The growth of Phishing-as-a-Service and what it means for cybersecurity
June 2022 by Paulo Henriques, Head of Cyber Security Operations
According to a recent study by the Reuters Institute, over a third of Brits are turning away from staying up to date on the news, largely thanks to the glut of bad news we have all been faced with. COVID-19 and the economy continue to draw plenty of attention, but another topic consistently generating negative headlines is cybersecurity.
And rightly so. For those working in the sector, the fact that our data and IT systems are under constant threat from a barrage of cyber-attacks, with nation states in particular probing at every chance they get to find a gap in our security posture, comes as no surprise.
Phishing campaigns remain one of the biggest drivers of headlines and one of the principal causes of cyber-attacks. They’re emotive because they typically prey on those who are unaware of the inherent risks of cyberspace, as well as on corporate users haphazardly sorting through emails in a rush to catch up with the day’s work. And they’re clever too; cyber criminals are masters of mental manipulation and exploit our natural impulses and patterns of thought to catch us out. As a result, human error is, and will continue to be, one of the most common causes of successful cyber-attacks.
That reality explains why phishing remains such a popular attack method. Recent research suggests that there was a 400% rise in phishing attacks in 2021 across critical industries and individuals globally, and it’s likely these numbers will remain high for some time.
But a relatively new development in the phishing world is Phishing-as-a-Service (PaaS), which now plays a key role in this increase. So let me explain what this novel practice entails.
An introduction to Phishing-as-a-Service
Phishing-as-a-Service can carry a couple of different meanings, and it’s important to differentiate between them.
On the one hand, it’s used by various security vendors to offer a white hat service for customers. This involves performing regular phishing test exercises and is designed to help them better evaluate their security awareness posture and identify areas requiring further employee training.
On the other, PaaS has become synonymous with the dark web as a vehicle for nefarious activities. That’s because it’s quickly lowering the financial and technical barriers that previously stopped many cyber criminals from deploying phishing to their advantage. Now, bad actors can purchase all of the tools needed to execute a phishing attack. These ‘kits’, typically assembled by more experienced, organised cyber gangs, include everything from malware to potential targets’ email addresses, making cyber-attacks increasingly accessible to new entrants in the game.
Phishing-as-a-Service at its worst
At its worst, PaaS makes it easier for cyber criminals to steal information and deploy intrusive software that can gain a foothold in corporate networks. Add that on top of the many open-source tools that already exist and can be easily accessed, used and built upon to help carry out attacks, and you have yourself a dangerous cocktail.
Most of us by now are familiar with Software-as-a-Service (SaaS) and its benefits to business, including saving organisations from having to spend time building their own software. Another benefit is that the software is often delivered to a much higher standard, meaning businesses don’t have to worry about errors in code and getting them corrected. PaaS offers the same advantages to cyber criminals: bad actors can launch multiple attacks in a shorter period of time, enjoy a higher success rate, and do so at a reduced cost.
Defence against phishing campaigns
Thanks to Phishing-as-a-Service, it’s becoming alarmingly easy to build an effective phishing campaign, meaning multi-layered solutions that can detect and mitigate phishing attempts are an absolute must.
Email filtering should always be the first layer, with regular cyber training that alters behaviour, improves knowledge, and increases retention forming another. But given that human error is almost impossible to eradicate, endpoint detection and response (EDR) must also be part of the equation, because it detects and prevents malicious activity automatically, with limited human input. You simply have to use all three (email filtering, training and endpoint detection) in tandem; picking and choosing won’t suffice.
Cyber criminals are working together; security measures need to as well
Experienced bad actors are realising they can use their cyber skills not only to launch attacks, but to earn extra cash by teaching and providing the tools for other, less skilled criminals to do the same. This creates a highly complex threat landscape in which no single solution is enough to keep the bad actors out; as they increasingly work together, our security measures must do the same.
Managing this complexity isn’t easy, and it is a task that many businesses don’t have the capacity for, especially amidst a widening talent shortage. Engaging a security partner that can help you deliver round-the-clock security measures is vital; after all, cyber criminals never sleep.