{"id":11149,"date":"2019-07-09T13:28:42","date_gmt":"2019-07-09T17:28:42","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=11149"},"modified":"2019-07-09T17:57:50","modified_gmt":"2019-07-09T21:57:50","slug":"phishing-as-a-service-turn-key-phishing-kits","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/phishing-as-a-service-turn-key-phishing-kits\/","title":{"rendered":"Phishing-as-a-Service: Turn-key Phishing Kits"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Cyren reports finding over 5,334 unique phishing kits just this year<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Historically, phishing \u2013 like most cybercrimes \u2013 has had a technical barrier to entry. As in, you needed to have at least a moderate degree of sophistication in order to successfully mount a phishing campaign. Obviously not much. <a href=\"https:\/\/www.thesslstore.com\/blog\/phishing-email-examples-the-best-worst\/\">There\u2019s no shortage of bad phish<\/a> \u2013 I see two or three drop into my junk folder per day \u2013 but it still wasn\u2019t something a layman could pull off.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That is no longer the case. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Enterprising cybercriminals have now brought phishing to the common man with turn-key phishing kits and Phishing-as-a-Service (PhaaS) products that come with subscriptions and varying levels of service. There is no longer a technical barrier \u2013 only a financial one.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, today we\u2019re going to talk about the rise of phishing-as-a-service and turn-key phishing kits, but we\u2019re also going to look at the evolution of the cybercrime economy, which is beginning <a href=\"https:\/\/www.thesslstore.com\/blog\/2018-cybercrime-statistics\/\">to embrace platform capitalism<\/a> and other more traditional business practices. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe to Phishing-as-a-Service just like you would Netflix<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cyren is an IT security company that offers a\nSecurity-as-a-Service and threat intelligence solutions. I mention this because\nit\u2019s a great jumping off point to quickly explain the whole \u2018as-a-service\u2019\nconcept to anyone that isn\u2019t familiar. <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/bigstock-202108018-300x300.png\" alt=\"\" class=\"wp-image-11154\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/bigstock-202108018-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/bigstock-202108018-768x768.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/bigstock-202108018-1024x1024.png 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Whereas traditional software came in the form of a download\n(or, back in the days of antiquity you could purchase it in a physical format\nat a brick-and-mortar store) that resided on the user\u2019s device,\nsoftware-as-a-service (and similarly infrastructure-as-a-service and platform-as-a-service)\nis hosted on the provider\u2019s servers and made available via the internet. It\u2019s a\nform of cloud computing. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are several advantages to this business model:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Financial<\/strong> \u2013 For users, rather than purchasing software, and potentially hardware, they simply pay for a monthly or yearly subscription. 
For providers, rather than a single, one-time payment, you receive recurring payments for the life of the subscription. <\/li><li><strong>Scalability<\/strong> \u2013 Services can be accessed on demand, and the user can choose to access more \u2013 or fewer \u2013 features and services based on their specific needs.<\/li><li><strong>Updating<\/strong> \u2013 Rather than wait for users to download and install updates and patches, the provider can handle updates itself on its own servers and roll them out to users on its own timetable. This reduces IT burdens on the user side.<\/li><li><strong>Accessibility<\/strong> \u2013 Users can access the service anywhere they can access the internet, whereas traditional software needs to be installed on each individual device you connect from.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Now apply that to any \u201cas-a-Service\u201d product you come across and you should have a solid idea of how it works \u2013 whether it\u2019s a security product or a video game. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Phishing-as-a-Service and Turn-key phishing kits<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In a July 1<sup>st<\/sup> blog post, <a href=\"https:\/\/www.cyren.com\/blog\/articles\/evasive-phishing-driven-by-phishing-as-a-service\">Cyren reports finding 5,334 unique, turn-key phishing kits<\/a> from 2019 alone. These are products offered by the aforementioned \u201cPhishing-as-a-Service industry.\u201d If the fact that it\u2019s big enough to refer to as an industry troubles you, that\u2019s just the tip of the iceberg when it comes to the cybercrime economy \u2013 we\u2019ll get to that in a minute though.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These PhaaS operations offer both one-off turn-key phishing\nattack kits, for as little as $50, and full-service subscriptions that,\non average, cost $50-80 per month. They even offer discounts. 
Here\u2019s an\nexample, courtesy of Cyren:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"357\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/Example-phishing-offerings-Screen-Shot-2019-06-04-1024x357.png\" alt=\"\" class=\"wp-image-11151\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/Example-phishing-offerings-Screen-Shot-2019-06-04-1024x357.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/Example-phishing-offerings-Screen-Shot-2019-06-04-300x105.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/Example-phishing-offerings-Screen-Shot-2019-06-04-768x268.png 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ll touch on this more in a moment, but just take a second and look at the presentation of these products. This doesn\u2019t look like some fly-by-night criminal operation \u2013 it looks like a legitimate eCommerce website, complete with shopping cart, product ratings and a professional-looking UI. They\u2019re even using proven marketing tactics like the decoy effect and price priming. These criminal enterprises are leveraging traditional, legitimate business practices to push their products.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Better phish than you can catch in the wild<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">One of the additional benefits of the SaaS business model that we didn\u2019t list earlier is that it provides a strong incentive for providers to continue refining and improving their products. After all, if the product is ineffective or goes stagnant, customers are going to start abandoning ship and money will be lost. Phishing-as-a-Service is no different. Only in PhaaS\u2019s case, that benefit is pernicious. 
Because it means the phish are evolving, becoming better \u2013 sentient. Ok, not sentient, but smarter. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Per Cyren:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>A straight line can be drawn between the availability of such kits and turn-key phishing platform services and the growth in evasive phishing\u2014phishing attacks that use tactics to confound detection by email security systems. Today\u2019s reality is that we are seeing more evasive phishing campaigns in the hands of more attackers at less effort and lower cost than in the past, as technically sophisticated phishing attack developers have adopted a SaaS business model to let even the most amateur criminal wanna-be [sic] spoof targeted web sites with a high degree of authenticity and embedded evasive tactics.<\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Obviously, none of that is good. Cyren reports that 87% of\nphishing kits include evasive techniques, and that\u2019s really a matter of\nsemantics. Cyren has six techniques that it defines as evasive and it looks for\nthe presence of at least one of those before saying a kit uses evasive\ntechniques. 
<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>HTML Character Encoding \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/unicode-domain-phishing\/\">A form of Unicode Phishing<\/a><\/li><li>Content Encryption \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/how-to-send-encrypted-email-on-3-major-email-platforms\/\">Sending encrypted email or attachments<\/a><\/li><li>Inspection Blocking \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/how-to-read-an-email-header\/\">Employing blocklists to prevent scanning and inspection<\/a><\/li><li>URLs in Attachments \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/https-phishing-the-rise-of-url-based-attacks\/\">URL-based attacks<\/a><\/li><li>Content Injection \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/third-party-content-injection\/\">Injecting phishing content directly into a website<\/a><\/li><li>Legitimate Cloud Hosting \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/email-security-part-2-phishing-and-other-falseness\/\">Hosting websites on AWS, Azure, etc.<\/a><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Six different evasive techniques, all intended to fool mail\nclients into delivering the email. That\u2019s their approach. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We tend to categorize phishing techniques a bit differently at Hashed Out. In fact, Casey wrote about this very thing on Friday, listing <a href=\"https:\/\/www.thesslstore.com\/blog\/10-types-of-phishing-attacks-and-phishing-scams\/\">10 different types of phishing<\/a> attacks and scams. 
<\/p>\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-post\">\n\t\t\t<a href=\"https:\/\/www.thesslstore.com\/blog\/10-types-of-phishing-attacks-and-phishing-scams\/\" class=\"wp-block-advanced-gutenberg-blocks-post__image\" style=\"background-image: url('https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/Types-of-Phishing-Feature-300x180.png')\">\n\t\t<\/a>\n\t\t<div class=\"wp-block-advanced-gutenberg-blocks-post__content\">\n\t\t<p class=\"wp-block-advanced-gutenberg-blocks-post__title\">\n\t\t\t<a href=\"https:\/\/www.thesslstore.com\/blog\/10-types-of-phishing-attacks-and-phishing-scams\/\">10 Types of Phishing Attacks and Phishing Scams<\/a>\n\t\t<\/p>\n\t\t<p class=\"wp-block-advanced-gutenberg-blocks-post__metas\">\n\t\t\t<em>\n\t\t\t\t\t\t\t\t\t<span> In Hashing Out Cyber Security <\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span> By Casey Crane <\/span>\n\t\t\t\t\t\t\t<\/em>\n\t\t<\/p>\n\t\t<div class=\"wp-block-advanced-gutenberg-blocks-post__excerpt\">\n\t\t\t<p>\n\t\t\t\t<p>There&#8217;s more than just one type of phish. Knowing what to look for can help your organization from getting swallowed. Here are 10 different types of phishing.<\/p>\n\t\t\t<\/p>\n\t\t<\/div>\n\t\t<p class=\"wp-block-advanced-gutenberg-blocks-product__actions\">\n\t\t\t<a href=\"https:\/\/www.thesslstore.com\/blog\/10-types-of-phishing-attacks-and-phishing-scams\/\" class=\"wp-block-advanced-gutenberg-blocks-post__button\">\n\t\t\t\tRead more\t\t\t<\/a>\n\t\t<\/p>\n\t<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Every phishing email attempts to be evasive. Some more\nsuccessfully than others. Historically, the evasiveness of a phish was indicative\nof the level of technical sophistication of its creator. That\u2019s what makes Phishing-as-a-Service\nso worrisome \u2013 anyone with a little bit of cash can now send convincing phish. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The biggest barrier to entry has been removed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">This is indicative of a larger pattern with the cybercrime economy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The cybercrime economy generated \u2013 by conservative estimates &#8211; <a href=\"https:\/\/www.thesslstore.com\/blog\/2018-cybercrime-statistics\/\">$1.5 trillion dollars in 2018<\/a>. <\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td>\n  <strong>Crime<\/strong>\n  <\/td><td>\n  <strong>Annual Revenues<\/strong>\n  <\/td><\/tr><tr><td>\n  Illegal online\n  markets\n  <\/td><td>\n  $860 Billion\n  <\/td><\/tr><tr><td>\n  Trade secret, IP\n  theft\n  <\/td><td>\n  $500 Billion\n  <\/td><\/tr><tr><td>\n  Data Trading\n  <\/td><td>\n  $160 Billion\n  <\/td><\/tr><tr><td>\n  Crime-ware\/CaaS\n  <\/td><td>\n  $1.6 Billion\n  <\/td><\/tr><tr><td>\n  Ransomware\n  <\/td><td>\n  $1 Billion\n  <\/td><\/tr><tr><td>\n  Total Cybercrime\n  Revenues\n  <\/td><td>\n  $1.5 Trillion\n  <\/td><\/tr><\/tbody><\/table>\n\n\n\n<p class=\"wp-block-paragraph\">Crimeware-as-a-Service, a category that includes Phishing-as-a-Service, generated a modest $1.6 billion. That\u2019s still more than the GDP of the Solomon Islands. 
That figure is expected to increase in 2019.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here are some other services you can purchase via the SaaS\nmodel:<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td>\n  <strong>Cybercrime\n  Product or Service<\/strong>\n  <\/td><td>\n  <strong>Price (in US\n  Dollars)<\/strong>\n  <\/td><\/tr><tr><td>\n  SMS Spoofing\n  <\/td><td>\n  $20\/month\n  <\/td><\/tr><tr><td>\n  Custom Spyware\n  <\/td><td>\n  $200\n  <\/td><\/tr><tr><td>\n  Hacker-for-Hire\n  <\/td><td>\n  $200+\n  <\/td><\/tr><tr><td>\n  Malware Exploit\n  Kit\n  <\/td><td>\n  $200-$700\n  <\/td><\/tr><tr><td>\n  Blackhole Exploit\n  Kit\n  <\/td><td>\n  $700\/month or\n  $1,500\/year\n  <\/td><\/tr><tr><td>\n  Zero-Day Adobe\n  Exploit\n  <\/td><td>\n  $30,000\n  <\/td><\/tr><tr><td>\n  Zero-Day iOS\n  Exploit\n  <\/td><td>\n  $250,000\n  <\/td><\/tr><\/tbody><\/table>\n\n\n\n<p class=\"wp-block-paragraph\">But the larger trend is that the lines between legitimate enterprise and criminal enterprise have begun to blur in ways we never expected. We mentioned earlier how professional the storefront that was selling turn-key phishing kits looked, but that trend didn\u2019t start with PhaaS. The biggest generator of cybercrime profits is illegal markets. And a huge part of that is counterfeit goods. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In 2017, counterfeit fashion goods \u2013 clothing, textiles, head wear, footwear, handbags, makeup, watches, etc. \u2013 <a href=\"http:\/\/www.thefashionlaw.com\/home\/the-counterfeit-report-the-impact-on-the-fashion-industry\">amounted to $450 billion in illicit profits by themselves<\/a>. But you can counterfeit just about anything, from children\u2019s toys to medicine. And most people never have any idea they\u2019re buying a fake. 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"287\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/bigstock-Software-Icon-Isolated-On-Whit-275107171-287x300.png\" alt=\"\" class=\"wp-image-11153\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/bigstock-Software-Icon-Isolated-On-Whit-275107171-287x300.png 287w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/bigstock-Software-Icon-Isolated-On-Whit-275107171-768x802.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/bigstock-Software-Icon-Isolated-On-Whit-275107171-980x1024.png 980w\" sizes=\"auto, (max-width: 287px) 100vw, 287px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">That can be attributed to the same types of convincing eCommerce storefronts (and marketing tactics) we saw in the PhaaS example earlier. Oftentimes, the sales don\u2019t even occur at the retail level, they occur at the wholesale level when unsuspecting buyers purchase fake goods in bulk and market them legitimately. Regardless, whether its retail or wholesale, more than just the product needs to be imitated. The supplier needs to appear legitimate; it needs to look like a real business. In fact, in most senses these criminal enterprises ARE legitimate businesses in every context but legality.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This trend has permeated across the entire cybercrime economy. And it shows no signs of abating. Some of these criminals have a real business sense. 
And now anybody with a few bucks can phish or hack with the best of them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I think it\u2019s fair to say this is the dark side of capitalism.<\/p>\n\n\n\n\n\n<p class=\"wp-block-paragraph\"><em>As always, leave any comments or questions below\u2026 <\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"267\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg\" alt=\"Hashed Out by The SSL Store is the voice of record in the SSL\/TLS industry.\" class=\"wp-image-7276\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-300x78.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-768x200.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg 1559w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Cyren reports finding over 5,334 unique phishing kits just this year Historically, phishing \u2013 like most cybercrimes \u2013 has had a technical barrier to entry. 
As in, you needed to&#8230;<\/p>\n","protected":false},"author":6,"featured_media":11152,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[166],"class_list":["post-11149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-phishing","post-with-tags"],"views":14792,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/PhaaS-Feature.png","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=11149"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11149\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/11152"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=11149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=11149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=11149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}