
Phishing-as-a-Service is Now a Growing Threat to Financial Institutions

by OPSWAT

Consider a scenario where a customer of a reputable financial institution receives an email that appears to be a routine account update, complete with a QR code for easy verification. Trusting its legitimacy, the customer scans the code with their mobile phone but instead of reaching a secure site, they fall victim to a “quishing” attack orchestrated through Phishing-as-a-Service (PhaaS).  

This article explores the impact of PhaaS on email security in the financial sector, detailing the evolving threat landscape and offering robust defensive strategies. 

Overview

Phishing-as-a-Service

Phishing-as-a-Service platforms provide comprehensive tools for executing phishing campaigns: subscription-based access to customizable email templates, hosting for the malicious websites those emails point to, and customer support. These platforms make it significantly easier for attackers to exploit email communications within the financial sector. 

PhaaS Tactics & Resources

Phishing-as-a-Service platforms, such as "Robin Banks" and "Tycoon 2FA," employ a variety of sophisticated tactics to deceive victims, including:

Customizable Phishing Email Templates

These platforms offer a wide range of convincing email templates that mimic legitimate communications from financial institutions, making it easier for attackers to craft deceptive emails.

Real-Time Phishing Campaign Dashboards

Attackers can monitor the success of their phishing campaigns in real time, adjusting their tactics based on the effectiveness of different strategies.

Advanced Cybersecurity Evasion Techniques

Mechanisms like reCAPTCHA gates and User-Agent string checking are used to keep automated security scanners from reaching and analyzing the phishing pages.

User-Friendly Interfaces

Despite the complex nature of these cyberattacks, PhaaS platforms provide user-friendly interfaces, making them accessible even to those with minimal technical knowledge.

Impact of the "Robin Banks" Platform

Financial institutions have recently been targeted by the so-called “Robin Banks” Phishing-as-a-Service attack platform, delivering its payload through text messages and emails. IronNet researchers discovered the Robin Banks syndicate providing ready-made phishing kits primarily targeting U.S.-based financial companies as well as numerous companies in the U.K., Canada, and Australia. Among the targets are major U.S. banks such as Bank of America, Wells Fargo, Capital One, and Citigroup.  

Since March 2022, threat actors using Robin Banks have become more active, relying on phishing kits that give subscribers personal dashboards, wallet management, page creation, and evasion mechanisms like reCAPTCHA and User-Agent string checking. These features make Robin Banks' kits more sophisticated yet easier to use than other phishing kits such as BulletProftLink and 16Shop. 

ONNX Store Campaign

The ONNX Store campaign represents another significant threat to financial institutions, leveraging sophisticated phishing techniques to breach email communications. The campaign is notable for its ability to deploy multiple phishing vectors, including spear-phishing emails, to compromise financial networks and exfiltrate sensitive data. 

ONNX Store's campaign targeted high-profile financial institutions with well-crafted phishing emails that appeared legitimate, tricking recipients into providing their login credentials and other sensitive information. The campaign utilized advanced techniques to bypass traditional email security measures, such as: 

Multi-Stage Attacks

ONNX Store employed multi-stage phishing attacks, where initial emails contained benign content to build trust, followed by malicious emails targeting specific employees.

Credential Harvesting

The phishing emails were designed to harvest login credentials by redirecting victims to counterfeit login pages that closely resembled legitimate banking portals.

Advanced Social Engineering

ONNX Store used sophisticated social engineering techniques to personalize emails, making them appear as though they were sent from trusted colleagues or business partners.

Malicious Attachments

The campaign also included emails with malicious attachments that, once opened, deployed malware capable of capturing keystrokes, screenshots, and other sensitive information.

These advanced techniques made the ONNX Store campaign particularly effective at infiltrating financial institutions and extracting valuable data. 

Four Layers of Defense Against PhaaS Campaigns

Additional defense layers that complement existing email security solutions have become an integral part of comprehensive cybersecurity strategies worldwide. This layered approach is the best way to mitigate phishing attacks, because different technologies spot different indicators of a phishing attempt.

For example, instead of relying on a single antivirus engine or a handful of them, a robust email security posture combines multiple antivirus engines and detection technologies, each with different specialties and techniques.  

Real-Time Anti-Phishing

This solution employs advanced machine learning and heuristic analysis to detect and block phishing attempts instantly, ensuring malicious emails are intercepted before reaching users.

OPSWAT Real-Time Anti-Phishing has a 99.98% detection rate for spam and phishing attacks, examining email content, sender reputation, and URL patterns so that malicious emails are identified and never reach end users. With over 30 sources for link reputation checks and time-of-click analysis, Real-Time Anti-Phishing significantly reduces the risk of successful phishing attacks.
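As an added illustration (not OPSWAT's product code), the following Python script applies three of the checks named above, sender reputation, URL patterns and a link-reputation list, to one message. The bank's domain list, the bad-domain list and the sample message are all constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
BANK_DOMAINS = {"examplebank.test"}        # constructed: the bank's real domains
BAD_DOMAINS = {"examplebank-verify.test"}  # constructed: link-reputation hits

SAMPLE_EML = """\
From: "ExampleBank Security" <alerts@examplebank-verify.test>
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://examplebank-verify.test/login">www.examplebank.test/login</a> within 24 hours.</p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def reg_domain(host):  # crude registrable domain (last two labels); enough here
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def triage(raw):  # returns the phishing indicators found in one raw RFC 822 message
    msg = email.message_from_string(raw, policy=policy.default)
    findings, sender = [], msg["From"].addresses[0]
    sender_dom = reg_domain(sender.domain)
    # Sender reputation: display name claims the bank, but the domain is not the bank's.
    if "examplebank" in sender.display_name.lower() and sender_dom not in BANK_DOMAINS:
        findings.append(f"display-name spoof: {sender.display_name!r} <{sender_dom}>")
    body = msg.get_body(preferencelist=("html",))
    lc = LinkCollector()
    lc.feed(body.get_content() if body is not None else "")
    for href, text in lc.links:
        href_dom = reg_domain(urlparse(href).hostname or "")
        # URL pattern: visible text names the bank while the target is another domain.
        if any(d in text.lower() for d in BANK_DOMAINS) and href_dom not in BANK_DOMAINS:
            findings.append(f"link text/target mismatch: {text} -> {href}")
        if href_dom in BAD_DOMAINS:  # link-reputation hit
            findings.append(f"known-bad link domain: {href_dom}")
    return findings
```

A quishing variant carries the link inside a QR image rather than an anchor, so the image must be decoded first before the same URL checks can run.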

Multiscanning

This email defense layer addresses the cybersecurity risks of complex and interconnected networks by utilizing a combination of several antivirus engines, enhancing the detection rates by over 99% compared to single-engine solutions. OPSWAT Multiscanning reduces the window of exposure to new and emerging threats by leveraging the strengths of multiple engines.

Deep Content Disarm and Reconstruction (CDR)

This technology sanitizes all incoming email content, stripping out potentially malicious elements like embedded scripts and macros in attachments - even in seemingly harmless QR codes.

OPSWAT Deep CDR works by disassembling and rebuilding files to remove any harmful components, ensuring safety while preserving usability. This technology is highly effective, with over 1,000 files verified against spoofed and complex attacks. Additionally, Deep CDR checks and protects more than 170 file types, significantly reducing the risk of zero-day attacks and other advanced threats.
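To show the rebuild-rather-than-strip principle on the HTML body of an email, here is an added example (not OPSWAT's Deep CDR): it re-emits only an allow-listed set of tags and attributes, drops script content, event-handler attributes and link targets with unsafe schemes, and records what it removed. The allow-list policy and the sample body are constructed; a full CDR pipeline would also rebuild attachments and images, including QR codes, which this snippet does not cover.

```python
from html import escape
from html.parser import HTMLParser
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "table", "tr", "td", "th", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}, "td": {"colspan"}}
VOID_TAGS = {"br", "img"}                                      # no closing tag is emitted
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:", "cid:")  # cid: = inline image part

SAMPLE_BODY = (  # constructed phishing-style body: event handler, script, javascript: link
    '<p onmouseover="alert(1)">Dear customer,</p>'
    '<script>window.location="http://phish.test"</script>'
    '<p>Please <a href="javascript:void(0)" onclick="run()">verify</a> or '
    '<a href="https://examplebank.test/help">read our help page</a>.</p>'
    '<img src="cid:qr.png" alt="QR">'
)

class Rebuilder(HTMLParser):  # re-emits only allow-listed markup and records what it drops
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], 0  # _skip > 0 inside dropped content
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        if self._skip or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")            # e.g. on* event handlers
            elif name in ("href", "src") and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                self.dropped.append(f"{tag}@{name}={value}")    # javascript:, data:, ...
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):  # returns (rebuilt_html, list of dropped tags/attributes)
    r = Rebuilder()
    r.feed(html)
    r.close()
    return "".join(r.out), r.dropped
```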

Real-Time Adaptive Sandbox

Real-time sandboxing isolates files from other system resources so they can be safely examined for malicious behavior. This technology is particularly effective for detecting unknown malware. 

OPSWAT Real-Time Adaptive Sandbox operates 10 times faster than traditional sandboxes and is 100 times more resource-efficient than other sandboxes.

Strategic Email Security Implementation

To effectively counter the threats posed by Phishing-as-a-Service and quishing, financial institutions must implement a focused, robust email security strategy:  

  • Comprehensive Email Risk Assessment: Perform regular assessments to identify vulnerabilities and gaps in the existing cybersecurity infrastructure. 
  • Enhanced Email Gateway Security: Strengthen email gateways, both on-premises and in the cloud (including Microsoft 365), with multi-layered security that includes Real-Time Anti-Phishing, Multiscanning, Deep CDR, and a Real-Time Sandbox to prevent phishing emails from entering the network. 
  • Continuous Security Updates: Regularly update security protocols and definitions to adapt to new phishing techniques and evolving threats. 

As Phishing-as-a-Service continues to evolve, using increasingly deceptive techniques like quishing, it is imperative for financial institutions to enhance their email security practices.  

By understanding the sophisticated nature of Phishing-as-a-Service and implementing cutting-edge defensive technologies, financial institutions can mitigate risks and protect against the ever-changing landscape of email-based cyber threats.  

Strengthening email security is not just a technical necessity but a critical strategy to maintain trust and integrity in the digital age. 
