness training on phishing and other popular attack vectors.
  • Use CTI to look for current, old, and new login pages that may be created.

Phishing as a Service will continue to pose a threat to organizations and individuals until they start to employ required cybersecurity hygiene (e.g., strong passwords, MFA, …) and especially security awareness training, which would result in unprofitable campaigns for threat actors.

How can NIL, part of Conscia, help?

At Conscia, we offer Security Awareness Training that is known for its speed of deployment, actionable feedback, and effectiveness. To improve your cyber resilience and combat phishing, reach out to us for more information.

To keep in touch with the latest cyber threats and trends, be sure to sign up for our weekly ThreatInsights Newsletter.