Why Do Criminals Love Phishing-as-a-Service Platforms?
Phishing-as-a-Service (PaaS) platforms have become the go-to tool for cybercriminals, to launch sophisticated phishing campaigns targeting the general public and businesses, especially in the financial services sector.
PaaS operates much like other subscription-based malware models, where cybercriminals offer phishing kits, including spam tools, phishing pages’ templates, bulletproof servers, and victim databases to less-experienced attackers. These kits often come with user-friendly interfaces and detailed instructions, making it easy for anyone to deploy a phishing campaign with minimal effort.
These platforms are sometimes marketed as legitimate phishing simulation services, but in reality, they cater to bad actors aiming to exploit a victim’s first line of defense, people, through social engineering tactics.
In this blog, we’ll explore the key features offered by PaaS platforms, highlight the major platforms Trustwave SpiderLabs has recently observed, and cover effective phishing mitigation strategies.
What Do PaaS Platforms Offer?
PaaS platforms provide tools that enable threat actors to easily create convincing fake emails and websites, mimicking legitimate services to trick users into revealing sensitive information, such as account credentials and personal details.
The platforms typically include features such as:
- Phishing Templates and Page Generators: These are core features of many PaaS platforms, providing threat actors with pre-designed landing pages that closely resemble those of reputable organizations. For example, Tycoon2FA, a well-known PaaS platform, offers a wide array of these themes and templates crafted to imitate the login pages of banks, technology companies, and services including Microsoft 365. These templates are designed to deceive recipients into believing they are interacting with legitimate sites, thereby increasing the likelihood of capturing sensitive credentials such as usernames, passwords, and multifactor authentication (MFA) tokens.
Figure 1: Pre-designed phishing themes and templates provided on the Tycoon2FA PaaSplatform.
In addition, tools are also available for affiliate threat actors to customize phishing pages by adjusting various elements, such as login forms, CAPTCHA settings, and feature additional fields for victims to fill out making attacks more effective at harvesting credentials. Phishing page-generator tools may also simplify the deployment of these phishing pages by providing options for hosting on secure servers, often leveraging bulletproof hosting services to avoid detection and takedown efforts. Below is an example of a phishing page generator tool offered by Interac Panel PaaS.
Figure 2: Phishing page templates targeting the National Bank of Canada, provided by the Interac aaS
- Real-Time Monitor Dashboard: The dashboard in PaaS platforms serve as a real-time campaign management tool, offering threat actors detailed insights into the performance of their phishing operations. It tracks key metrics such as open and click-through rates, captured credentials, and session cookies. This data helps attackers gauge the effectiveness of their campaigns and adjust strategies accordingly. Also, the dashboard provides geolocation, device, and browser data on victims, enabling more targeted attacks.
Figure 3: A phishing panel offered by the V3B PaaS showing real-time feedback and a panel to interact with a potential victim.
- MFA Bypass:A well-known PaaS platform that supports this MFA bypass feature is Tycoon2FA. This capability is particularly alarming because MFA is widely regarded as a robust security measure designed to add a layer of protection beyond passwords. These platforms, however, use various techniques to bypass MFA, such as adversary-in-the-middle (AiTM) attacks, where the attacker positions themselves between the victim and the legitimate service. In doing so, they can capture the MFA token or authentication code as it is transmitted, using it to authenticate themselves in real time.
- CAPTCHA Human Authentication: CAPTCHA human authentication is generally supported by major sites to ensure that only legitimate human interactions are processed. Threat actors frequently use Cloudflare Turnstile, a service that provides advanced CAPTCHA challenges, to authenticate clicks on phishing pages. This approach helps filter out automated bots and reduce the likelihood of security system detection. By using Cloudflare Turnstile, PaaS platforms can maintain a higher level of stealth and increase their phishing campaigns’ success rates, ensuring that the collected data is from actual users rather than automated defenses. PaaS platforms such as Greatness, Tycoon2FA, DadSec, ONNX, and RaccoonO365 also integrate the CloudFlare turnstile service to authenticate that links are legitimately clicked by humans.
Figure 4: A Tycoon2FA phishing attack chain where the user is directed to a CAPTCHA landing page and then to a final landing page used by the attackers to harvest credentials. In the background, this phishing kit steals session tokens to be used later by the threat actors.
- Code Obfuscation: This feature helps attackers hide malicious content within emails, websites, and scripts making detection by security systems more difficult. Methods such as Base64 encoding or a more complex obfuscation are used to disguise URLs and scripts, while HTML and JavaScript obfuscation conceal harmful code, making it more difficult for security tools to perform static analysis.
Figure 5: Sample of obfuscation technique used by Interac’s phishing landing page.
- Tutorials and Support: PaaS platforms often provide detailed guides, video tutorials, and real-time support via Signal, Telegram, underground forums, and other channels. These resources help users set up phishing campaigns, troubleshoot issues, and optimize tactics, making the platform accessible to both novice and experienced attackers.
Figure 6: The FishProxy PaaS has a documentation, tutorials, and support included in their service.
- Subscription Model:MostPaaS platforms operate on a tiered subscription model, offering different pricing levels with varying features and support options. Subscriptions can vary in duration and the geographic scope of the phishing campaign. Payments are typically made in cryptocurrencies like Bitcoin to ensure anonymity and security for both the platform and its users.
Figure 7: Subscription model of RaccoonO365 as advertised on their Telegram channel.
- Bulletproof Hosting Service: PaaS platforms such as ONNX offer bulletproof hosting to keep phishing operations running without disruption from takedowns. These services often include remote desktop protocol (RDP) access for secure and efficient campaign management.
Recent Phishing-as-a-Service Platforms
This section provides an overview of PaaS platforms that have been active over the past year. Each platform is outlined with details on its observed date, primary function, key features, impact, subscription model, and anti-detection measures, offering insight into how these services continue to challenge security efforts across various sectors.
- W3LL Panel
%2c%20and%202023%20version%20(bottom)..jpg?width=600&height=384&name=Figure%208.%20Two%20versions%20of%20the%20panel.%202019%20version%20(top)%2c%20and%202023%20version%20(bottom)..jpg)
Figure 8: Two versions of the panel. 2019 version (top), and 2023 version (bottom).
|
Observed Date |
Active since 2017, this platform initially started with tools such as the W3LL SMTP Sender and has evolved into a comprehensive phishing platform. |
|
Primary Function |
Offers a suite of tools for business email compromise (BEC) attacks, including the W3LL Panel, which is designed to bypass MFA and compromise corporate accounts. |
|
Subscription Model |
Operates a marketplace with a reseller program, though pricing details are not publicly available. The platform is used by over 500 threat actors. |
|
Target Platforms |
Focuses primarily on Microsoft 365 accounts in sectors such as finance, IT, healthcare, and legal services. |
|
Impact |
Has compromised over 8,000 Microsoft 365 accounts and was involved in 850 phishing attacks affecting more than 56,000 accounts. |
|
Ease of Use |
Features a wide range of tools appealing to cybercriminals of all skill levels, including SMTP senders, phishing kits, vulnerability scanners, and tools to automate account discovery. |
|
Techniques |
Leverages AiTM tactics to bypass MFA, along with source code protection and anti-bot measures to evade detection. |
|
Anti-Detection Measures |
Employs source code obfuscation and anti-bot functionality to protect phishing campaigns from detection and takedown efforts. |
- EvilProxy
Figure 9: EvilProxy PaaS as advertised on underground forums.
|
Observed Date |
First observed in May 2022, when threat actors released a demonstration video showcasing its capabilities. |
|
Primary Function |
A reverse proxy platform designed to bypass MFA by intercepting and stealing session tokens using techniques like cookie injection. |
|
Subscription Model |
Available via subscription, starting at US$400 per month, with higher costs for premium targets including Google accounts, handled through Telegram. |
|
Target Platforms |
Clones login pages for platforms such as Google, Apple, Microsoft, Facebook, GitHub, Dropbox, and Twitter, among others. |
|
Impact |
Enables threat actors to bypass MFA and conduct account takeovers, including high-risk attacks on Fortune 500 companies and supply chain operations. |
|
Ease of Use |
Designed with a user-friendly graphical user interface (GUI), it offers detailed tutorials and step-by-step guides, making it accessible to even low-skill attackers. |
|
Techniques |
Uses reverse proxy and cookie theft to capture login credentials and bypass two-factor authentication(2FA)/MFA protections, allowing attackers to hijack authenticated sessions. |
|
Anti-Detection Measures |
Includes anti-VM, automation detection, and bot protections to evade detection by security researchers and automated systems. |
- Caffeine
Figure 10: Caffeine Homepage. Source: Google Cloud Blog.
|
Observed Date |
Discovered in March 2022 by Mandiant during an investigation of a large-scale phishing campaign. |
|
Primary Function |
An open-registration PaaS platform that allows cybercriminals to launch phishing campaigns without referrals or admin approval, making it easily accessible. |
|
Subscription Model |
Pricing starts at US$250 per month and goes up to US$850 for six months. It includes anti-detection features, campaign customization tools, and customer support. |
|
Target Platforms |
Primarily targets Microsoft 365 accounts and offers phishing templates for use against Russian and Chinese targets. |
|
Impact |
Facilitates the exploitation of compromised web infrastructures enabling attackers to stealthily host phishing campaigns on legitimate sites, making detection more difficult and increasing the scale and impact of attacks. |
|
Ease of Use |
The dashboard features a self-service interface, allowing users to customize phishing kits, manage intermediary and final-stage pages, and track email campaigns in real-time. |
|
Techniques |
Provides dynamic URL generation, IP blocklisting, and allows phishing email template customization for specific targets, making it harder to detect. |
|
Anti-Detection Measures |
Includes anti-detection and anti-analysis features and offers customer support to assist attackers. |
- ONNX
|
Observed Date |
First observed in February 2024, during phishing campaigns targeting financial institutions. |
|
Primary Function |
A phishing platform targeting Microsoft 365 accounts through QR codes embedded in PDF attachments to bypass traditional email phishing protections and capture credentials. |
|
Subscription Model |
Offers multiple tiers starting from US$150 per month for basic webmail services and up to US$400 per month for a 2FA cookie-stealing service. |
|
Target Platforms |
Primarily targets Microsoft 365 and Office 365 accounts in the financial sector, using lures like HR emails with salary updates. |
|
Impact |
Enables attackers to bypass MFA, stealing credentials and MFA tokens in real-time, leading to account compromise and potential exfiltration of sensitive data. |
|
Ease of Use |
Operates through Telegram bots, providing a user-friendly interface for phishing operations management and client support. |
|
Techniques |
Uses QR code phishing (quishing) to redirect victims to spoof Microsoft 365 login pages, capturing login credentials and 2FA tokens. |
|
Anti-Detection Measures |
Utilizes Cloudflare services for domain protection, encrypted JavaScript for page obfuscation, and bulletproof hosting to prevent takedowns and ensure uninterrupted phishing operations. |
- LabHost
Figure 11: LabHost live panel.
|
Observed Date |
Active in Q4 2021, LabHost emerged as a significant PaaS platform that initially targeted three Canadian banks. |
|
Primary Function |
Provided phishing kits and infrastructure to launch phishing campaigns, targeting users of banks, postal services, and other high-profile services. It offered real-time management through the LabRat tool for bypassing 2FA. |
|
Subscription Model |
Offered tiered subscriptions that started at US$179 per month for the Standard plan, while the Premium and World Membership tiers reached US$300 per month. These plans offered varying levels of phishing page hosting and campaign features. |
|
Target Platforms |
Primarily targeted financial institutions in Canada, the US, and the UK, as well as other services including Spotify and DHL. |
|
Impact |
Was involved in over 40,000 phishing domains and served 10,000 users, leading to the theft of 480,000 credit card numbers, 64,000 PINs, and over 1 million passwords. Estimated to have generated over US$1.1 million in subscription fees. |
|
Ease of Use |
Simplified phishing with automated hosting and page generation, allowing even unskilled criminals to conduct sophisticated attacks. The LabRat tool enabled attackers to intercept 2FA tokens in real time. |
|
Techniques |
Used proxying techniques to bypass 2FA and provided phishing templates for a wide array of targets, including financial services and personal data collection. |
|
Anti-Detection Measures |
Encrypted scripts to avoid detection by security systems. |
|
Takedown |
LabHost was taken down by law enforcement in a global operation in April 2024, coordinated by Europol and involving 19 countries. Thirty-seven suspects were arrested and 40,000 phishing domains were disrupted. |
- Interac Panel
Figure 12: Interac phishing page template.
|
Observed Date |
First observed in June 2024, right after LabHost's takedown. |
|
Primary Function |
Interac PaaS is designed to facilitate phishing campaigns targeting Canadian financial institutions and other service sectors, such as tech and logistics. |
|
Subscription Model |
Free trial. Currently, no subscription plan is offered. |
|
Target Platforms |
Focuses on Canadian institutions and provides templates targeting brands such as BMO, National Bank of Canada, HSBC, ScotiaBank, Laurentian, Manulife, Meridian, MotusBank, RBC, Canada Post, DHL, FedEx, and Amazon. |
|
Impact |
Enables cybercriminals to conduct large-scale phishing campaigns, including bypassing MFA, affecting Canadian businesses and the general public. |
|
Ease of Use |
Comes with a user-friendly interface and real-time control and OTP panels, card checker, page generator and deployment tool, and an email flooding feature, making it easy for users to manage phishing operations, track results, and capture sensitive information. |
|
Techniques |
Provides pre-designed phishing page templates and unlimited access to phone numbers for SMS lures, which can increase the efficiency of campaigns. |
|
Anti-Detection Measures |
Code obfuscation on phishing pages. |
- Greatness PaaS
Figure 13: Greatness PaaS admin panel.
|
Observed Date |
First observed in mid-2022, the Greatness platform began targeting businesses using Microsoft 365. |
|
Primary Function |
Greatness allows affiliates to generate phishing pages that mimic Microsoft 365 login pages, auto-filling victims' email addresses to add authenticity. It targets the healthcare, manufacturing, and technology sectors. |
|
Subscription Model |
The platform is available via subscription starting at US$120 per month, payable in cryptocurrency. It features IP filtering, MFA bypass, and session cookie theft. |
|
Target Platforms |
Primarily targets Microsoft 365 users, with organizations across the US, UK, Canada, and Australia. |
|
Impact |
It enables attackers to bypass MFA and steal session cookies, granting access to victims' Microsoft 365 accounts. We have seen spikes in Greatness’ activity in December 2023 and March 2024. |
|
Ease of Use |
Greatness comes with a phishing kit and an API that affiliates can deploy with minimal technical expertise. The service provides real-time updates on the status of captured credentials and session cookies via Telegram bots. |
|
Techniques |
Greatness uses man-in-the-middle (MITM) attacks to intercept and authenticate victims' credentials and MFA tokens, sending this data back to affiliates for account takeover. |
|
Anti-Detection Measures |
It employs obfuscation and encoding techniques to evade detection by security tools, including randomized headers and hidden phishing URLs in HTML attachments. |
- DadSec
Figure 14: DadSec empty admin panel.
|
Observed Date |
First observed in July 2023, DadSec has rapidly grown as a prominent PaaS platform targeting Microsoft 365 users. |
|
Primary Function |
DadSec facilitates advanced AiTM attacks, allowing affiliates to bypass MFA and capture session cookies enabling unauthorized access to Microsoft 365 accounts. |
|
Subscription Model |
Offers a subscription model priced at US$500 per month, giving access to a fully customizable phishing panel, complete with anti-bot features and the ability to integrate with Telegram for real-time updates. |
|
Target Platforms |
Primarily targets Microsoft 365, with a focus on global organizations, especially in the finance, education, and healthcare sectors. |
|
Impact |
Enables attackers to steal credentials and bypass MFA protections, with observed phishing campaigns affecting organizations in the US and Europe. |
|
Ease of Use |
Features a user-friendly control panel with options for theme customization, IP blocking, and anti-bot measures, making it accessible to skilled and unskilled threat actors. |
|
Techniques |
Leverages quishing and CAPTCHA evasion techniques using Cloudflare Turnstile to mask the true nature of phishing links and intercept session cookies. |
|
Anti-Detection Measures |
Uses PHP code obfuscation and Cloudflare protection to evade detection and prevent takedowns, ensuring the long-term viability of phishing campaigns. |
- Tycoon2FA
Figure 15: Tycoon2FA admin panel.
|
Observed Date |
Sekoia first observed Tycoon2FA's widespread use in phishing campaigns in August 2023. |
|
Primary Function |
Tycoon2FA enables attackers to bypass MFA using AiTM techniques. It targets Microsoft 365 and Gmail, harvesting session cookies for unauthorized access. |
|
Subscription Model |
Subscriptions are sold via Telegram, with prices starting at US$120 for 10 days of access to phishing templates and the PaaS infrastructure. |
|
Target Platforms |
Focuses on Microsoft 365 and Gmail accounts used across industries such as finance, tech, and cloud services. |
|
Impact |
Tycoon 2FA has been linked to over 1,200 domains and is frequently used in large-scale phishing attacks that bypass MFA protections. |
|
Ease of Use |
Features pre-built phishing templates and automated tools, allowing even unskilled attackers to launch sophisticated phishing campaigns. |
|
Techniques |
Uses Cloudflare Turnstile to evade detection, JavaScript WebSockets for data exfiltration, and obfuscation techniques to evade security tools. |
|
Anti-Detection Measures |
Enhanced in February 2024 with updates to its obfuscation techniques, including Base64 encoding, XOR operations, and filtering to block bot traffic and analysis tools. |
- RaccoonO365
Figure 16: RaccoonO365 as marketed on Telegram.
|
Observed Date |
First identified in May 2024 as an evolution of the Tycoon2FA platform. |
|
Primary Function |
RaccoonO365 targets Microsoft 365 and Outlook (Hotmail) users, primarily through phishing kits that bypass MFA and capture session cookies. |
|
Subscription Model |
Available on a subscription basis via Telegram, with tiered pricing for access to phishing templates, dynamic URL generation, and cookie-stealing functionality. |
|
Target Platforms |
Focuses on Microsoft 365 and Outlook (Hotmail) accounts, particularly targeting business users and enterprises that rely on cloud services. |
|
Impact |
Involved in large-scale campaigns targeting Microsoft 365 users, with over 700 phishing domains identified as part of the RaccoonO365 infrastructure. |
|
Ease of Use |
Features pre-configured phishing kits with real-time data exfiltration, making it accessible to attackers with varying skill levels. |
|
Techniques |
Uses advanced obfuscation techniques like Base64 encoding and XOR operations for JavaScript, along with session cookie hijacking to bypass MFA protections. |
|
Anti-Detection Measures |
Employs Cloudflare Turnstile for CAPTCHA evasion, and advanced filtering mechanisms to block bot and security traffic, improving the longevity of phishing campaigns. |
- FishXProxy
Figure 17: FishXProxy templates that can be used by threat actors for launching phishing campaigns.
|
Observed Date |
First identified in mid-2024. |
|
Primary Function |
Provides a powerful reverse proxy tool for phishing campaigns, offering features including auto installation, traffic encryption, Cloudflare integration, and unlimited domain generation to enhance stealth and efficiency. |
|
Subscription Model |
The toolkit is available for subscription via Telegram starting at US$200 for the basic package, to US$5,000 for the enterprise package. |
|
Target Platforms |
Primarily targets email providers and financial institutions. |
|
Impact |
The phishing kit has been linked to hundreds of phishing campaigns, with the potential to increase the overall volume of sophisticated phishing attacks due to its accessibility and user-friendly features. |
|
Ease of Use |
Lowers the barrier to entry for attackers by automating several aspects of the phishing process, including SSL provisioning, domain management, and traffic redirection. |
|
Techniques |
Uses HTML smuggling to deliver malware, Cloudflare Workers for distributing phishing logic, and cookie-based cross-project tracking to optimize and personalize phishing campaigns. |
|
Anti-Detection Measures |
Uses anti-detection techniques such as traffic encryption, browser red flag detection bypass, antibot solutions, and Cloudflare integration to evade detection and optimize phishing campaign effectiveness. |
- V3B Panel
Figure 18: The V3B demo panel, showcasing the phishing results of a campaign targeting banking customers in France.
|
Start Date |
V3B was launched in March 2023 by a cybercriminal group known as "Vssrtje." |
|
Primary Function |
V3B is designed to target customers of 54 European financial institutions by mimicking banking and online payment systems. It also supports PhotoTAN and quishing to capture credentials. |
|
Subscription Model |
Available via Telegram for a monthly subscription, ranging from US$130 to US$450 depending on the feature set, and includes support for customized phishing templates. |
|
Target Platforms |
Focuses on banking customers across Europe, including institutions in countries such as Ireland, Germany, France, and the Netherlands. |
|
Impact |
V3B has been used in large-scale phishing campaigns targeting hundreds of thousands of customers, intercepting login credentials and one-time passwords (OTPs) to facilitate fraud. |
|
Ease of Use |
Features a customizable control panel (uPanel) allowing attackers to engage with victims, capture OTPs, and tailor phishing pages for specific banks. |
|
Techniques |
Uses credential interception, QR code and PhotoTAN methods to bypass advanced security measures like MFA, making it a significant threat in the EU banking sector. |
|
Anti-Detection Measures |
Employs JavaScript obfuscation and encrypted phishing pages to evade detection by security teams, with support for Cloudflare integration for added stealth. |
So, Why do Cybercriminals Love Phishing-as-a-Service?
PaaS is preferred by malicious actors because it makes phishing easy and accessible, even for those without much tech know-how. These platforms are relatively cheap, can be scaled up quickly, and are regularly updated to avoid detection. They also help criminals stay anonymous, offer custom options, and provide support, allowing malicious actors to run large phishing attacks with little effort.
Mitigating Phishing Attacks
Here are a few strategies organizations can use to remain protected against phishing attacks:
- Train Employees Regularly
Keep employees updated on phishing tactics like spear phishing and whaling, where attackers pose as senior executives. Run simulated phishing tests to help them spot suspicious emails and avoid traps.
- Use MFA with Extra Layers
MFA provides an additional layer of security on top of passwords, but remains vulnerable to AiTM attacks. To enhance protection against phishing attacks that bypass MFA, consider phishing-resistant options like FIDO2 and implement measures such as conditional access, continuous authentication, and session monitoring.
- Boost Email Security
Install email filters to catch phishing attempts by scanning for malicious attachments, bad links, and spoofed addresses. Tools like Trustwave MailMarshal provide layered protection against email-based threats, capturing all forms of threats to protect an environment and reduce the burden on security teams.
- Monitor the Dark Web
Stay on top of what’s happening on Telegram and the Dark Web by tracking phishing kits and other tools. This keeps your security team updated on new threats and ready to adjust defenses.
- Use Proactive Threat Intelligence
Partner with cybersecurity firms and government agencies to stay ahead of phishing trends. Threat intel can help you predict new attack methods and update your defenses before attackers strike.
- Verify Financial Transactions
Set up stricter checks for large financial transactions, like multi-step approvals or confirming requests through another communication channel, to stop phishing attacks that target finance teams.
- Perform Regular Security Audits
Frequently review your security systems to identify potential vulnerabilities that phishing attacks might target, including web servers and any internet-facing devices.
References
- W3LL Phishing Kit Targets Microsoft 365 Accounts | Decipher (Duo)
- W3LL oiled machine: Group-IB uncovers covert BEC phishing empire targeting Microsoft 365 | (Group-IB)
- EvilProxy Phishing-as-a-Service Platform Bypasses MFA Mechanisms | Sensors Tech Forum (Sensors Tech Forum)
- Caffeine: A ‘Readily Accessible’ Phishing-as-a-Service Platform | Decipher(Duo)
- ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institutions | EclecticIQ (EclecticIQ Blog, BleepingComputer)
- Europol: International Investigation Disrupts Phishing Service Platform LabHost(Europol)
- LabHost Phishing Service with 40,000 Domains Disrupted |(BleepingComputer)
- Interac Telegram Channel | (Telegram)
- Trustwave SpiderLabs Detects Spike in Greatness Phishing Kit Attacks | (Trustwave)
- Greatness Phishing-as-a-Service Targets Microsoft 365 | (Duo)
- DadSec PaaS: QR Codes and AiTM Phishing | (eSentire)
- Breakdown of Tycoon Phishing-as-a-Service System | (Trustwave)
- Tycoon PaaS Evolves to RaccoonO365 | (ig3thack3d4u.com)
- FishXProxy Lowers Entry Bar for Cyberattacks | (SiliconAngle)
- Cybercriminals Attack Banking Customers in EU | (Resecurity)