Phishing is a powerful technique for getting people to reveal information. The attacker sends out an email that appears to be from a legitimate source such as a bank and contains a link to a fake login page. The victim clicks on that link, attempts to log in to their account, and their login details are stolen.

The success of a phishing campaign is dependent on how realistic it is. This requires a skill set that many cybercriminals don't have and this used to be a significant barrier to entry. But Phishing as a Service is changing that.

So what is Phishing as a Service?

What Is Phishing as a Service?


Phishing as a Service (PaaS) is part of a trend where cybercriminals are becoming service providers. Rather than carrying out cyberattacks on their own, they are helping others to carry out attacks in exchange for a fee.

It is based on the Software as a Service business model where customers are provided access to software in exchange for a monthly fee.

This provides cybercriminals with a new revenue stream and it allows anyone to carry out more professional attacks.

How Does PaaS Work?


PaaS vendors advertise their products as phishing kits. They are primarily sold on the dark web but some phishing kits are now available on the surface web (i.e. the regular internet).

A phishing kit includes everything required to launch a successful phishing attack: email templates for messages that appear to come from legitimate companies, as well as templates for the websites victims are sent to. Some phishing kits also include lists of potential targets.

Because phishing kits are targeted at those without technical skills, they also often include detailed instructions and customer support.

Phishing kits are advertised as products which allow anyone to make money carrying out phishing attacks regardless of their skill set. This is a popular service for those who want to get involved in cybercrime but lack the necessary knowledge.

What Happens to the Stolen Credentials?

After a victim's credentials have been stolen, there are a number of possibilities. The attacker can use the credentials themselves. If it's a financial account, they can attempt to transfer funds. Or if it's access to a network, they can use that access to launch a ransomware attack.

Credentials can also be resold on the dark web. This allows somebody to profit from stolen credentials even if they don't actually have a use for them.

Some phishing kits are also designed to keep a copy of any credentials stolen and send them to the phishing kit publisher. This provides additional potential revenue for the phishing kit publisher. It also means that credentials are often resold on the dark web even if the person who stole them had other intentions.

Why Is PaaS a Problem?


PaaS is an issue because it removes the barrier to entry to phishing. Normally, a cybercriminal would need to understand HTML to create an effective email. They would also need to understand how to build a website that both appears realistic and steals passwords. If somebody buys a phishing kit, they don't need these skills to conduct an attack.

PaaS makes people who are already conducting phishing attacks more successful. The success of a campaign is often limited by the perpetrators' abilities. If that person pays for a phishing kit, it's likely that more people will fall for their attacks.

PaaS also makes the prosecution of phishing attacks more difficult.

It allows people who are good at designing phishing kits to profit from the activity without conducting any phishing attacks themselves. If the person using a phishing kit is caught, the person who provided the phishing kit is likely to avoid prosecution. They can then continue to sell to others.

Who Is Targeted by Phishing?

Phishing attacks are carried out against both businesses and private individuals. If a private individual is targeted, the login credentials for their financial and personal accounts can be stolen.

A successful phishing attack on a business can result in other cyberattacks occurring. If the attacker steals the credentials of a network, the private information of customers can be stolen or ransomware can be installed.

How to Avoid Phishing

While PaaS makes phishing attacks more difficult to detect, they can still be avoided if you understand what to look for.

Check the Sender

Phishing emails rely on the recipient not looking properly at the sender's name and address. The sender may use email spoofing to appear legitimate, but it's impossible to avoid minor spelling variations.
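As an added illustration of the sender check described above (example code, not from the original article), the following Python classifier flags a From: header whose domain or display name mimics a domain you normally receive mail from, catching typos, homoglyph swaps and brand names padded with extra words. The allowlist and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed allowlist (hypothetical): domains the reader actually does business with.
KNOWN_DOMAINS = {"examplebank.com", "examplebank.co.uk"}

# Character swaps commonly seen in lookalike domains; folded before comparison.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def fold(label):
    """Lower-case a label and undo typical homoglyph substitutions."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance: catches swapped, dropped or doubled letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return ('known' | 'lookalike' | 'unknown', domain) for one From: header."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unknown", None)
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in KNOWN_DOMAINS:
        return ("known", domain)
    base = fold(domain.split(".")[0])  # 'examp1ebank.com' -> 'examplebank'
    name_key = "".join(c for c in name.lower() if c.isalpha())
    for known in KNOWN_DOMAINS:
        kbase = known.split(".")[0]
        if kbase in base or edit_distance(base, kbase) <= 2:
            return ("lookalike", domain)  # domain mimics a known brand
        if kbase in name_key:
            return ("lookalike", domain)  # display name claims a known brand
    return ("unknown", domain)


# Constructed sample headers, not real mail.
SAMPLE_FROM_HEADERS = [
    "Example Bank <alerts@examplebank.com>",
    "Example Bank <alerts@exarnplebank.com>",
    "Security Team <no-reply@examplebank-verify.net>",
    "Example Bank Support <support@customer-notify.test>",
    "Newsletter <news@unrelated.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(classify_sender(header))
```

A mail filter would treat "lookalike" as a strong signal while "unknown" only means the domain is not on the allowlist.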

Look for Formatting Errors

PaaS products often include highly realistic emails, but they still aren't as professional as the real thing. Look for errors in both formatting and language used.

Regardless of who the sender is, you should never click on a link in an email. You should also never download an email attachment unless you are certain of what it contains.

Be Wary of Information Requests

All phishing emails ask you to do something. You should be suspicious of any email that asks you to provide information or to log into an account.

Businesses Should Train Employees

Phishing attacks against businesses are primarily targeted towards employees. In order to mitigate this threat, all employees need to be trained accordingly.

Businesses May Use Anti-Phishing Software

Software is widely available to detect phishing emails and prevent them from reaching employee inboxes. While this software is not an adequate alternative to employee training, it can reduce the size of the threat that employees face.

PaaS Makes Phishing a Bigger Threat

Phishing is a significant threat to both private individuals and businesses. It leads to account hacks on individuals and network intrusion in businesses. PaaS adds to this threat by allowing anyone to conduct such attacks regardless of their skill set.

The introduction of PaaS not only increases the rate of phishing but also makes each attack potentially more effective. While phishing emails are often obvious, anyone using a paid-for phishing kit may be able to steal far more credentials.