Phishing as a service

Written by Davide Andreoletti, SUPSI

In this post we describe the emerging model of Phishing as a Service (PHaaS).

The increasing complexity and widespread diffusion of IT systems have made necessary a radical paradigm shift from standalone solutions to more flexible and cost-effective service-based ones. A well-known example is the cloud-based offering of Storage as a Service (e.g., Dropbox).

Security is no exception and follows the same trend, with technologies known under the name of Security as a Service (SECaaS). Their aim is to properly face the new challenges that characterize cyberspace; the basic idea is, in fact, to sell security as a service to multiple customers.

Moving into the field of Social Engineering, phishing is generally the starting point of cyber-attacks: it is still responsible for 91% of data breaches[1], and 93% of phishing emails contain ransomware[2]. Therefore, solutions offering Phishing as a Service (PHaaS) are gaining popularity. A fundamental distinction must be made between PHaaS solutions, as they are employed both on the defensive and on the offensive side.

As far as the first category is concerned, PHaaS consists of conducting phishing campaigns as part of the awareness program of the customer company. For instance, the Deloitte[3] company launches tailored phishing attacks to assess the vulnerability of the employees, who are divided into logical groups to obtain more fine-grained results.
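The defensive use described above produces results per logical group, so the awareness program can see which groups click, which submit credentials, and which report the message. The following is an added example, not code from the original post nor from Deloitte or any PHaaS vendor: it assumes a simple constructed CSV export (one row per targeted employee, with boolean outcome columns) and computes per-group click, compromise and report rates, then flags the groups whose behaviour is below a threshold chosen here as an assumption.

```python
"""Per-group metrics for a simulated phishing (awareness) campaign.

Added example, not from the original post. The input format is an
assumption: one CSV row per employee targeted by the simulation, with the
employee's logical group and what they did with the simulated e-mail.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; employee ids, groups and outcomes are made up.
SAMPLE_RESULTS = """\
employee,group,delivered,opened,clicked,submitted_credentials,reported
e001,finance,1,1,1,1,0
e002,finance,1,1,1,0,0
e003,finance,1,1,0,0,1
e004,finance,1,0,0,0,0
e005,engineering,1,1,0,0,1
e006,engineering,1,1,1,0,1
e007,engineering,1,0,0,0,0
e008,engineering,1,1,0,0,1
e009,sales,1,1,1,1,0
e010,sales,1,1,1,1,0
e011,sales,1,1,1,0,0
e012,sales,1,1,0,0,0
"""

OUTCOME_FIELDS = ("delivered", "opened", "clicked", "submitted_credentials", "reported")


def parse_results(text):
    """Parse the CSV export into a list of dicts with boolean outcome fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        parsed = {"employee": row["employee"], "group": row["group"]}
        for field in OUTCOME_FIELDS:
            parsed[field] = row[field].strip() == "1"
        rows.append(parsed)
    return rows


def group_metrics(rows):
    """Return {group: {delivered, click_rate, compromise_rate, report_rate}}.

    Rates are relative to delivered messages; a group with nothing delivered
    gets zero rates instead of a division error.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        for field in OUTCOME_FIELDS:
            counts[r["group"]][field] += int(r[field])
    metrics = {}
    for group, c in counts.items():
        n = c["delivered"]
        rate = (lambda k: c[k] / n) if n else (lambda k: 0.0)
        metrics[group] = {
            "delivered": n,
            "click_rate": rate("clicked"),
            "compromise_rate": rate("submitted_credentials"),
            "report_rate": rate("reported"),
        }
    return metrics


def groups_needing_training(metrics, max_click_rate=0.25, min_report_rate=0.25):
    """Groups that click too often or report too rarely (thresholds are assumptions)."""
    return sorted(
        g for g, m in metrics.items()
        if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate
    )


if __name__ == "__main__":
    metrics = group_metrics(parse_results(SAMPLE_RESULTS))
    print(f"{'group':<12}{'delivered':>10}{'click':>8}{'compr.':>8}{'report':>8}")
    for group, m in sorted(metrics.items()):
        print(f"{group:<12}{m['delivered']:>10}{m['click_rate']:>8.2f}"
              f"{m['compromise_rate']:>8.2f}{m['report_rate']:>8.2f}")
    print("needs training:", groups_needing_training(metrics))
```

The report rate matters as much as the click rate: a group that clicks rarely but never reports gives the security team no signal when a real campaign arrives, so both thresholds are checked.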

As far as the second category is concerned, given the statistics provided above, PHaaS is likely to become the cornerstone of the cyber black market. According to the Imperva report[4], some criminal organizations are able to offer a full service for as little as $4200 per month. The service consists of the creation of fake schemes (e.g., web pages or e-mails), as well as the compromise of the needed servers, which proved to be an easy part of the attack, as stated in [5].

Given that the current exchange rate for stolen credentials ranges from $0.015 to $15.39[6], and that obtaining up to 1000 credentials per day is not difficult with an accurate campaign, the return easily exceeds the investment. Therefore, both unskilled people and hackers can take advantage of this service at affordable cost.

This remunerative business model has two dangerous consequences: 1) unskilled people can take advantage of such a service, and 2) hackers might find it convenient to use it instead of crafting an attack from scratch. In fact, it has been shown that for large-scale attacks such a service is more effective than the traditional home-made one[7]. A proliferation of phishing-based attacks is to be expected.


This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618