Getty Images/iStockphoto
How to defend against phishing as a service and phishing kits
Phishing is a perennial thorn in the side of enterprise security. Thanks to phishing-as-a-service offerings and phishing kits, the problem will only get worse.
Enterprises continue to see a steady increase in phishing attacks. One of the primary reasons is the now-widespread availability of easy-to-use phishing kits and phishing-as-a-service offerings, which make the following possible:
- Inexperienced, novice attackers with limited technical skills can successfully launch phishing campaigns.
- Experienced, professional threat actors can scale their operations and achieve higher success rates.
Let's look at how both work and how to defend against them.
How phishing kits work
Cybercriminals primarily use basic phishing kits to quickly create fake webpages that look like the sites of well-known brands. Phishing kits consist of the following two parts:
- An HTML page that is a replica of an original, legitimate website. Typically, the page solicits user information that is valuable to the attackers, such as usernames, passwords, challenge questions and answers, credit card numbers, Social Security numbers, phone numbers and addresses.
- A phishing script that collects the data and sends it to the attacker through any number of mechanisms, such as email, Telegram or WhatsApp.
While defenders can and do block such malicious websites, these toolkits enable malicious hackers to create them at speed and at scale -- in some cases, faster than defensive mechanisms can recognize and block them. During the period a malicious site is live and unblocked, phishers try to dupe as many victims as possible for maximum ROI.
How phishing as a service works
Phishing as a service (PhaaS) is a more modern, expanded version of basic phishing kits that further lowers the barrier to entry for would-be cybercriminals, making phishing even more accessible to those with limited technical savviness.
PhaaS offerings are off-the-shelf packages that include advanced phishing kit features, such as the following:
- Malicious email templates.
- Malicious landing page templates.
- Multisite hosting services.
- Attack tutorials.
- Contact information of potential targets.
- Credential theft management services.
- Automatic, repeated distribution of phishing messages.
- Subscription-based pricing.
- Customer support.
Phishing services are generally easy to understand and subscribe to, and some providers even offer guarantees to attract more aspiring malicious actors.
Phishing-as-a-service platforms
Some of the most popular PhaaS platforms include Greatness and Strox. Greatness includes the following features:
- Pre-designed phishing templates that convincingly mimic legitimate websites, making it more likely potential victims fall for them.
- User-friendly interfaces for campaign management.
- Sophisticated back-end support for data harvesting and analytics.
Greatness not only simplifies the process of launching phishing campaigns, but also significantly amplifies the potential impact and reach of such cyberattacks, challenging cybersecurity defenses on a global scale.
Strox similarly offers an intuitive, user-friendly service that enables even novices to launch sophisticated phishing campaigns. It provides a seamless back-end infrastructure that lets users manage their campaigns, analyze success rates, and efficiently collect and sort stolen data.
How to defend against phishing as a service
Defending against PhaaS requires a multipronged approach that combines technological controls with user education to strengthen the security posture.
First and foremost, focus on defending users' inboxes, as email-based phishing attacks are among the most common and most destructive:
- Advanced email filtering. Deploy advanced email filtering tools, such as email security gateways, that can detect and quarantine phishing emails before they enter inboxes. These tools act as a barrier between the external internet and the internal network, analyzing messages for malicious links, spurious web addresses and suspicious attachments.
- Strong password policies and MFA. Further strengthen email security by implementing MFA and ensuring users practice good password hygiene.
- Patch management. Make critical patch updates of email systems as soon as they are available, preventing phishing campaigns from exploiting known vulnerabilities.
- Technical security controls. Deploy additional technical security controls, such as the Domain-based Message Authentication Reporting and Conformance protocol, which helps authenticate emails' origins and reduce spoofed messages. Endpoint protection tools provide another layer of defense by detecting and blocking malicious and suspicious activities on devices.
- Security awareness training. It is critical to raise and maintain phishing awareness among employees with regular security training, maximizing the odds they recognize attacks. Simulated phishing exercises put users' knowledge to the test and show what types of attacks they are most likely to fall for so security teams can update training programs accordingly. Newer training techniques, such as gamification and competitions, can make security awareness training more fun and resonant with the audience.
Ashwin Krishnan is a technical writer based in California. He hosts StandOutin90Sec, where he interviews cybersecurity newcomers, employees and executives in short, high-impact conversations.