In the spirit of keeping you up to speed with the latest developments in the cyber underground, so you know what to watch out for, a phishing-as-a-service operation has been uncovered that’s selling   fake log-in pages for services such as Microsoft’s OneDrive, American Express and Google Docs.

Phishing criminals are always coming up with news ways of fooling people into parting with their log-in credentials. However, what makes this particular scam different is that it is being supplied ‘as-a-service’ and it comes with far more than email and website templates, which is the norm for phishing kits.  This scam, however, goes way beyond this.
  • For a weekly, bi-weekly, monthly, or annual subscription the attacker hires the service and is handed stolen credentials on a plate as soon as they have been harvested.
  • The ‘service’ is currently offering log-in scam pages for Microsoft OneDrive, LinkedIn, Adobe, Alibaba, American Express, AOL, AT&T, Dropbox, and Google Docs.
  • A scammer simply chooses which customer log-in details they would like to get their hands on, say American Express, and then hires the service to carry out the operation.
Stealing ID information to order

What does this mean? Essentially non-technical cyber villains can now steal user passwords and usernames by simply paying for phishing attacks made on their behalf.
  • Because the bar has been lowered in terms of the technical expertise required to launch phishing attacks, we can expect more phishing attacks as word spreads in the cyber underground about the service. We could also see other ‘players’ also launching similar services, if this one proves to be successful.
  • While full blown phishing-as-a-service may be relatively new, its introduction isn’t too surprising. It’s almost the same as ransomware-as-a-service which has become dominant in the cyber underground over the past two years.In fact, phishing-as-a-service could lead to even more ransomware attacks because attackers could use the service to gain passwords and log-in details to launch ransomware attacks. So, it’s a double jeopardy of sorts. And of course, there’s nothing to stop phishing service providers who steal credentials on behalf of one customer, then sell the same log in credentials to other customers.
Protection, protection… and protection

The cyber underground is characterised by ever shifting sands with new forms of attack methods and malware surfacing with predictable regularity. The answer though is simple and that is to ensure you’re always protected with proven antivirus software.
  • One of the features of the new phishing-as-a-service are links included in the phishing emails that are ‘fully undetectable’ (FUD). This is a guarantee of sorts, for criminals who hire the service, that the malicious links in the phishing mails won’t be detected by antivirus detection.
  • Malware detection is typically done using virus definitions or signatures in a database. Antivirus scans detect signatures as good if they don’t match an entry in the database and consider files bad if they do match an entry. A FUD link has not yet been detected, is therefore not in the virus database and a result can slip under the antivirus radar.The value of dynamic machine learning
  • To block these types of attacks BullGuard provides layered protection.  At the base level is signature-based detection, but on top of this are other layers such as behavioural-based detection and dynamic machine learning (DML). DML learns and adapts without following explicit instructions, instead, it uses algorithms and statistical models to analyse and draw inferences from patterns in data.
  • BullGuard DML can analyse massive amounts of data, detect trends, and provide deep insight faster than any scale of humans can. As such it can detect anomalies, make decisions and transfer this information to all protected devices in seconds. In practise, suspicious links that show up in phishing mails, and have not previously been identified, are quickly blocked.How to identify phishing emails.
  • No legitimate organisation will send emails from an address that ends ‘@gmail.com’ or similar. Most organisations, except some small operations, will have their own email domain and company accounts. If the domain name (the bit after the @ symbol) matches the apparent sender of the email, the message is probably legitimate. If it doesn’t match then look closely at the email, it is likely a scam.
  • Many scam emails contain poor spelling and grammar. That said, cyber criminals are becoming more professional and are actively seeking native English speakers to help them construct phishing mail messages that are grammatically flawless.
  • No matter how phishing emails are delivered, they all contain a payload. This will either be an infected attachment that you’re asked to download or a link to a bogus website. The purpose of these payloads is to capture sensitive information, such as login credentials, credit card details, phone numbers and account numbers.
  • You can spot a suspicious link if the address it forward you to doesn’t match the context of the rest of the email. For example, if you receive an email claiming to be from Netflix, the link should direct you towards an address that begins ‘netflix.com’. If the message content and web site you are directed don’t match, there’s a good chance it’s a scam.
  • Many scams request that you act now or else it will be too late. This sense of urgency is also a sign that the email is a scam.