Phishing-as-a-service has democratised cyber crime by making phishing tools and methods commercially available to everyone all over the world, for as little as $80 (R1 500).
This was the word from Almero Steyn, CTO and CISO of Integralis IT Consultancy, speaking yesterday at ITWeb Security Summit 2024, in Johannesburg.
Discussing how crime-as-a-service has evolved over the years, Steyn pointed out there has been significant maturity in the threat landscape, not only in the easy access to phishing tools available online and on the Dark Web, but also in the advancement of the tools making their way into the hands of threat actors.
A trend that is increasingly gaining momentum is intentional insider threats, where employees sell valuable data to a third party, or provide them with access to the company’s internal systems for a fee of anywhere between $80 and $300, he noted.
“Governing access in your business with proper identity controls has never been more important. In the African context, $300 holds significant allure, capable of swaying even the most loyal employee on the service desk or call centre.
“This seemingly modest sum becomes tempting bait for individuals to compromise their credentials, opening the floodgates to unauthorised access and compromising your organisation's security.”
He emphasised the critical role of identity governance in safeguarding against such breaches, through implementing robust identity controls which bolster systems against external threats.
“Phishing-as-a-service allows somebody to pay a fee for a subscription to access cyber crime tools, or an organisation’s systems, for three to 30 days. In the past, cyber criminal vendors offered this service on the Dark Web; today, it is available anywhere, and sellers could be anyone, including trusted employees.”
The trend has transformed cyber criminals into service providers, and also turned ordinary people who purchase the service into cyber criminals, he continued.
It allows them to access valuable information within the organisation, including company accounts, mailboxes, systems and databases with sensitive customer data – and the repercussions will be felt across a multitude of applications, he warned.
“The biggest problem our customers experience is when they have internal people selling access to their systems to an outsider. We have an agent at our client’s service desk here in South Africa who sold access for less than R5 000.
“One of the best ways of fortifying a company’s defences – apart from multi-factor authentication and zero-trust frameworks – is to make sure people have good governance in place. This includes knowing who is granted access, and during which times and what devices are used to authenticate.
“Organisations should make sure these employees only have access to the systems they need, when they need them, by using practical tools that are vendor-agnostic.”