Want to get into the social engineering game? It is becoming a whole lot easier. For $300 a month, Microsoft says, you can purchase a phishing kit to start becoming a seasoned social engineer. That’s less than ten dollars a day!

A threat actor known as DEV-1101 has been selling adversary in the middle (AiTM) phishing kits since last summer. The group started selling the kits on Telegram for $100 a month but have increased their prices as they have added features to the kits, such as letting customers manage campaigns from mobile devices, as well as an increase in demand for the kits.

In an AiTM phishing attack, cyber actors deploy a proxy server between a target user and the website the user wishes to visit (or the site the attacker is trying to impersonate). This setup allows an actor to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website. In short, the attacker is able to steal the credentials and the second-factor code. Here is a look at how the attack works:

  1. A user puts their password into a phishing site
  2. The phishing site proxies the request to the actual website
  3. Website returns an MFA page
  4. Phishing site proxies the MFA page to the user
  5. User inputs the second factor authentication code
  6. Phishing site proxies the actual website with the request
  7. Website returns a session cookie granting the attacker access
  8. Phishing site redirects the user to another page

Kits allow attackers to launch phishing campaigns with millions of emails. Phishing remains the most common form of cybercrime and the use of stolen credentials is the most common cause of data breaches. Simply, phishing works. It’s cheap, and it is effective.

These types of phishing kits significantly lower the barrier to entry when it comes to phishing. And they are just the tip of the spear. Advances in technology have made it much easier to develop a phishing campaign. Readily available digital graphics, the proliferation of personal information available freely online, and phishing kits make developing robust social engineering attacks much easier.

The meteoric rise of generative artificial intelligence tools such as ChatGPT and DALL-E, will make spearphishing much more difficult to spot. One example of this would be language. A telltale sign of phishing is the stunted English attackers often use in these campaigns. With the aid of AI tools, creating language to help attackers craft realistic spearphishing emails will become easier.

If we add in synthetic media, such as deepfake audio and video, creating business email compromise (BEC) attacks, in which an attacker tricks an employee into changing a bank account number or wiring funds to an attacker, becomes much simpler and much harder to identify. One can easily imagine an attacker using a deepfake voice of an executive to trick an employee into changing critical information or wiring money to an attacker.

In the past several years, we have seen cyber attackers become less territorial about their tools. There has been a proliferation of an “as a service” model. This has been widely seen in the ransomware market. Ransomware groups have begun selling their tools for a portion of the profits rather than performing the attacks themselves. These groups sell their tools to “affiliates.”

Affiliates are any person with the desire to seek out the services on the dark web. Armed with nothing more than a device and a TOR browser, a person can become a ransomware affiliate and get in on the fun. These ransomware as a service (RaaS) kits can consist of customer service support, bundled offers, user reviews, forums, and other features.

Protecting your organization from these types of kits is a constant battle on two fronts. The first is the network. The second is the end user.

Let’s start with the network. How does one protect the network from an increasing number of ransomware and spearphishing attacks?

Segment Your Network: It is important to adopt the principle of least privilege. Users should only have access to the data that they need to complete their work. An organization must understand the type of data it holds, that data criticality, and how that data flows throughout the network. Developing a data blueprint can aid in this task. This gives an organization a view of the data flowing throughout the network, which makes ranking the data based on criticality and segmenting the network based on least privilege a much more manageable task.

Audit Credential Exposure: Reduce administrative privileges as much as possible. Ensure that you have a process for removing users after they have been terminated or have left the organization. Also ensure you are monitoring East-West traffic inside of the network. North-South traffic is the traffic coming in and out of the network, but it is also important to monitor the East-West traffic, or the movement of users throughout the network. Reviewing audit logs periodically is essential. Monitoring tools can aid in this as well as alert stakeholders when there are anomalies.

Invest in Advanced Anti Phishing Solutions: Utilize tools that monitor and scan incoming emails and visited websites. These tools can automatically identify and block malicious websites including those used in phishing campaigns and solutions that detect and block malicious emails, links, and files.

When it comes to the human firewall?

Increase Employee Awareness Training and Testing: Most organizations utilize some sort of employee awareness training or testing platform. But these platforms can often be stale or static. It is important to have ENGAGING employee awareness training and testing. Make sure it is also current and highlights new attack vectors and tools such as the use of synthetic media or deepfakes. Higher profile executives, or those that handle sensitive or financial information, should receive additional training to highlight the increased risk they face.

Layered Human Firewall Protection: When it comes to Business Email Compromise (BEC) one person should not have the power, alone, to change important financial information such as an employee’s bank account information or the routing number to a wire transfer. These changes should require ATLEAST two people to sign off on them, if not three. This will help alleviate the chances that someone makes a mistake, and a fraud occurs.

Better Multifactor Authentication (MFA): While using a SMS-based multifactor authentication is better than using no MFA, there are still far superior options. An authentication app, such as Google Authenticator, helps to remove the risk of SIM swapping attacks (where an attacker can get a person’s smartphone changed over to a device they control). A hardware key, such as a YubiKey, is the best option when it comes to MFA. This is a token that is physically on the person of a user and helps dramatically lower the risks that someone can break into a user’s account.

It is going to become increasingly simple for anyone with the desire to do so to deploy phishing, spearphishing, ransomware, and BEC attacks. This lower bar for entry will require greater diligence by organizations to ensure they are doing what they can to protect their networks and their end users. Staying ahead of the threat is manageable, but it will require persistence.