
A new type of product has begun to be sold on the darknet: access to a platform that enables turnkey phishing mailings, cybersecurity companies said. The package includes everything from creating and editing email templates to managing email account settings and checking for spam. Such a tool allows attackers to multiply the volume and intensity of campaigns, experts warn. Whether a surge in phishing activity should be expected as this infrastructure becomes automated is covered in this Izvestia article.

How the phishing mailing platform works

A shadow forum began selling access to a turnkey web platform for phishing mailings, BI.ZONE Threat Intelligence specialists told Izvestia. The tool offers a "full cycle" service: from creating and editing email templates to managing email account settings and checking for spam. A significant part of the functionality is related to bypassing security mechanisms that block phishing emails at an early stage.

The creators of the platform claim that the subjects and contents of emails are checked for signs of spam, and texts containing malicious links are sent to test mailboxes. Attackers use artificial intelligence to manage mailings and increase the likelihood of emails reaching the inbox.


In this way, phishing mailings turn into a service process where the operator does not need to dive into technical details, and mailing campaigns can be managed with a single button.

"Phishing has been and remains the most popular method of obtaining initial access," said the head of BI.ZONE Threat Intelligence, Oleg Skulkin. "It starts 64% of attacks on Russian companies. Such automation platforms make the threat even more widespread, allowing attackers to multiply the volume and intensity of campaigns."

The cost of access to the platform is $450 per month, $1.2 thousand for three months and $2.2 thousand for six months.

The existence of such a mechanism has been confirmed by other cybersecurity companies. According to Valeria Besedina, an analyst at the Positive Technologies Cyber Analytics research group, one of the main elements of such an infrastructure is administrative panels (an interface for managing the functions and content of a website or web service): the share of ads for their sale is 18%. Ready-made tools are used to collect credentials, monitor victims, manage templates, and work with statistics on attacks.


"Various detection circumvention mechanisms are also used: anti-bot protection functions and detection mechanisms for analysis attempts," said the expert. "Ads for bypassing two-factor authentication are also widespread: 13%. Some solutions provide for the adaptation of phishing pages to specific countries and imitation of specific banks or services; victims trust such sites more."

Izvestia sent a request to Roskomnadzor asking how the fight against resources on the darknet is being conducted and whether this platform will be blocked. The agency recommended contacting the Ministry of Internal Affairs; the editorial board sent a request.

What other tools are being sold

Such tools significantly reduce the threshold for entering the illegal market, as even novice criminals with very low qualifications can create malicious emails, Oleg Skulkin added.

"In 2025, attackers were three times more likely to send phishing emails than a year earlier," he said.


Phishing services can be offered as a turnkey package, or individually, for example, as an aid in website development or email distribution, said Alexandra Fedosimova, an analyst at Kaspersky Digital Footprint Intelligence.

"The cost depends on the content and varies greatly: over the past year, the prices indicated by the authors of the ads reached up to $7 thousand per package of services," she said. Cybercrime-as-a-Service allows attackers to conduct business by offering their knowledge and experience as a commodity.

According to the expert, attackers have become more inclined to create multidisciplinary services, offering many services at once, which allows them to have a stable income in the form of regular customers.

The concept of a cybercrime service model is popular, said Alexander Vurasko, Director of Development at the Solar AURA External Digital Threat Monitoring Center at Solar Group.

"Back in the mid-2010s, it was possible to gain access to a platform that allows stealing money from citizens' bank accounts using Trojans," he recalled.


Turnkey phishing platforms are actively distributed through closed communities and messengers like Telegram, said Olga Altukhova, a cybersecurity expert at Kaspersky Lab.

"Artificial intelligence really plays a separate role here," Olga Altukhova said. "For example, phishers can use AI tools to generate fake web resources. Artificial intelligence-based website designers have appeared in the arsenal of attackers, allowing them to automatically copy the design of legitimate websites, generate adaptive interfaces and forms for entering credentials."

Mailing kits (spam-as-a-service), botnet control panels, ready-made malware kits, proxy rental services and infrastructure, as well as access to already compromised accounts and corporate networks are also actively sold, said Kirill Levkin, MD Audit project manager.

"There are also services for checking the 'deliverability' of emails and emulating the behavior of real users," he said.


According to the expert, automation and accessibility of phishing tools lead to an increase in the number of attacks and a decrease in their cost.

"Now launching a campaign requires fewer resources, which means there are more attacks," he said. "The main danger lies in the combination of mass character and personalization. Previously, phishing was either massive or targeted, but now these models are combined. Users and companies will more often encounter attacks that are more difficult to distinguish from legitimate communications."

How AI helps criminals

AI makes it possible to create realistic and convincing emails, analyze large amounts of data and adapt attacks to a specific company or person, as well as quickly analyze and scale effective scenarios, says Evgeny Pankov, a data analyst at the Coordination Center for .RU/.РФ domains.

"A separate trend is the creation and use of audio and video clips. A short recording is already enough to generate a plausible call or video on behalf of an acquaintance or colleague," he added. "Therefore, calls from unfamiliar numbers should be treated as carefully as possible, and it is better not to answer such calls at all. In general, the symbiosis of technology and manipulation makes attacks more accurate and increases the damage from them."


At the same time, classic phishing is giving way to more complex schemes, the expert noted. Attacks are becoming multi-stage, with elements of social engineering, QR codes, malicious attachments, and links to dynamically swapped pages. E-mail is also ceasing to be the only "entry point": phishing is actively moving to messengers and social networks, where users are less wary and respond to messages more readily.

According to Evgeny Pankov, today the average blocking time for phishing resources on the Runet is about five hours. In addition, from September 1, mandatory identification of domain administrators through the ESIA will be introduced, which should complicate the registration of phishing domains and increase the overall security level of national domain zones.
