The rise of phishing as a service (PhaaS) and how to tackle it

Graphic representing phishing with a hacker stealing data from one computer to another (Image credit: Shutterstock)

Cyber security should always be a critical consideration for C-suite investment, but with new threats including phishing as a service (PhaaS) increasing in popularity, experts are now warning companies to check that their defences are solid.

According to cloud security company Zscaler, 2021 saw a 29% rise in phishing attacks, driven – it believes, in part – by PhaaS. Across retail and wholesale, a 400% increase in phishing attacks was observed over the last 12 months, while the financial and governmental sectors saw a more than 100% increase.

PhaaS is becoming a key cog in the cyber crime landscape, meaning businesses need to know how it manifests, and how to avoid falling victim to attacks.

What is PhaaS?

PhaaS puts pre-built attack tools up for sale in underground marketplaces online, making it easier for non-sophisticated actors to launch successful attacks.

Such a low barrier to entry means even those with very limited technical knowledge can use fake emails or web pages to steal personal or corporate information, or to gain access to secure systems by tricking people into revealing their passwords.

The growing availability of these plug-and-play phishing tools and services on the dark web follows an increase in ransomware as a service tools also being offered. Some of those gangs now have hundreds of members.

This could be one reason why a survey by Datasite of 200 senior dealmakers found cyber security is now the top M&A investment opportunity for 2022 in the technology, internet and media, and telecom market. Gaining such internal protection capacity was most popular among UK law firms and investment banks.

The growth in PhaaS is certainly worrying leading UK experts. Steven Furnell, a senior member of IEEE and professor of cyber security at the University of Nottingham, suggests it could create “a new generation of cyber criminals who previously would not have had the means or capability to get involved”.

Furnell suggests companies stay vigilant as the problem increases in scale and severity. “It is essentially transforming criminals into cyber criminals without them necessarily needing to understand the cyber element,” he says.

What do PhaaS operators offer clients?

In September 2021, Microsoft acknowledged a large PhaaS offering called BulletProofLink, which offered everything from phishing templates to cloud-based hosting infrastructures and technical support. Dutch police were also investigating another group known as the Fraud Family last year.

Prices for PhaaS range from just a few dollars to hundreds of dollars, with some providers even offering a guarantee of success. Others offer discounts in sales or on Black Friday, and many promise they can get around any type of two-factor authentication (2FA).

It’s believed some PhaaS products might have been created from open source code used legitimately to test for weaknesses. Those distributing such tools have also been seen creating video tutorials for customers to watch, and dashboards from which they can see how attacks are progressing in real time.

Which businesses does PhaaS target?

One concerned expert is Andrew Rose, CISO at Proofpoint, and formerly head of security at the UK’s National Air Traffic Control Services (NATS). Proofpoint’s new 2022 State of the Phish report revealed a staggering 91% of UK organisations were successfully compromised by a phishing attack in 2021.

“Phishing not only affects consumers or individuals but can also be the foothold a threat actor needs to get around the hardened corporate perimeter to steal data and drop further payloads, including information stealers and ransomware,” Rose says.

“It’s critical to understand which users are most targeted and which of them are the likeliest to fall for the social engineering that phishing attacks rely on. Users are a critical line of defence against phishing, and it’s important security awareness education provides a foundation to ensure everyone can identify a phishing email and easily report it.”

The people part of the puzzle is one layer in a multi-layered approach that companies should be considering – one that includes defences at the email gateway, in the cloud, and at the endpoint, as well as email authentication protocols and network segmentation.
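The email authentication protocols mentioned above are, in practice, SPF, DKIM and DMARC: the receiving mail server checks whether the sending infrastructure and signature are authorised for the domain in the From header, and the domain owner publishes a DMARC policy saying what to do when they are not. The following is an added example, not code from the article or any vendor it quotes, showing that evaluation in simplified form. It assumes a constructed Authentication-Results header and a constructed DMARC TXT record as inputs, uses a simplified organisational-domain rule (last two labels, no public suffix list), and uses made-up domains such as example.com and phish-kit.test. The lookalike sample is the caveat a practitioner should keep in mind: DMARC only protects the exact domain that publishes it, so a registered lookalike domain with its own valid SPF and DKIM passes cleanly, which is why user awareness and reporting remain necessary alongside the protocol controls.

```python
"""Simplified DMARC evaluation over constructed inputs (added example, not the article's code).

Assumptions: the Authentication-Results header and DMARC record are constructed strings,
and the organisational domain is approximated as the last two labels (no public suffix list).
"""
import re
from dataclasses import dataclass


@dataclass
class AuthResult:
    spf: str = "none"        # verdict reported for SPF: pass / fail / none ...
    spf_domain: str = ""     # domain SPF was evaluated against (smtp.mailfrom)
    dkim: str = "none"       # verdict reported for DKIM
    dkim_domain: str = ""    # signing domain (header.d)


def parse_auth_results(header: str) -> AuthResult:
    """Pull SPF/DKIM verdicts and the domains they apply to out of an
    Authentication-Results header (RFC 8601 style, simplified)."""
    res = AuthResult()
    m = re.search(r"\bspf=(\w+)(?:[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+))?", header, re.I)
    if m:
        res.spf = m.group(1).lower()
        res.spf_domain = (m.group(2) or "").lower()
    m = re.search(r"\bdkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", header, re.I)
    if m:
        res.dkim = m.group(1).lower()
        res.dkim_domain = (m.group(2) or "").lower()
    return res


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy: none / quarantine / reject
    tags.setdefault("adkim", "r")     # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")      # SPF alignment
    return tags


def org_domain(domain: str) -> str:
    """Approximate organisational domain: last two labels (assumption, no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain: str, dmarc_record: str, header: str) -> str:
    """Return 'pass' if an aligned SPF or DKIM result exists, else the domain's policy."""
    tags = parse_dmarc_record(dmarc_record)
    res = parse_auth_results(header)
    spf_ok = res.spf == "pass" and aligned(from_domain, res.spf_domain, tags["aspf"])
    dkim_ok = res.dkim == "pass" and aligned(from_domain, res.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags["p"]


# Constructed samples: (From-header domain, DMARC record of that domain, Authentication-Results).
SAMPLES = {
    # Legitimate bulk mailer: SPF domain is a subdomain, relaxed alignment accepts it.
    "legit_bulk": ("example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "mx.example.net; spf=pass smtp.mailfrom=news@bulk.example.com; dkim=pass header.d=example.com"),
    # Spoofed From header: SPF passes for the sender's own infrastructure, but it is not aligned.
    "spoofed": ("example.com", "v=DMARC1; p=reject",
                "mx.example.net; spf=pass smtp.mailfrom=bounce@phish-kit.test; dkim=none"),
    # Lookalike domain with its own records: DMARC cannot help here, it passes.
    "lookalike": ("examp1e.com", "v=DMARC1; p=none",
                  "mx.example.net; spf=pass smtp.mailfrom=it@examp1e.com; dkim=pass header.d=examp1e.com"),
    # Strict DKIM alignment rejects a subdomain signature; SPF failed, so policy applies.
    "strict_dkim": ("example.com", "v=DMARC1; p=quarantine; adkim=s",
                    "mx.example.net; spf=fail smtp.mailfrom=x@example.com; dkim=pass header.d=bulk.example.com"),
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return {name: verdict}."""
    return {name: evaluate(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} -> {verdict}")
```

The point of the four samples: the spoofed message is stopped only because the domain owner published p=reject rather than p=none, the strict-alignment sample shows why subdomain signing arrangements must match the policy, and the lookalike sample shows the gap the protocols leave open, which is exactly where the awareness and reporting advice in the article applies.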

Julia O’Toole, CEO at MyCena Security Solutions, explains how malicious actors are using PhaaS to target a range of sectors, including governments, brands, social media, banking, retail, and telecom. The tools bought might also include email databases, domain reputation management, and fake sign-in pages.

With PhaaS offering an opportunity to cheaply capture tens of thousands of stolen credentials every month, O’Toole says distributing strong unique encrypted passwords to employees for every system is a necessary counter.

She explains: “As passwords remain encrypted from creation, distribution, storage, and use to expiry – and people don’t know their passwords – organisations are protected from the risks of human error, password fraud, and password phishing.

“This is particularly important for critical infrastructure as it prevents malicious first access to controllers where alteration could endanger people, production, or the environment.”

Cracking down on PhaaS providers

One major worry around PhaaS is that it could leave companies open to attacks from disgruntled ex-employees, including those who did not work in technical roles.

Zero trust architecture is another way forward, but John Davis, director for the UK and Ireland at SANS Institute EMEA, suggests combatting any rise in phishing relies on “boosting awareness and defensive training” while ensuring employees remain sceptical of any messages they receive.

“Ultimately, the dark web is very hard to police, which means tracking down and stopping shadowy vendors will prove tricky,” he says. “Organisations can’t rely on crackdowns for PhaaS vendors. Instead, the best play is to expect the worst scenario of spikes in phishing attacks by shoring up cyber defences. Cyber security needs to be a constant daily practice for everyone.”

Avishai Avivi, CISO at SafeBreach, does offer one glimmer of hope. “By having a centralised platform,” he says, “companies like Microsoft, Google, and Amazon in collaboration with the government can work to shut these platforms down and potentially bring the malicious actors operating them to justice. It also allows email security vendors to provide controls to stop phishing attacks originating from these PhaaS platforms.”

However, given the growing fear that PhaaS will encourage more spear phishing on professional platforms such as LinkedIn, people remain a weak link, no matter what technology defences have been deployed. This leads Avivi to offer a potential solution. “No attack could succeed if the human being targeted does not fall for it,” he adds. “The person does not have to take the bait.”

Jonathan Weinberg is a freelance journalist and writer who specialises in technology and business, with a particular interest in the social and economic impact on the future of work and wider society. His passion is for telling stories that show how technology and digital improve our lives for the better, while keeping one eye on the emerging security and privacy dangers. A former national newspaper technology, gadgets and gaming editor for a decade, Jonathan has been bylined in national, consumer and trade publications across print and online, in the UK and the US.