Nearly Half of Cybercriminals Use Multi-Brand Phishing Kits to Scale Attacks

  • Flare's research found 43.8% of cybercriminals use multi-brand combo kits to impersonate multiple services in one deployment.
  • Analysis of 8,600 underground discussions revealed phishing kits and PhaaS platforms enable low-skill actors to bypass MFA and steal sessions.
  • EvilProxy and Typhoon 2FA were responsible for most recent PhaaS incidents, with 334 and 240 entries respectively.
  • Nearly 48% of phishing actors were non-traditional, including researchers, bots, and malware developers.
  • Phishing kits target banking brands (81.9%), a major e-commerce platform (76.4%), and PayPal (75.1%) as primary fraud vectors.

Flare's research highlights the maturation of the phishing economy into a service-driven underground market, enabling global, scalable attacks. The dominance of multi-brand combo kits and PhaaS platforms indicates a shift towards efficiency and speed in cybercrime operations, challenging traditional defense mechanisms. This trend underscores the need for proactive, behavior-based detection and comprehensive threat intelligence.

  • Defense Adaptation: How security teams will shift from point defenses to systemic disruption, assuming MFA bypass is possible.
  • Global Threat Monitoring: Whether organizations can expand intelligence coverage beyond English-language sources to track high-value tradecraft.
  • User Awareness Evolution: The pace at which user awareness programs evolve beyond URL checks to address modern phishing techniques.