Cybercriminals are having it easy with phishing-as-a-service

In this interview for Help Net Security, Immanuel Chavoya, Threat Detection Expert at SonicWall, talks about phishing-as-a-service (PaaS), the risks it can pose to organization, and what to do to tackle this threat.

Phishing-as-a-service has become a growing threat to organizations. How exactly does this trend work?

Phishing attacks have only grown with the rise of SaaS in the workplace, and even the most security-savvy worker can be duped into a phishing attack.

Phishing-as-a-service is a fairly new phenomenon, this trend is where the cybercriminal actually takes the role of a service provider, carrying out attacks for others instead of just for themselves in exchange for a sum of money. PaaS only serves to show how hackers are becoming better organized and looking for greater monetisation from ransomware.

Instead of threat actors being required to have technical knowledge of building or taking over infrastructure to host a phishing kit (login page emulating known login interfaces like Facebook/Amazon/Netflix/OWA), the barrier to entry is significantly lowered with the introduction of PaaS.

Last year, a large-scale SaaS campaign, marketed by criminals as BulletProofLink was exposed by Microsoft, finding more than 300,000 newly created and unique subdomains. The turnkey platform allowed users to customise campaigns and create their own phishing tactics, providing them with over 100 phishing templates that copied known brand and services guidelines, kits, hosting and other tools.

How does PaaS simplify the work of cybercriminals?

It has resulted in the ability of any threat actor, however, limited by technical skills, to begin a phishing campaign against a targeted organization, for less than $15 a day.

So while in the past, the barrier to entry was slightly harder, but not by much. Back then a threat actor would have to carry out numerous steps such as purchasing the phishing kit, setting up the infrastructure, obtaining the email list, spamming the email list with a link to their credential harvester (or malware dropper), and collecting credentials. This can also be used for follow-up attacks (or for sale as an IAB) PaaS allows actors to get most of this done with a small transaction fee of $400 a month.

What should organizations mostly worry about when PaaS is involved?

Following the pandemic, workforces were massively distributed with the introduction of hybrid, widening a business’s security surface. This has created a lush ground for cyber criminals to carry out a range of attacks, the most common being phishing.

A recent survey looking at businesses’ biggest cyber concerns ranked phishing attacks at the top, with several phishing campaigns identified, designed to trick busy or distracted employees. Organizations that have enabled multi-factor authentication (MFA) and called it a day may have risks involved in the new PaaS campaigns, now that threat actors are beginning to formalize.

However, a lower-skilled actor can purchase a phishing service such as EvilProxy, for instance, and bypass MFA controls in place using a reverse proxy to harvest valid cookies from the user connecting through an evil proxy phishing site. This then allows the attacker to bypass the need for authentication with username/password or MFA tokens.

How can organizations tackle this threat?

Phishing-as-a-service can be very advanced, with capabilities spanning from detecting sandbox environments, to fingerprinting user agents in order to determine whether you might be a researchers bot. That being said, Web Content Filters can often limit the exposure of users. For instance, if your email security solution doesn’t detect a PaaS threat, and your user clicks on a link, if you have a defence-in-depth methodology in place, you may have a web content filter that is capable of monitoring the applications and DNS traffic. This limits access to ‘newly registered’ domains, or domains with a bad repudiation, which can be helpful in a layered defence against PaaS.

How can it affect individuals and what can they do to protect themselves?

Beware of authentication fatigue! As cloud platforms overtake programmes installed on devices, two-factor authentication has become much more common for businesses to install a secure mindset. This is where phishing can thrive. Phishing scams rely on muscle memory developed during repeated daily logins to steal credentials.

Many of the HTML phishing scams observed over the last year revolve around launching a login form, prefilled with the worker’s email address. All one must do is enter their password without hesitancy, letting cybercriminals in. The bad actor then sends the password to the malware-hosted remote server and the user is redirected to a legitimate website. Alongside specific detection methods, employees and businesses need greater education on how these phishing threats work and what habits or weaknesses they rely on, both across the business and at the individual level.