The barrier to entry for a career as a cybercriminal has dropped significantly over recent years. No “hacking” or even basic programming experience is needed for a bad actor to create a lucrative career. One need not even speak the language of their victims to steal their victim’s money. Phishing-as-a-Service, or PhaaS, is the platform that makes this possible.

As you know, phishing is a means of coercing a targeted victim into doing something they shouldn’t do, usually under an urgent but false pretense. Typically, this is an email convincing the individual to click a link, open an attachment, or go to a website to provide information or make a payment. Smishing, which is phishing through SMS (text messaging) instead of email, is becoming increasingly popular.

In the past, these phishing/smishing messages were somewhat easy to spot. Bad grammar, misspellings, and other indicators could tip off most people that the message might be fraudulent. With the help of AI, however, bad actors have been able to create more convincing messages with less skill, making their targets more likely to respond.

How It Works

For now, let’s ignore the phishing emails that deliver ransomware, spyware and other malware. Instead, let’s focus on the ones that steal credentials. These will ask you to sign in to one of your online accounts. Whether Microsoft 365, Gmail, your bank, social media or another work or personal account, they provide a convincing reason to “click here” to sign in. Clicking their link brings you to a page that looks like the legitimate site, but it’s a fake, designed to get you to enter your sign-in credentials. Once you do, you are forwarded to the actual website, unaware that the bad actor has just stolen the credentials you entered. This is known as an Adversary-in-the-Middle or AiTM attack.

You may think multifactor authentication will save you, but it won’t. These services are designed to circumvent MFA protection in all but a few cases.

It may seem like a lot of work for a bad actor to create and send these phishing emails and build a website for capturing your credentials. Not anymore. All they need is a Phishing-as-a-Service subscription or phishing kit. For a few hundred dollars a month a bad actor can subscribe to such a service. With services like Darcula [sic], Tycoon 2FA or FishXProxy, they simply enter the URL of the site they want to emulate or choose one of many popular pre-made sites. The service does the rest. It creates a fraudulent copy of the legitimate website to capture credentials, then creates and sends realistic-looking phishing emails or smishing texts. No technical experience needed.

With the bar lowered this far, bad actors who couldn’t make it as a third-rate hacker can now easily make a comfortable living using these services. Hence the significant recent increase.

What You Can Do

The best defense is what you already know: avoid clicking links provided in emails and texts. If an email or text says you need to sign in to your portal for something, sign in the way you normally do. Don’t click the link supplied in the email or text.

On a technical front, one thing that can stop these attacks is a special type of MFA that uses FIDO2/WebAuthn. It resists AiTM because the credential is cryptographically bound to the legitimate site’s web origin, so a sign-in performed on a look-alike site cannot be replayed to the real one. The end user would need a biometric device or FIDO2 device that supports WebAuthn. Most modern computers and smartphones with facial recognition or fingerprint scanners support this. However, the web portals requesting MFA would also need to be WebAuthn capable. That makes this difficult, since many are not.
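To make the difference between the two kinds of MFA concrete, here is an added example (not code from the article or from any of the services it names) of the checks a relying party performs on a WebAuthn assertion. It assumes a relying-party ID of login.example, a single registered credential, and uses HMAC-SHA256 as a stand-in for the ES256 signature a real authenticator produces; the look-alike origin, challenge and keys are constructed. The proxied case mirrors the AiTM flow described above: the proxy relays the real site’s challenge, but the victim’s browser records the fake origin, so the signed assertion is rejected. A relayed one-time code, by contrast, carries no origin and is accepted.

```python
"""Toy relying-party (RP) verifier: why a FIDO2/WebAuthn assertion made on a
look-alike site is rejected while a relayed one-time code is not.

Assumptions (not from the article): RP ID "login.example", one registered
credential, HMAC-SHA256 standing in for the real ES256 signature. The checks
mirror WebAuthn's assertion verification: ceremony type, challenge, origin,
rpIdHash, user-present flag, signature.
"""
import hashlib
import hmac
import json

RP_ID = "login.example"                          # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example"        # the only origin the RP accepts
PHISHING_ORIGIN = "https://login-example.test"   # constructed look-alike origin


def sign_assertion(credential_key: bytes, rp_id: str, client_data: dict) -> dict:
    """Simulated browser + authenticator: produce what is handed back to the RP."""
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    # authenticatorData = SHA-256(rpId) || flags (0x05 = UP|UV) || 4-byte sign counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    # The signature covers authenticatorData || SHA-256(clientDataJSON), so the
    # origin string inside clientDataJSON is part of what gets signed.
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(credential_key: bytes, challenge: str, assertion: dict) -> tuple[bool, str]:
    """RP side: accept only an assertion made for our origin and our challenge."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-present flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def direct_login(key: bytes, challenge: str) -> tuple[bool, str]:
    """User signs in on the real site: the browser records the real origin."""
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": EXPECTED_ORIGIN}
    return verify_assertion(key, challenge, sign_assertion(key, RP_ID, cd))


def proxied_login(key: bytes, challenge: str) -> tuple[bool, str]:
    """AiTM case: the proxy relays the RP's real challenge, but the victim's
    browser is on the look-alike origin and writes that into clientDataJSON.
    (A real browser already refuses because the RP ID does not match that
    origin; the RP's origin check is the server-side backstop.)"""
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": PHISHING_ORIGIN}
    return verify_assertion(key, challenge, sign_assertion(key, RP_ID, cd))


def otp_code(secret: bytes, time_step: int) -> str:
    """HOTP-style 6-digit code (constructed simplification of TOTP)."""
    digest = hmac.new(secret, time_step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def relayed_otp_login(secret: bytes, time_step: int, code_typed_on_fake_page: str) -> bool:
    """A one-time code names no origin: whatever the victim types into the fake
    page, the proxy forwards verbatim and the RP cannot tell it was relayed."""
    return hmac.compare_digest(otp_code(secret, time_step), code_typed_on_fake_page)


if __name__ == "__main__":
    key, challenge = b"\x11" * 32, "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed values
    print("direct WebAuthn login :", direct_login(key, challenge))
    print("proxied WebAuthn login:", proxied_login(key, challenge))
    secret = b"\x22" * 20
    print("relayed OTP login     :", relayed_otp_login(secret, 1234, otp_code(secret, 1234)))
```

The point to take from the two verifiers is structural: the WebAuthn check has an origin comparison that the proxy cannot influence, whereas the OTP check has nothing to compare against, which is why the article’s “MFA won’t save you” holds for codes and push approvals but not for FIDO2 credentials.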

Conditional access policies that restrict access to sign-ins from specific IP addresses or networks would also block these attacks, because in an AiTM attack it is the attacker’s proxy, not the victim, that connects to the real portal, so the sign-in arrives from an address outside the allowed set. This would be part of a Zero Trust Network Access strategy. But again, web portals would need to support this.
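As an added example (not from the article or any vendor’s product), here is how such a location-based policy is evaluated over sign-in records. The policy, app name, trusted networks (RFC 5737 documentation ranges) and log lines are all constructed. The second record shows what an AiTM sign-in looks like to the real portal: valid credentials, MFA passed, but a source address that belongs to the proxy rather than to the user’s network.

```python
"""Location-based conditional access evaluated over constructed sign-in records.

Added example; assumed policy: sign-ins to the "M365" app are allowed only
from the organisation's trusted networks (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass

TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/26")]
PROTECTED_APPS = {"M365"}


@dataclass(frozen=True)
class SignIn:
    ts: str
    user: str
    source_ip: str
    app: str
    mfa: str   # "pass", "fail" or "none" as recorded by the portal


# Constructed sign-in log, one record per line. The 10:17 entry is what an AiTM
# proxy produces: the victim's valid credentials and a passed MFA, but the
# connection to the real portal comes from the proxy's address, not the victim's.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z user=alice ip=203.0.113.45 app=M365 mfa=pass
2024-05-01T10:17:52Z user=alice ip=192.0.2.77 app=M365 mfa=pass
2024-05-01T10:20:03Z user=bob ip=198.51.100.9 app=M365 mfa=pass
2024-05-01T11:41:30Z user=carol ip=192.0.2.15 app=Wiki mfa=none
"""


def parse_log(text: str) -> list[SignIn]:
    """Parse 'ts key=value ...' lines into SignIn records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append(SignIn(ts, kv["user"], kv["ip"], kv["app"], kv["mfa"]))
    return records


def evaluate(rec: SignIn) -> tuple[str, str]:
    """Return (decision, reason). The policy applies to protected apps only."""
    if rec.app not in PROTECTED_APPS:
        return "allow", "app not in policy scope"
    ip = ipaddress.ip_address(rec.source_ip)
    for net in TRUSTED_NETWORKS:
        if ip in net:
            return "allow", f"source in trusted network {net}"
    # A passed MFA does not matter here: the policy gates on network location,
    # which an AiTM proxy cannot satisfy unless it sits inside the trusted range.
    return "block", "source outside trusted networks"


def decisions(text: str) -> list[tuple[str, str, str]]:
    """(user, source_ip, decision) for every record, in log order."""
    return [(r.user, r.source_ip, evaluate(r)[0]) for r in parse_log(text)]


def main():
    for r in parse_log(SAMPLE_LOG):
        d, why = evaluate(r)
        print(f"{r.ts} {r.user:6} {r.source_ip:15} {r.app:5} mfa={r.mfa:4} -> {d:5} ({why})")


if __name__ == "__main__":
    main()
```

The caveat a practitioner should keep in mind: this control only helps while the trusted ranges are genuinely trusted. If the attacker can route through an address inside them, for example via a compromised machine or VPN account on that network, the location condition is satisfied, which is why location is usually combined with a device-compliance or phishing-resistant-MFA condition rather than used alone.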

Anti-spam and anti-phishing services may be able to block some of the emails, but don’t count on it. With AI these emails are getting harder to catch.

So again, be wary of every email and text that you get and don’t be quick to click.