Understanding Digital Attackers’ Appropriation of the “As a Service” Model


Recently, I wrote about Microsoft’s discovery of a new phishing-as-a-service (PhaaS) offering called “BulletProofLink.” PhaaS functions similarly to Ransomware-as-a-Service (RaaS), the tech giant explained, in that it follows the Software-as-a-Service (SaaS) model. Someone needs to develop infrastructure that buyers can use to stage their own attacks. In the case of PhaaS attacks, malicious actors pay for hosted phishing links and pages so that they can receive the stolen credentials later. That stands in contrast to RaaS operations where attackers gain direct access to compromised devices.

Why Digital Crime Is Turning to SaaS

According to IBM, the SaaS model brings several benefits to customers—even those that have nefarious ends in mind. Those advantages are as follows:

  • Reduced time to benefit: It’s not the customer’s responsibility to install and configure the software on their own. All they need to do is provision the server for an instance in the cloud. This saves customers time that they would otherwise need to spend on deploying the software. That also goes for attackers, who can just start using the software to ensure a higher success rate of their attacks.
  • Lower costs: Software sits within a shared or multi-tenant environment, which brings down the associated software and hardware costs as well as the maintenance fees. These savings trickle down to the customer. If criminals can just rent out access to ransomware or a phishing service, they can save more of their funds for conducting attacks.
  • Scalability and integration: Customers don’t need to buy additional servers or software to scale their solutions. All they need to do is enable a new SaaS offering that’s owned by the provider as their needs evolve. It’s therefore easy for attackers to scale up their malicious activity without consuming more of their monetary resources.
  • New releases (upgrades): The SaaS provider is responsible for upgrading their solution, at which point a new version becomes available to their customers. It’s not the responsibility of the customers to purchase upgrade packages and/or support services so that they can install it. As such, attackers get the best and brightest features that they can use to evade organizations’ defenses.
  • Easy to use and perform proof-of-concepts: SaaS offerings give customers the option of testing new functionality or release features in advance. They can also have one instance with different versions. These possibilities allow attackers to customize their efforts, making it possible for even those with limited technical experience to launch their own attack campaigns.

These benefits help to explain why attackers are embracing Cybercrime-as-a-Service offerings like RaaS and PhaaS operations. There’s also Malware-as-a-Service (MaaS), where attackers gain access to malware strains on a pay-as-you-go basis. In late September, for instance, Forbes reported that Russian-speaking underground hacking forums were offering a new MaaS operation at $10 per month or $40 for a lifetime subscription. The threat is specifically designed to harvest user data and session information from major PC gaming platforms so that attackers can sell in-game loot on the dark web.

Then there’s Fraud-as-a-Service (FaaS). These types of offerings can take on various forms. As an example, WeLiveSecurity discovered a malware-driven FaaS platform called “IISerpent” in August 2021. The threat leveraged SEO fraud techniques on compromised IIS servers to augment the page ranking for third-party websites by preying on a compromised site’s ranking.

Defending Against Crimeware as a Service

The types of offerings discussed above highlight the need for organizations to defend themselves using multiple layers of protection. That principle applies across all levels of an organization’s infrastructure including their email.