Phishing-As-A-Service Is Growing Rapidly - All Thanks To New Evasion Methods

While, it has become an obviously known fact that most business-related communication is occurring through emails now, the medium itself is gradually becoming a heaven of data that scammers have their eyes onto, all the time now. This has indeed given rise to phishing scams that specifically target corporate users to steal secret information, after all, what really is happening behind the curtain?

Previously phishing campaigns could only be set up by qualified unethical hackers who had the technical knowledge to develop the phishing kits and compromise sites to host the phishing landing pages, which were later used for stealing credentials. However, today we are witnessing new criminal sites that offer Phishing-As-A-Service with features of phishing kits and hosting of phishing forms at really pocket friendly rates. As a result, we are seeing even the less experienced scammers going for realistic spam campaigns.

These new Phishing-as-a-Service (PhaaS) sites have allowed the criminals to choose landing pages and host right of their choice for a little fees per month (usually around $80 — $90). Moreover, the templates also include Adobe, DocuSign, Dropbox, Google, LinkedIn, Microsoft OneDrive, Office 365, PayPal, Sharepoint, Yahoo, and many more.

office email 365 scam page style 20 in under $80 $90
Screenshot: Digital Information World

The recent reports by security providers have also suggested that such services are pushing the phishing campaigns to new heights as in one of the examples shared by Magni Sigurdsson and Tinna Thuridur Sigurdardottir two cyber security researcher at Cyren, you can easily spot a PhaaS offering that names itself a "private service provider" to host spam. Sadly, as per Digital Information World's findings these sites are indexing adeptly well for several keywords in Google search results.

These services are also passing on a guarantee that phisher's landing pages will stay active for one month by all means but their identities are still unknown. As this brings more ease for crooks by letting them only focus on the spamming of emails, the people behind this service have gone one step further by also selling email lists - more commonly called as “leads” which can turn out to be very effective in terms of targeting users from specific demographics.

If someone is interested to buy them, they will have to contact the site’s owner with ICQ app.

Advance Methods And Even Better Evasion

Just when Phishing-as-a-Service began to rise at a rapid pace, users and security software are trying hard to catch up with them but in the end threat actors kept on winning with more innovative methods.

A recent phishing campaign example included mail account deletion notifications, undelivered mail prompts, and fake voicemail messages. All the emails included were designed to direct the user to the landing pages and then fool them into entering login credentials.

Hackers even tried out more advanced evasion techniques to bypass detection from machine learning and antivirus tools. Today, according to Cyren, about 87 percent of the phishing campaigns are working on the following phishing techniques:

Legitimate cloud hosting: The best trick among them all take help of legitimate cloud service providers like Azure in order to host their landing pages. This makes the landing pages to get hosted on Microsoft branded URLs such as and then eventually this makes the scam pages look more authentic. They also hold a certificate owned by Microsoft. This technique can become very useful for landing pages that are built with an aim to steal credentials for Microsoft services such as Microsoft Accounts, OneDrive, Outlook, and Office 365.

Content encryption: With this, the threat actors can actually encrypt the data and then later decrypt it with JavaScript to make it readable in a web browser.

HTML character encoding: In this technique the HTML of the phishing scam gets encoded in such a way that it appears as meaningless to scanning engines, but becomes clearly visible in the web browser or while emailing the client.

URLs in attachments: This goes entirely opposite to the idea of hosting the phishing landing page URLs in the emails, instead this allows you to post it in attachments that gets hosted on other services or with the email.

Inspection blocking: By choosing this, one can block automated systems that are being currently used by Google, antivirus engines, or security providers to read the content of the page. It gets done with htaccess files that have pre-built signatures which helps in redirecting certain visitors to some other site.

Content injection: This includes a legitimate, but compromised, site with a valid script that can also redirect targeted users to the landing page.

All of the above mentioned techniques seem to minting a lot of profits for criminals on the internet. In the first quarter of 2019 alone, phishing campaigns have increased by 17% whereas 25% of phishing emails also bypassed Office 365 Security.

Read next: Here is the best antivirus for macOS Mojave
Previous Post Next Post