Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 266: UNDERSTANDING THE RISK OF PHISHING-AS-A-SERVICE (PHAAS)
Reference Number ACG-CSB 092122266
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
A form of organized cybercrime known as phishing-as-a-service (PhaaS) involves criminals using the Internet to provide phishing services to others in exchange for cash. Phishing is a type of email fraud in which fraudsters send communications that seem to be from reliable businesses in an effort to dupe recipients into disclosing personal information like passwords and banking information. PhaaS providers frequently develop landing pages and bogus websites that look legitimate, making the deception even more difficult to detect.
By lowering the barriers to entry, PhaaS has inspired a new generation of cybercriminals to try their hand at phishing, and the return on investment for them is enormous. A cybercriminal usually needs to know HTML to send an effective email. They'd also need to know how to build a website that looks legitimate while stealing credentials. These skills are not required to carry out a phishing attack if someone purchases a phishing kit. There is very little time between the conception and execution of an attack.
Everything needed to carry out a successful phishing attack is contained in a phishing kit. They include templates for websites to direct victims to as well as email templates for delivering emails that look to be from reliable businesses. Lists of probable targets are also included in certain phishing kits. Phishing kits frequently come with thorough instructions and customer support because they are intended for people without technological expertise.
PhaaS costs anywhere from a few dollars to hundreds of dollars, and some suppliers even promise success, while others claim to be able to bypass any form of two-factor verification.
Some PhaaS products are thought to have been produced using open source software that was ostensibly used to test for flaws. Additionally, those who are selling these technologies have been seen making dashboards that allow users to view real-time updates on attacks and video training for consumers to watch.
The threat posed by phishing affects both private citizens and companies. It results in network infiltration in organizations and account compromise for private persons. PhaaS increases this threat by enabling anyone, regardless of skill level, to carry out such attacks.
The adoption of PhaaS not only makes phishing more prevalent but also could make each attack more successful. Although phishing emails are often easy to spot, someone using a commercial phishing kit may be able to harvest far more credentials.
All PNP personnel as well as the public are advised to follow these tips to avoid being a victim of Phishing-as-a-Service (PhaaS) attack:
- Check the Sender - The recipient of a suspected phishing email should not rely on the sender's display name alone. Even when a sender uses email spoofing to appear legitimate, minor spelling variations in the address often remain and can give the message away.
- Look for Formatting Errors - PhaaS products frequently include quite realistic emails, yet they still lack the level of professionalism of genuine emails. Look for mistakes in the language and formatting.
- Don't Click on Links or Open Attachments - Never click on a link in an email, regardless of who sent it. Additionally, you must never open an email attachment unless you are certain of its contents.
- Be Wary of Information Requests - Every phishing email includes a request for action. Any email that requests information from you or requires you to log into an account should raise red flags.
- Businesses Should Train Employees - Employees are the main target of phishing attempts against companies. All staff must receive the appropriate training in order to reduce this threat.
- Businesses May Use Anti-Phishing Software - There is a lot of software available to identify phishing emails and stop them from getting to employee inboxes. Although employee training is still necessary, this software can lessen the level of threat that employees must deal with.
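The "Check the Sender" tip above can be applied mechanically to a From: header. The following script is an added example, not part of the bulletin: it separates the display name from the actual address and flags a domain that is a near-miss of a trusted domain, or a display name that borrows a trusted brand while the address does not match. The trusted domain list and the sample headers are constructed for illustration.

```python
"""Added example: flag suspicious From: headers per the 'Check the Sender' tip.
Not from the bulletin. TRUSTED_DOMAINS and sample headers are constructed."""
from email.utils import parseaddr

# Constructed list of domains the organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"example-bank.com", "paypal.com", "microsoft.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> dict:
    """Classify a From: header value.

    'trusted'   : address domain exactly matches a trusted domain
    'lookalike' : address domain is within max_edits of a trusted domain
    'name_spoof': display name names a trusted brand but the address does not match
    'unknown'   : no resemblance to any trusted domain
    """
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain in trusted:
        return {"verdict": "trusted", "domain": domain, "near": domain}
    if domain:
        best = min(trusted, key=lambda t: edit_distance(domain, t))
        if edit_distance(domain, best) <= max_edits:
            return {"verdict": "lookalike", "domain": domain, "near": best}
    # Brand label is the part before the first dot, e.g. "paypal" from paypal.com.
    for t in trusted:
        if t.split(".")[0] in display_name.lower():
            return {"verdict": "name_spoof", "domain": domain, "near": t}
    return {"verdict": "unknown", "domain": domain, "near": None}


if __name__ == "__main__":
    # Constructed samples: genuine sender, one-character domain swap, display-name spoof.
    for hdr in ['"PayPal" <service@paypal.com>',
                '"PayPal Support" <service@paypa1.com>',
                '"Microsoft Account Team" <no-reply@mail-random.example>']:
        print(hdr, "->", check_sender(hdr))
```

A verdict of lookalike or name_spoof is a prompt for closer inspection, not proof of fraud; legitimate third-party mailers can trigger the name_spoof rule.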
For additional information, please refer to the following websites:
POINT OF CONTACT