
Phishing as a Service: Kits to steal money and data from companies

Phishing as a Service allows criminals without knowledge or resources to launch sophisticated attacks against companies

Phishing as a Service platforms provide the infrastructure to launch social engineering campaigns against companies and citizens

Malware and denial-of-service attacks are not the only things sold as a service. Phishing as a Service platforms operating on the Dark Web provide turnkey social engineering attacks to thousands of malicious actors who lack the knowledge and resources to run their own phishing campaigns against the customers of banks, payment platforms, technology companies or retailers.

At the end of February 2024, it became public that LabHost, a Phishing as a Service platform with a long criminal history, had been used to launch multiple attacks against bank customers in Canada and the United States in order to trick them into handing over the credentials for their online accounts. Affiliates could choose between three subscription tiers, each with different functionality and a different set of target banks.

This case is only the latest example of a growing criminal model that practically automates sophisticated social engineering attacks against companies, professionals and citizens in order to steal their money and/or information.

1. What exactly does Phishing as a Service consist of?

A criminal group builds a technological infrastructure and markets kits or subscriptions to its affiliate program, allowing phishing campaigns to be launched almost automatically.

Anyone who buys a kit or subscribes to the affiliate program can launch an attack in a couple of clicks without having to:

  • Know how to program in order to build phishing pages.
  • Have any knowledge of social engineering.
  • Operate their own servers to host the malicious domains.
  • Have tools to monitor the progress of an attack.
  • Be able to bypass the two-factor authentication protecting bank accounts, platforms or, paradoxically, Software as a Service products.

In return, the criminal groups make substantial profits by quickly and continuously monetizing the tactics, techniques and procedures they have developed and implemented.

To do so, they market their services through the Dark Web and in forums accessible from the Internet or groups in applications such as Telegram.

These criminal groups design and implement aggressive marketing strategies to attract customers, including launching special promotions for Black Friday, a vital time of the year for cyberattacks against e-commerce and its customers.

The figures speak for themselves. 16shop, a Phishing as a Service platform recently dismantled in an Interpol-led operation, had been used to compromise some 70,000 users in more than 40 countries.

2. What do Phishing as a Service kits include?

One notable aspect of Phishing as a Service platforms is that they offer packages for attacks against specific companies. For example, 16shop sold kits to impersonate Apple, Amazon, PayPal, American Express or Cash App. Each kit was priced differently, depending on the potential gains from an attack: the kit for targeting American Express customers cost twice as much as the one for Amazon. What do the kits include?

  • Phishing pages that mimic the look of the real login pages for a private account, for example a citizen's or a company's online bank account. In the case of 16shop, more than 150,000 phishing domains were created.
  • Hosting on the platform's own servers, so the affiliate needs no infrastructure of their own.
  • Email addresses or telephone numbers of potential victims, obtained from earlier attacks such as ransomware campaigns.
  • Message templates, so that the emails are well written, visually consistent with the genuine communications of the impersonated company and therefore credible.
  • A dashboard to monitor the progress of a phishing campaign in real time.
  • Delivery of the loot: once the attack succeeds, the affiliate who contracted the Phishing as a Service receives the credentials of the users who fell for it and can use them to commit financial fraud or read all kinds of information.

Phishing as a Service is a dangerous cybersecurity trend that threatens corporate data and money

3. Targets and objectives of criminals using Phishing as a Service

Social engineering campaigns launched through Phishing as a Service platforms harm three main groups:

  • The direct victims of the attacks, who hand over their credentials and expose themselves to financial fraud, theft or hijacking of their information, data exfiltration, etc.
  • The companies whose identity is impersonated and whose customers unknowingly hand over the passwords to their personal or corporate accounts.
  • The companies that employ the professionals who hand over credentials to corporate accounts and services. For example, in fraud against the tourism sector, malicious actors seek the hotel booking platform credentials of hotel and travel agency employees in order to defraud their customers.

What are the objectives of criminals who hire Phishing as a Service packages?

  1. To obtain direct financial gain by accessing the bank accounts of citizens and businesses.
  2. To obtain confidential information about individuals and businesses to:
    1. Extort them.
    2. Leak it and damage the reputation of a company or person.
    3. Use it to carry out more complex cyberattacks against companies.
    4. Use financial and personal data to impersonate individuals and obtain credit in their name.
    5. Sell critical information to the attacked company’s competitors. For example, documents related to intellectual property.
    6. Market it through the Dark Web for other malicious actors to carry out new attacks.
    7. Damage the reputation of the companies that own the cloud services and applications, which criminals illegitimately access.

4. Banks, Fintech, cryptocurrencies: Hunting the Money

The recent LabHost case shows once again that criminals in general, and those using social engineering techniques in particular, are targeting the financial sector.

Therefore, it should come as no surprise that most Phishing as a Service platforms offer packages for attacks against bank customers and users of payment platforms such as PayPal and cryptocurrency investors.

After all, many malicious actors have no interest in more complex and ambitious attacks: their goal is to get money in the shortest possible time, and that means access to financial accounts or cryptocurrency wallets.

5. No company is safe from Phishing as a Service

Although the criminal group behind LabHost specializes in the financial sector, it also uses data, message templates and fake web pages to impersonate companies in other sectors, such as the music streaming platform Spotify or the parcel delivery company DHL. As we pointed out earlier, 16shop offered packages to access Apple or Amazon accounts.

This shows that not only banks and payment platforms are being targeted by Phishing as a Service, but also large technology companies that can be affected by the spread of social engineering attacks.

Microsoft is another multinational technology company for which specific kits have been designed. More specifically, its Software as a Service suite, Microsoft 365, is used by thousands of companies worldwide as their daily work environment.

The Greatness Phishing as a Service platform packages phishing attacks so that malicious actors can gain access to Microsoft 365 business accounts, and with them to critical business information: emails, internal documents, customer lists, strategic plans, and files relating to intellectual or industrial property.

Thus, using Greatness, criminals with basic knowledge could launch attacks to steal critical information from companies in multiple sectors (healthcare, manufacturing, technology, etc.).

Phishing attacks have proliferated in recent years

6. A twist: Subverting multi-factor authentication

In recent years, thousands of companies have implemented multi-factor authentication to protect access to cloud platforms and services. This measure is meant to make social engineering attacks harder to pull off, since it is no longer enough for malicious actors to obtain their victims' usernames and passwords. If two-factor authentication is enabled, a second element is also needed, for example a one-time code delivered to the phone by an authenticator app or by SMS.

Phishing as a Service platforms take two-factor authentication into account and are able to get around it. How? By placing a reverse proxy between the victim and the real site, the so-called adversary-in-the-middle (AitM) technique.

6.1. Complex technological developments to overcome defensive barriers

This is what the criminals behind LabHost did, as well as the group that launched Robin Banks, a Phishing as a Service platform focused on attacking banks such as Citibank, Wells Fargo or Santander.

In addition to the standard Phishing as a Service kit, Robin Banks marketed a reverse proxy for adversary-in-the-middle attacks. The proxy sat between the victim and the real bank website and relayed traffic in both directions: the login request, including any one-time code the victim typed, was forwarded to the legitimate server, and the session cookie the server returned was captured in transit. With that cookie, the attacker could log in as the victim without needing the password or a second factor again.

Greatness worked in a similar way when two-factor authentication was enabled. The service relied on an API and a proxy to carry out the following steps:

  • The victim enters their credentials on a fake page imitating the Microsoft 365 login site.
  • Greatness forwards them to the real Microsoft login, which sends a one-time code to the legitimate user.
  • Unaware of the deception, the victim enters the genuine code on the fake page, and Greatness relays it to Microsoft, completing the login.
  • The attacker receives the credentials and the resulting valid session cookies before they expire and uses them to access the account.
  • Once inside Microsoft 365, the malicious actor can read confidential information belonging to the company the professional works for and collect data for financial fraud, extortion, future attacks or sale on the Dark Web.
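One consequence of the flow above is visible in the service provider's own sign-in logs: the successful login is recorded from the kit's proxy, and the stolen cookie is then used from the attacker's machine. The following detection check is an added example written for this page (not code from Greatness, Microsoft or the original post). The log format, one JSON object per line with `ts`, `user`, `event`, `session`, `ip` and `ua` fields, is hypothetical, and the sample lines are constructed.

```python
"""Flag session cookies used from a client other than the one they were issued to."""
import json
from dataclasses import dataclass

# Constructed sample log: alice's session is issued to one client and then used
# from another 90 seconds later; bob is normal; carol's session has no login at all.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:00Z", "user": "alice@example.com", "event": "login_success", "mfa": "otp", "session": "s-1001", "ip": "198.51.100.7", "ua": "Chrome/122 Windows"}
{"ts": "2024-03-01T09:00:04Z", "user": "alice@example.com", "event": "session_use", "session": "s-1001", "ip": "198.51.100.7", "ua": "Chrome/122 Windows"}
{"ts": "2024-03-01T09:01:30Z", "user": "alice@example.com", "event": "session_use", "session": "s-1001", "ip": "203.0.113.45", "ua": "Firefox/123 Linux"}
{"ts": "2024-03-01T10:15:00Z", "user": "bob@example.com", "event": "login_success", "mfa": "otp", "session": "s-1002", "ip": "192.0.2.10", "ua": "Safari/17 macOS"}
{"ts": "2024-03-01T10:20:00Z", "user": "bob@example.com", "event": "session_use", "session": "s-1002", "ip": "192.0.2.10", "ua": "Safari/17 macOS"}
{"ts": "2024-03-01T11:00:00Z", "user": "carol@example.com", "event": "session_use", "session": "s-9999", "ip": "203.0.113.99", "ua": "Chrome/122 Windows"}
"""


@dataclass
class SessionOrigin:
    """The client a session cookie was issued to, as seen at login time."""
    user: str
    ip: str
    ua: str


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines log text and return the events in timestamp order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])  # ISO-8601 UTC strings sort lexically


def detect_session_replay(events: list[dict]) -> list[dict]:
    """Return one alert per session_use whose IP or user agent differs from the
    login that issued the session, or whose session has no login on record."""
    origins: dict[str, SessionOrigin] = {}
    alerts: list[dict] = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login_success":
            origins[sid] = SessionOrigin(ev["user"], ev["ip"], ev["ua"])
            continue
        if ev["event"] != "session_use":
            continue
        origin = origins.get(sid)
        if origin is None:
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "ip": ev["ip"], "reason": "session used without an observed login"})
            continue
        reasons = []
        if ev["ip"] != origin.ip:
            reasons.append(f"ip changed {origin.ip} -> {ev['ip']}")
        if ev["ua"] != origin.ua:
            reasons.append(f"user agent changed {origin.ua!r} -> {ev['ua']!r}")
        if reasons:
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "ip": ev["ip"], "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_events(SAMPLE_LOG)):
        print(alert)
```

Two caveats for anyone turning this into a production rule: an IP change alone is noisy (mobile networks and VPNs change addresses routinely), so compare ASN or geolocation rather than raw addresses and weight the user-agent change more heavily; and in a genuine AitM case the login IP itself belongs to the kit's hosting rather than to the user, so the alert is stronger when the login IP is also unusual for that account.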

7. Combating social engineering techniques and digital frauds

How can companies prevent and respond to attacks executed through Phishing as a Service platforms?

  • Companies whose identity is impersonated, or whose services and applications are accessed illegitimately, should rely on cyber intelligence services specialized in digital fraud to detect the kits and domains that target them and implement effective countermeasures that render the criminals' strategies ineffective.
  • Conduct Social Engineering Tests to train and raise awareness among corporate professionals while measuring their level of preparedness against phishing attacks that are growing in number and complexity as Phishing as a Service platforms consolidate.
  • Use incident response services. Every company should have professionals trained to assess a security incident, respond immediately, contain its scope and expel the malicious actor before they achieve their goals.
  • Implement phishing-resistant authentication, such as FIDO2/WebAuthn security keys or passkeys. Unlike one-time codes, these credentials are bound to the legitimate site's origin and signed inside the browser, so a reverse proxy on a lookalike domain cannot relay or replay them.
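The difference between the one-time codes subverted in section 6 and the phishing-resistant authentication recommended above comes down to one property: whether the proof of possession covers the origin the browser actually saw. The simulation below is an added example written for this page, not code from any of the kits or vendors mentioned. It is self-contained (no network, no real WebAuthn library); the domains, user, password and secrets are constructed; and the "FIDO2-style" assertion is simplified, using a symmetric key shared with the server in place of the authenticator's key pair and signing challenge plus origin instead of authenticatorData plus the hash of clientDataJSON. What it preserves is exactly the part that defeats an AitM proxy.

```python
"""AitM reverse proxy against password+TOTP versus an origin-bound login."""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://login.example-bank.test"         # hypothetical real site
PHISH_ORIGIN = "https://login.example-bank-secure.test"  # hypothetical lookalike domain


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step); the same value whoever types it in."""
    digest = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> dict:
    """Simplified FIDO2-style assertion produced in the victim's browser: the
    signature covers the origin the browser is really on, which the user cannot
    override (HMAC with a shared key stands in for the authenticator's key pair)."""
    sig = hmac.new(key, challenge + origin.encode(), hashlib.sha256).hexdigest()
    return {"origin": origin, "challenge": challenge.hex(), "sig": sig}


class Server:
    """Legitimate site offering password + TOTP login and an origin-bound login."""

    def __init__(self):
        self.users, self.sessions, self.challenges = {}, {}, {}

    def register(self, user, password, totp_secret, auth_key):
        self.users[user] = {"pw": password.encode(), "totp": totp_secret, "key": auth_key}

    def _issue_cookie(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def login_otp(self, user, password, code, now):
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["pw"], password.encode()):
            return None
        if not hmac.compare_digest(totp(u["totp"], now), code):
            return None
        return self._issue_cookie(user)  # nothing ties a valid code to where it was typed

    def begin_webauthn(self, user):
        self.challenges[user] = secrets.token_bytes(32)
        return self.challenges[user]

    def finish_webauthn(self, user, assertion):
        u, challenge = self.users.get(user), self.challenges.pop(user, None)
        if not u or challenge is None or assertion["origin"] != LEGIT_ORIGIN:
            return None  # origin check: a lookalike domain is rejected outright
        expected = sign_assertion(u["key"], challenge, assertion["origin"])["sig"]
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None  # signature check: an edited origin field does not verify
        return self._issue_cookie(user)


class AitMProxy:
    """The kit's reverse proxy: relays whatever the victim submits to the real
    server and keeps a copy of any session cookie that comes back."""

    def __init__(self, server):
        self.server, self.stolen = server, []

    def _keep(self, cookie):
        if cookie:
            self.stolen.append(cookie)
        return cookie

    def relay_otp_login(self, user, password, code, now):
        return self._keep(self.server.login_otp(user, password, code, now))

    def relay_webauthn(self, user, victim_key, rewrite_origin=False):
        challenge = self.server.begin_webauthn(user)  # real challenge, forwarded unchanged
        # victim_key is held by the victim's authenticator, never by the proxy;
        # the victim's browser signs while sitting on the lookalike origin.
        assertion = sign_assertion(victim_key, challenge, PHISH_ORIGIN)
        if rewrite_origin:  # proxy edits the origin field before forwarding
            assertion = dict(assertion, origin=LEGIT_ORIGIN)
        return self._keep(self.server.finish_webauthn(user, assertion))


def run_demo(now: int = 1_700_000_000) -> dict:
    """Run the scenarios and report which ones hand the attacker a live session."""
    server, totp_secret, auth_key = Server(), b"constructed-totp-seed", b"constructed-key"
    server.register("alice", "correct horse", totp_secret, auth_key)
    proxy = AitMProxy(server)
    otp_cookie = proxy.relay_otp_login("alice", "correct horse", totp(totp_secret, now), now)
    fido_cookie = proxy.relay_webauthn("alice", auth_key)
    rewritten_cookie = proxy.relay_webauthn("alice", auth_key, rewrite_origin=True)
    legit_cookie = server.finish_webauthn(
        "alice", sign_assertion(auth_key, server.begin_webauthn("alice"), LEGIT_ORIGIN))
    return {
        "otp_session_stolen": server.whoami(otp_cookie) == "alice",
        "fido_session_stolen": fido_cookie is not None,
        "origin_rewrite_accepted": rewritten_cookie is not None,
        "legit_fido_login_ok": server.whoami(legit_cookie) == "alice",
        "cookies_in_attacker_hands": len(proxy.stolen),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The TOTP path fails because a valid code is valid regardless of who submits it, which is all the proxy needs. The origin-bound path fails the attacker twice: the server refuses an assertion whose origin is the lookalike domain, and if the proxy rewrites that field the signature no longer verifies. Real WebAuthn adds what this toy omits (asymmetric keys, attestation, counters, user-presence flags), but the origin binding is the property that makes it phishing-resistant.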

In short, the Phishing as a Service model allows thousands of criminals without specialized knowledge or technological resources to carry out sophisticated social engineering attacks. This multiplies the number of attackers that companies have to deal with and poses a great challenge for companies in all kinds of sectors, not only in the financial or technological fields.