Hackers now using phishing-as-a-service to target enterprises: Akamai

Hackers now using phishing-as-a-service to target enterprises: Akamai
Photo Credit: Pixabay
5 Nov, 2019

Cybercriminals are now gaining access to enterprise data using phishing-as-a-service (PHaaS) and attack some of the world’s top companies, says a report by global cloud computing provider,  Akamai.

Microsoft, PayPal, DHL and Dropbox account for as many as 42.63 % of domains targeted using PHaaS. 

PHaaS is a method by which hackers get in touch with organised criminal groups on the dark web who offer phishing services. Just like how software-as-a-service or SaaS has reduced software ownership costs and made its adoption easier, PHaaS has made phishing less labour-intensive and more organised.

Phishing is also not restricted to emails anymore and has now expanded to social media and mobile devices. This has further evolved into business email compromise (BEC) attacks.

These attacks have stung enterprises, with BEC attacks leading to global losses of close to $12 billion, according to data from the Federal Bureau of Investigation. 

"We expect we will have adversaries continuously going after consumers and businesses alike until personalised awareness training programs and layered defense techniques are put in place," said Martin McKeay, Editorial Director of the State of the Internet/Security report for Akamai.

Deep technology is the most targeted sector with over 6,035 domains and 120 kit variations, followed by the financial services sector, with 3658 and 83 kit variants. Ecommerce and the media verticals came in at third and fourth places on the list, according to Akamai’s 2019 State of the Internet/ Security Phishing: Baiting the Hook report. 

Microsoft, with 21.88 of total domains attacks, was the most targeted company followed by Paypal and DHL with 9.37% and 8.79% of the attacks respectively.

The hackers have also reduced the activity period of each attack to 20 days, with 60% of the phishing kits being active for 20 days or less, in order to minimise detection and improve chances of evasion.

“The style of phishing attacks is not one size fits all; therefore, companies will need to do due diligence to stay ahead of business-minded criminals looking to abuse their trust," added McKeay.