Cisco warns of new ‘Greatness’ phishing-as-a-service tool seen in the wild

A new phishing-as-a-service (PaaS) tool is allowing rookie hackers to incorporate “some of the most advanced” features into their cyberattacks, researchers warned Wednesday.

Similar to other criminal services, PaaS platforms lower the bar to entry for cybercrime, offering unskilled hackers the ability to automate the tasks involved in tricking victims into entering their credentials on a fake login page.

The report from Cisco’s Talos threat intelligence team says the new service is called “Greatness” and was first seen in mid-2022 — with spikes in activity in December 2022 and March 2023 based on the number of attachment samples available on VirusTotal.

It has “almost exclusively” been used to target companies, rather than government organizations for instance, by mimicking their Microsoft 365 login pages, indicating that the service’s users are motivated by accessing their targets’ networks for financial gain rather than espionage purposes.

Businesses in the manufacturing, healthcare and technology sectors were the most commonly targeted according to Cisco’s analysis of phishing domains, with the U.S. accounting for more than 50% of victims, followed by companies in the U.K., Australia, South Africa and Canada respectively.

The service provides its affiliates with everything from an attachment and link builder through to “highly convincing decoy and login pages,” where the victim’s email address is already pre-filled and the company logo and background image have been extracted from the organization’s real Microsoft 365 login page.

Its features also include multi-factor authentication (MFA) bypass, IP filtering, and integration with Telegram bots, said Cisco. The Telegram bot is used to inform affiliates as soon as the service has stolen an authenticated session cookie before the cookie times out.