IT Brief Asia - Technology news for CIOs & IT decision-makers
Phishing-as-a-Service drives surge in cybercrime for 2025

Yesterday

Barracuda Networks has released new details on the rising prevalence of Phishing-as-a-Service (PhaaS) attacks, the technologies underpinning them, and trends shaping cybercrime in 2025.

The company's analysis found that an estimated 60% to 70% of all phishing attacks observed since the beginning of 2025 have been delivered using PhaaS models. Of these, the Tycoon 2FA phishing kit emerged as the most popular, responsible for 76% of the detected incidents. EvilProxy accounted for 8%, while Mamba 2FA and Sneaky 2FA together made up 6%. The remaining 10% consisted of other kits such as LogoKit, CoGUI and FlowerStorm.

Understanding PhaaS

Phishing-as-a-Service is a model in which individuals or groups provide ready-made phishing tools, infrastructure and support to customers for a fee, often via subscription services or one-off payments. This business-like approach means non-technical users can easily launch phishing campaigns without building infrastructure or writing code.

According to the explainer released by Barracuda, "Phishing-as-a-Service, or PhaaS, is a cybercrime model where threat actors offer phishing tools, kits and services to other attackers, often via subscription or one-time payment. It lowers the barrier to entry for phishing attacks by providing ready-made templates, hosting, automation and even customer support. PhaaS enables non-technical users to launch sophisticated phishing campaigns, contributing to the rise in phishing incidents globally."

Attackers typically access these services through forums, darknet markets, or messaging channels such as Telegram. The platforms provide templates for impersonating well-known brands and offer means to collect sensitive information entered by victims, which attackers can then use for financial gain or identity theft.

The explainer notes, "Attackers sign up for this service — often through Darknet or Telegram channels — and obtain access to their PhaaS infrastructure. The service provides ready-made fake emails and websites that look just like real companies. The scammer can customise messages to make them convincing. Then, these fake emails or websites are sent out to lots of people. When someone falls for the trick and enters their private info, the scammer collects it and can steal money or identities."

Barriers lowered

PhaaS is popular with users seeking to commit credential theft but lacking the skills to develop phishing infrastructure from scratch. The systems are marketed not only at experienced cybercriminals, but also at individuals with limited technical knowledge, as the ease of use and available support bring phishing within reach of a broader group of criminal actors.

"Attackers who want to do credential theft but don't know how to build the phishing emails, infrastructure to host fake Microsoft/Google login pages, steal multifactor-authentication (MFA) tokens and send them to a command-and-control server. Sometimes even people who aren't very tech-savvy can use PhaaS because it makes it easy for anyone to launch scams," the explainer says.

PhaaS allows for rapid deployment of attacks, high levels of automation and large-scale targeting, including of small businesses and individual consumers. Typical victims range from employees at companies targeted for access to internal systems, to consumers receiving emails purporting to be from banks or popular online services.

"It saves time and effort — they don't have to create complicated scam setups from scratch. It's often cheap or subscription-based, so it's easy to access. It's much easier now to launch a sophisticated phishing campaign targeting thousands of people with just a few clicks or minimal effort, compared to traditional phishing attacks. These modern attacks are highly advanced — they use clever methods to avoid detection and often rely on legitimate but compromised websites and platforms."

Market forces

PhaaS providers continually update their kits to bypass security measures, and competition between providers is fierce. Kits compete on factors such as price, accessibility, customer support, regular updates, and their ability to avoid detection. Subscription models and customer service functions have become normal, mirroring the software industry.

"Kits that are cheaper or easier to get tend to attract more users. Some offer subscriptions, while others sell one-time licenses. The price and payment options matter a lot. Updates: Some PhaaS providers offer customer support and regularly update their kits to bypass new security measures. Kits that stay updated and provide help keep their users loyal. Success rates: If a kit is known for helping scammers avoid detection and successfully steal information, it gains popularity over others."

Emerging kits and techniques

Barracuda identified several new PhaaS kits, such as Darcula, which merges phishing with malware delivery and tends to target mobile users, and Morphing Meerkat, noted for altering its appearance to bypass email controllers. Other kits have been tailored to particular regions, such as CoGUI, which targets Japanese organisations, and Sniper Dz is highlighted for mimicking the login pages of popular services.

According to the explainer, "What makes these kits particularly dangerous is that they constantly evolve — updating their methods to avoid being detected by security systems. This ongoing development helps scammers stay one step ahead and makes it harder to shut them down."

Detection evasion

PhaaS operators and their customers deploy techniques including encrypting malicious code, using code obfuscation, leveraging legitimate but compromised websites, and actively detecting when they are being monitored by security software or research sandboxes. When a kit detects such monitoring, it redirects the visitor to a genuine website so that the page appears harmless.

The use of encryption and the adoption of real, trusted sites for hosting phishing content make detecting such threats more challenging for security tools, which traditionally focus on signature-based or heuristic detections of uncommon domains or content.
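The sandbox-detection behaviour described above can be checked for from the defender's side by fetching the same URL with a sandbox-like client profile and a victim-like one and comparing where each lands. The example below is added here and is not Barracuda's code; the fetches are simulated with constructed fixtures (the hostnames and HTML are invented) and the trusted-host list is an assumption.

```python
"""Cloaking check: compare what a sandbox-like client and a victim-like client
receive from the same URL. Network fetches are replaced by constructed fixtures
(assumption: swap fetch_simulated for a real fetcher in practice)."""
from dataclasses import dataclass
from urllib.parse import urlparse
import hashlib
import re

# Assumed set of genuine sign-in hosts a cloaked kit might bounce a sandbox to.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)

@dataclass
class Fetch:
    final_url: str   # where the client ended up after redirects
    body: str        # HTML actually served to that client

# Constructed fixtures: one cloaked kit on a compromised site, one page that
# behaves the same for every client.
FIXTURES = {
    ("http://blog.compromised-site.example/wp-content/x/", "sandbox"):
        Fetch("https://login.microsoftonline.com/", "<html>genuine sign-in</html>"),
    ("http://blog.compromised-site.example/wp-content/x/", "victim"):
        Fetch("http://blog.compromised-site.example/wp-content/x/",
              '<html><form><input type="password" name="pw"></form></html>'),
    ("https://docs.internal.example/", "sandbox"):
        Fetch("https://docs.internal.example/", "<html>docs</html>"),
    ("https://docs.internal.example/", "victim"):
        Fetch("https://docs.internal.example/", "<html>docs</html>"),
}

def fetch_simulated(url, profile):
    return FIXTURES[(url, profile)]

def assess(url, fetch=fetch_simulated):
    """Return per-signal findings plus an overall cloaking verdict for url."""
    sandbox, victim = fetch(url, "sandbox"), fetch(url, "victim")
    host = lambda f: urlparse(f.final_url).hostname
    digest = lambda f: hashlib.sha256(f.body.encode()).hexdigest()
    findings = {
        "destination_diverges": host(sandbox) != host(victim),
        "content_diverges": digest(sandbox) != digest(victim),
        "sandbox_sent_to_trusted_site": host(sandbox) in TRUSTED_LOGIN_HOSTS,
        "victim_sees_password_form": bool(PASSWORD_FIELD.search(victim.body)),
    }
    # A page that sends monitoring clients to a real brand site while serving
    # everyone else a credential form is the cloaking pattern to escalate.
    findings["suspected_cloaked_phishing"] = (
        findings["destination_diverges"]
        and findings["sandbox_sent_to_trusted_site"]
        and findings["victim_sees_password_form"]
    )
    return findings
```

A single fetch from a security scanner would only ever see the genuine sign-in page in the first fixture, which is why the comparison across profiles, not the content of one response, carries the signal.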

Despite ongoing efforts by security professionals and law enforcement, the widespread distribution of PhaaS services and kits, international hosting, and frequent method changes continue to pose challenges for effective mitigation and takedown of phishing operations.
