Phishing continues to make headlines with attackers using stolen credentials to gain access to valuable systems and sensitive data. Although phishing has been a known technique for a long time, the industry is still struggling to effectively defend against it.

This may seem surprising to many as “phishing” calls to mind poorly written emails, generic text messages, poorly made web pages, or robot-voiced phone calls – and the industry has been trying to defend against these methods for years. Primary defenses thus far have been training and legacy MFA (multi-factor authentication). However, these defenses make user discretion one of the key components. If an attacker can successfully trick a user with sufficiently convincing visuals and URLs, they can still be successful. 

As long as there’s still a reasonable chance of success for relatively low effort, attackers will continue to build upon their successes. Similar to how today’s developers will leverage toolkits and shared community projects to simplify their work, attackers are able to do the same. There are toolkits that simplify the effort needed for an attacker to get up and running to just a few command line steps. 

An example of a similar tool intended for demonstration and research purposes, evilginx2, allows researchers to easily set up and enable convincing phishing campaigns. A researcher installs the toolkit and selects an option from a set of community developed options called phishlets. 

This style of toolkit still requires a technically savvy attacker, but doesn’t require specialized phishing campaign software skills. 


Now the ecosystem has evolved even further with phishing services. For criminals who know where to go and are willing to part with some crypto, it is possible to have a phishing service provider manage their phishing campaign for them and simply provide them with results without any technical knowledge of phishing campaign tools on behalf of the attacker. Similar to legitimate service offerings, phishing-as-a-service providers are even offering discounts and subscriptions to entice new users. A screenshot from Resecurity’s blog post on a recent phishing-as-a-service campaign shows how simple these services make it for attackers to start up these campaigns. 

What can be done to combat phishing campaigns today?

Phishing-resistant MFA is really the most effective way to address this issue due to a couple main distinctions:

The credentials are tied to a domain and a user does not have to visually assess whether a site is legitimate or not. This means an attacker can’t trick a user with unicode tricks or convincing images. 

Using asymmetric credentials means users no longer have to trust service providers with the credentials they use to access their services

To see how this phishing attack could go differently with the use of FIDO security keys like the YubiKey, check out a demonstration from Rachel Tobac made in collaboration with Yubico here.

The post An inside look: How hackers rely on low effort tactics for phishing attack success appeared first on Yubico.


VaultumCity is the best trusted place to select and buy your best Yubikeys, Vaultumcity free ship all yubikeys, Vaultumcity is reseller distributor of yubikeys so you can find cheapest best yubikey in Vaultumcity. If you are looking for best Yubikeys in Singapore at VaultumCity website online store.

The shop that sells yubikeys is

Our delivers are from Singapore, distribute globally. Buying Yubikey in Vaultum to have best customer and after sales services. All Yubikeys sold at Vaultumcity are quality guaranteed. Please place a large amount order to have great discount for reseller. Contact Vaultumcity at whenever you have any issue with your yubikeys. Buying yubikeys at Vaultumcity to have best newest yubikeys free shipped to your door, FIDO2 U2F SECURITY KEY C NFC, FIDO2 U2F SECURITY KEY NFC, YubiKey 5 Nano, YUBIKEY 5 NFC, YubiKey 5C, YubiKey 5C nano, YubiKey 5C NFC, YUBIKEY 5Ci, YubiKey Bio – FIDO Edition. Yubikeys are best most secure tools for two-factor authentication. You can also buy yubikeys form Malaysia, Yubikey Malaysia is being sold at Vaultumcity with great price and free ship, you have it fastest, just in few days because we’re here in Singapore.

If you are looking for yubikeys in Indonesia, Vaultumcity is a great place to buy yubikey Indonesia, you can have yubikeys to protect your logins in just few days. Vaultumcity ship your yubikeys to your home in Thailand, to help ensure your data is safe and secured.

What about South Korea, Vaultumcity bring your yubikeys to your home in South Korea free-shipped.

Vaultumcity also delivers yubikeys to Japan, any province or city to your hands. Check out and grab your best suited yubikey today at VaultumCity.