Phishing as a Service (PaaS): Cybercriminals Turned Service Providers

Publish Date



  • Cybersecurity
  • Cybersecurity Resources

In the first quarter of 2022, the Anti-Phishing Working Group (APWG) discovered 1,025,968 distinct phishing attacks, which is the first time that the quarterly total has exceeded one million. While phishing attacks have been a common concern for cybersecurity experts in the past, a new wave of phishing is gaining traction. Cybercriminals have become service providers offering Phishing as a Service (PaaS) on the dark web, with products such as one-time phishing kits or subscription offers to help others launch multiple attacks for a monthly fee. The emergence of Phishing and Ransomware as a Service (P/RaaS) platforms represent a startling shift in cybercrime: it has become an industry.  

As cybercriminals seek to improve their product offerings, phishing attacks will become more difficult to spot and combat, their frequency will likely increase, and can ultimately become more of a liability for organizations. Employee awareness and response plans are no longer just preventative, they are imperative for robust cybersecurity. 

Phishing as a service is becoming more common  

PaaS is worrisome because it removes the barrier to entry for cybercriminal activity. Previously, hackers would need to understand HTML and know how to build imitative websites to steal personal information. Now, “phishing kits” sold by PaaS companies do all the groundwork in exchange for a fee. Another danger of PaaS is that hackers are working in groups to grow their online presence and reputation. This allows for hackers to produce more malicious content and capitalize the cybercriminal market more effectively. Unfortunately, there are many examples of how Phishing as a Service has already impacted the volume and impact of cyber attacks.  

BulletProofLink is a clandestine operation which has over 100 phishing templates to mimic well-known brands. Microsoft researchers discovered BulletProofLink when they encountered a large volume of new unique subdomains (more than 300,000 in a single run). Microsoft has been researching PaaS for the past few years and has been able to tie multiple phishing attacks back to BulletProofLink and other major PaaS organizations. The highlighted reuse of phishing kits showcases how PaaS can increase the frequency in which organizations will encounter phishing attacks from multiple parties. Large organizations have already been negatively impacted by phishing kits from PaaS providers.  

In August of 2022, over 130 companies who were customers of IAM leader Okta, were compromised when a hacker mimicked their Multi Factor Authentication (MFA) requirements and stole thousands of MFA codes and personal information. This attack was carried out using a phishing kit—later identified by unique fonts and images that were found in other phishing incidents. The takeaway from Microsoft’s research is that phishing kits can, and are, being used repeatedly by different people. Not only are different people using the same phishing kit to obtain personal information from multiple companies, but the stolen information can also be shared with others who have created and/or purchased the same phishing kit. This is known as a double-theft service.  

Double-theft services such as PaaS and RaaS are concerning because compromised information can be shared across platforms to increase the success rate of future attacks. For example, if a password is compromised from an initial attack brought about by a phishing kit, that password can then be shared on a PaaS platform. Then, that same phishing kit can be used by a separate cybercriminal who now also has access to the compromised information and can use it to further infiltrate more personal accounts. Unfortunately, the potential success for PaaS providers can be exponential with information sharing. Double-theft services are an example of how the cybercrime economy continues to evolve its methods for obtaining personal data.  

How to combat PaaS  

Though the future of Phishing as a Service is concerning, it is not bleak for organizations. Cybersecurity perspectives should shift to view phishing as something more complex than an odd-looking email. Phishing kits have been used to attack MFA, mimic verified credential websites, and much more. The best way to approach PaaS attacks is having a diverse prevention and response plan on an organizational level rather than an individual one.

1. Start with the source:

  • Phishing kits often have unique markers (such as distinct fonts) that once they are identified, they can be implemented into existing cybersecurity systems to scan for the differences and recognize future attacks from similar phishing kits.
  • Routinely update your cyber programs to filter out multiple phishing methods (font differences, distorted images, etc.)

2. Educate employees about what to look for and how to respond: 

  • Educate employees on the multiple phishing attack methods such as MFA/2FA in addition to how to spot a phishing email 
  • Ensure organizational procedures for reporting phishing attempts are up to date
    • What is the response time to contain a successful phishing attempt? 

3. Have an organizational response plan instead of an individualized approach: 

  • If one employee is affected by a phishing attack, assume that their information can be used to corrupt other accounts as well 
    • If a breach occurs, encourage business groups at large to change their personal account information to get ahead of any further compromises
    • Having an organizational response to breaches will make phishing attempts more difficult and help prevent double-theft services 

Takeaways from PaaS prevention 

The success of phishing attacks relies on the volume of attempts and the hope that an unlucky employee won’t recognize slight distortions in emails, images, and/or links. If cybercriminals reuse phishing kits, the amount of attack attempts may increase, but the success rate can be mitigated if organizations spot them early and implement practices to scan for the unique identifiers of a phishing kit. Don’t get caught in the Phishing as a Service net and take the time to conduct a thorough review of policies and procedures over the next few months to be fully prepared in the coming new year.  

How we help 

Our cybersecurity and risk services help organizations secure their data and implement appropriate cybersecurity policies, including: 

  • Aponix Protect™ to build a comprehensive cybersecurity and technology risk management program tailored to your business needs.
  • Business impact analysis and business continuity plans complete with robust policies, plans, and procedures to better protect your company from data breaches and efficiently recover from a cyber incident or significant business disruption.
  • Risk assessments to identify and remediate gaps in a firm’s current cybersecurity and regulatory state, as well as figure out how a firm stands up against existing frameworks (SOC, PCI, NIST). 
  • Staff training and threat monitoring to educate on industry best practices, cyber trends, and emerging threats. 
  • Vulnerability and penetration testing to reduce the risk of financial, operational, and reputational losses that can result from a breach. 

For questions about this article, or to find out how we can help you mitigate your firm’s risk, please reach out to your ACA consultant or contact us

Watch our live webcast

The methods and tactics for cyber breaches have shifted, as cybercriminals have turned their attack knowledge into an industry with Phishing and Ransomware as services. Due to this shift, 2022 was a record-breaking year for cybercrime with the average cost of a cyber breach reaching a high of $4.35 million. As the costs of breaches continue to rise, so too does the number of organizations who are experiencing breaches, with 83% of companies reporting that they’ve suffered more than one breach in their lifetime (according to the 2022 IBM Cost of a Data Breach Report).

Join us as we discuss the seven scariest breaches of 2022 as well as how to combat cybercrime through robust cybersecurity practices and response plans.