Phishing-as-a-Service Subscriptions Make Cybercrime Easy and Defense Hard

October 15, 2021

You can outsource almost anything these days. Even phishing. A vital part of many major cyberattacks including ransomware operations, phishing can take on many forms and wear many disguises, making it a challenge for every business to keep away from its employees. However, cybercriminals heavily favor phishing as the first step in cybercrime operations. More than 80% of reported cyberattacks are phishing. Phishing has never been a cyberattack with a high barrier to entry, but now that barrier is even lower with new cybercriminal enterprises offering Phishing-as-a-Service at a price bad actors can easily afford – and no business can afford. 


Automated security isn’t a luxury. See why Graphus is a smart buy. LEARN MORE>>


Phishing Messages Are Swamping Businesses

In this year’s ISACA State of Cybersecurity 2021 Survey, 35% of respondents reported that their enterprises are experiencing an increase in cyberattacks like phishing in 2021. That’s concerning because it is already three percentage points higher than was recorded in that survey in 2020 a year when all previous years’ phishing records were smashed in a phishing frenzy. Phishing risk ballooned by over 600% in Q2 2020 alone and it’s still on the rise in 2021 – phishing in all of its forms from phishing-related data breaches to business email compromise is thriving in today’s email dependent business world. A booming dark web economy with money flowing around to every corner is not helping the cause. 

We’re sending more messages than we ever have before as we grapple with the latest phase of the global pandemic. An estimated 306.4 billion emails were sent and received each day in 2020, triple the average increase of past years. That figure is expected to continue to grow steadily as companies continue to grapple with the complications of the ongoing pandemic and virus variants that could lead to long-term remote work becoming the norm. If email volume continues to trend the way that experts expect, it is estimated to reach over 376.4 billion daily messages by 2025.   

 Phishing is a Never-Ending Story for IT Teams

This non-stop onslaught of email-based threats is wearing out IT professionals. Phishing continues to pose a challenge to IT teams for a host of reasons. One of the most impactful reasons is extensive advances in phishing design and technology on the part of cybercriminals, especially the evolution of social engineering techniques. Everything from constant shifts in how phishing attacks are crafted to how they are distributed makes it hard for companies to keep phishing out of their environments.  

Phishing Quick Hits  

  • 94% of malware is delivered by email
  • More than 80 % of reported security incidents are phishing-related 
  • 40% of phishing messages aren’t caught by conventional security or a SEG 
  • One-fifth of employees in a 2020 survey fell for phishing tricks and interacted with spurious emails 
  • 45% of employees click emails they consider to be suspicious “just in case it’s important”  

The economic impact of the global pandemic has hit businesses of every size in every sector. That includes organizations that are doing business in the shadowy confines of the dark web. However, instead of revenue contraction from lost productivity or other nasty pandemic effects, outfits that are in the business of cybercrime are had a banner year in 2020. That looks to continue in 2021 as growth in Cybercrime-as-a-Service and its close cousin Ransomware-as-a-Service has been steady. Giving cybercriminals plenty of opportunities to make a profit from the fruits of their labor. 

Cybercrime Quick Hits


How safe is your email domain? Find out now with our domain checker. CHECK YOUR DOMAIN>>


Cybercrime Gangs Hire Service Providers Too


Now Phishing-as-a-Service (PhaaS) has entered the game. In the same vein as ransomware-as-a-service (RaaS), phishing-as-a-service follows the software-as-a-service model that many legitimate tech companies use. In a PhaaS scenario, bad actors engage cybercriminals developers to cook up the elements of a phishing campaign like false sign-in page development, website hosting,  spoofed emails and credential parsing. PhaaS operators can also perform a wide variety of smaller a la carte services like hosting a single phishing site or providing a template for a one-time send.  

But there are outfits that offer complete campaign services too. In those scenarios, the PhaaS operators take care of everything. Why bother waging a phishing campaign themselves? It’s easy and cheap for a cybercrime group to hire a PhaaS practitioner who will take care of everything – create and host a phishing site, create and install a phishing template on the site, configure the domain and take care of every technical aspect, send emails to victims, collect credentials or other desired data from the victims – then wrap everything up with a big red bow and deliver the stolen information straight to the cybercrime operation that hired them without those bad actors lifting a finger.  


Learn the secret to ransomware defense in Cracking the RANSOMWARE Code. GET BOOK>>


Cybercriminals Are Clamoring to Sign Up for a Phishing Subscription Box


Even shops on the dark web have subscription box options these days. But instead of getting makeup or coffee in this subscription box, the buyer gets a steady delivery of phished information to power their other cybercrime operations. Some operations also offer packages and monthly subscription programs that enable bad actors to simply pay a monthly fee to have the service conduct regular phishing campaigns and then deliver the buyer the results. Although not unheard of previously, the PhaaS sector is gaining a bit more focus after a recent Microsoft blog post detailed a specific PhaaS operation that their researchers uncovered and its business model.  

Just a few months ago, Microsoft researchers uncovered a phishing campaign that used a high volume of newly created and unique subdomains, boasting over 300,000 in one run. Digging deeper, researchers discovered a major PhaaS operation called BulletProofLink, aka Anthrax. The brand’s services are used by multiple attacker groups as a launchpad for cybercrime operations like business email compromise, spear-phishing and ransomware attacks. With a wide variety of options for its customers to choose from, the group uses either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators. The operation offers over 100 available phishing templates that mimic known brands and government agencies or services that the researchers said were responsible for several prominent, ongoing phishing campaigns right now and in the past.   

In order to become a customer, cybercriminals connect with the  BulletProofLink gang through a mutual connection or the outfit’s site on the dark web. The PhaaS operation offers all of the services that you’d expect including a la carte items and subscription models at a variety of price points. According to Microsoft researchers, the PhaaS group’s subscription prices vary dependent on a host of factors, but in general, the service can cost about $800 per month. BulletProofLink also operates what amounts to a one-stop-shop for phishing, featuring everything a cybercriminal might need to conduct a successful phishing operation. Even without using the complete campaign or subscription services available, a wide-ranging menu of individual items including DIY phishing kits, over 100 email templates including high-quality spoofed messages, web hosting and even automated services are available at a relatively low cost. This enables cybercrime gangs to quickly launch phishing operations as the foundation to things like ransomware attacks or business email compromise schemes with low overhead costs.


What’s next in phishing? Find out in the 2021 State of Email Security Report! GET IT NOW>>


Protecting Your Business from Phishing is Easier Than Ever Too 


The favorable conditions of today’s cybercrime environment, especially when it comes to running phishing operations, have spawned a panoply of successful specialized cybercrime services like RaaS and PhaaS. Roughly 40% of listings that researchers viewed in a 2020 study were created by players in the Ransomware-as-a-Service (RaaS) space. That is another indication that the dark web operates just like any other business. Except the organizations that you find there are organizations that you don’t want to do business with. Graphus can help with that. 


Stop phishing with Graphus – the most simple, automated & affordable phishing defense available.


Why should you choose Graphus? Because you’ll get cutting-edge protection from cybercrime at an excellent price. Using AI-powered, automated email security with an award-winning solution is a smart move for businesses of every size.

  • You’ll gain a powerful guardian that protects your business from some of today’s nastiest threats like spear phishing, business email compromise, ransomware and other horrors that will fit perfectly into your IT budget.
  • Plus, automated security is up to 40% more effective at spotting and stopping malicious messages like phishing email than a SEG or conventional security. 
  • Get detailed, actionable threat intelligence with the Graphus Threat Intelligence add-on, featuring detailed reports on the malicious or compromised IP and email addresses, URLs, and attachment hashes used in cyberattacks that target your users.
  • Click here to watch a video demo of Graphus now.

Don’t wait until cybercriminals are dangling tempting lures in front of your employees to take action and provide your business with best-in-class email security. Let us show you how the triple-layered protection that your business gets from Graphus is exactly what you need to keep your organization safe from phishing. 

Addressing the dangers of phishing is a smart way for businesses to reduce their risk of a damaging data breach. One of the best ways to do that is to prevent the inevitable mistakes that employees will make by keeping them out of the picture with Graphus. Schedule a demo today=> 


Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus