While phishing attacks are typically scattergun approaches and less sophisticated than their more targeted cousins, spear-phishing and whaling, there is still an element of technical configuration in setting up high-volume email delivery and a hosted target (website) for victims to visit if they click a link. In addition to the infrastructure, modern phishing campaigns also need to be carefully crafted to avoid detection by cloud-based email scanning services such as Microsoft 365, Mimecast and Symantec. All of these requirements, combined with the need to do it all behind a cloak of anonymity, can be off-putting for criminals, and this has created a market for others to provide the capability as a rentable service. Phishing-as-a-Service (PhaaS) is now putting sophisticated tools in the hands of less technical criminals, showing that despite improved detection tools, phishing is still a lucrative business and isn’t going anywhere.
For ‘customers’ not wanting to purchase a full service, the operators of the Phishing-as-a-Service platforms appear to offer several different packages, which include “one off” purchases of templates as well as fully featured subscription services with weekly, monthly and annual commitments.
This range of options allows the operators of the service to demonstrate the effectiveness of their tools to a customer with minimal commitment and risk, showing a commercial maturity alongside their technical abilities.
Unfortunately, while technology continues to be developed to thwart phishing campaigns, attackers likewise continue to develop novel techniques to evade these tools, and this is proving so lucrative that we are now seeing mature commercial models. This in turn is likely to fuel further research and development by criminals. As ever, along with robust technical filtering, we recommend ensuring staff are trained and tested regularly against common phishing campaign types, with the results fed back to them to keep them aware and vigilant.