← field notes

Phishing Is a Subscription Business Now

imagine a counterfeit shop appearing overnight in an empty storefront. the signs match, the shelves look familiar, and a clerk quietly forwards every request to the real shop next door. years ago, building that illusion took a patient forger. now the walls, signs, forwarding desk, and even customer support can arrive as a monthly rental.

that is the change hidden inside modern phishing. it stopped being only a craft practiced by isolated scammers and became a software industry, divided into developers, resellers, operators, delivery crews, and specialists who turn stolen access into money. the crime did not become magical. it became organized, repeatable, and much easier to buy than to understand.

from homemade trap to rented service

the old picture of phishing is a badly copied login page assembled by one person, attached to an awkward message, and abandoned when the hosting disappeared. that still exists. but it no longer describes the industrial end of the market.

a phishing kit packages the pieces of the deception into ready-made infrastructure. it may include copied page designs, the machinery that collects submitted information, an administration panel, hosting guidance, updates when the real site changes, and a way to notify the operator when something valuable arrives. phishing as a service adds the business wrapper: recurring fees, access tiers, technical support, and sometimes a share of whatever the customer steals.

the important shift is not a single technical breakthrough. it is that expertise became rentable. someone who understands web development can build the imitation once, maintain it centrally, and sell access to many operators who never need to understand what happens underneath.

the company behind the counterfeit

the structure looks uncomfortably familiar because it borrows from legitimate software companies. developers maintain the core product. designers keep copied pages aligned with changes made by banks, email providers, or workplace login portals. support staff answer customers when a page fails, a browser blocks a domain, or captured data stops appearing in the control panel.

resellers may sit between the developer and the operator, handling payments and recruiting in closed communities. some vendors charge a flat rental, while others take revenue share in exchange for a claim on successful theft.

none of this makes the market trustworthy. criminal vendors cheat customers, copy one another’s code, plant hidden access, and vanish with subscription payments. scale also creates dependency on an anonymous supplier who may collect the same stolen accounts twice.

the assembly line around the kit

the kit is only one station in a longer production line. separate specialists acquire lists of possible targets or access to compromised mailboxes. others handle message delivery, using whatever social pretext makes a recipient feel urgency: an expiring account, a disputed payment, a shared document, a workplace request.

the operator rents the false login machinery and watches for captured sessions. another party may use access before it is revoked, while others move stolen value. each participant can know only a narrow part of the operation.

this division matters to defenders. stopping one sender does not remove the developer. taking down one false domain does not remove the delivery network or the people downstream. the system survives losses because its parts are replaceable.

the page that talks to the real one

the simplest kits present a static copy. a victim types a password, the false page records it, and the crime depends on that password remaining useful. multifactor authentication made this older pattern less reliable because a password alone was no longer enough.

modern kits answered with a more dangerous arrangement: the false site can stand between the victim and the real login service, relaying the exchange in real time. in networking language it acts as a reverse proxy, a middle layer that passes traffic onward while remaining in the conversation. the victim sees a convincing login flow because much of that flow is actually coming from the real service.

when the real service asks for a one-time code, the false page passes that request back. when the victim supplies the code, it is immediately relayed to the real site. if the login succeeds, the middle layer may capture the session token returned afterward, the browser’s temporary proof that authentication has already happened.

this is why one-time codes are not a complete answer to phishing. the code can still be useful because a person can be tricked into giving it to a live intermediary during the short window when it works. the attacker does not have to break the code’s mathematics. the system simply persuades the rightful user to complete the real ceremony through the wrong doorway.

what the proxy cannot erase

the proxy remains constrained by facts it cannot change. the browser is connected to a different domain, no matter how perfect the page looks. certificates, registration, hosting patterns, and infrastructure timing all leave evidence.

the operator also depends on a fragile chain. the message must arrive, the recipient must act, the false domain must remain online, the kit must correctly mirror a changing login flow, and the captured session must still be accepted when someone tries to use it. a break at any point can spoil the attempt.

this is the honest version most descriptions skip. real-time kits can defeat some multifactor authentication, but they do not make phishing invisible or certain. they trade a static page for a complicated machine with more places to leave a trail.

why passkeys change the ceremony

passkeys and FIDO security keys are built around the one detail the copied page cannot borrow: the real domain. during registration, the authenticator creates a cryptographic credential tied to a specific site. during login, it will produce a valid response only for that site’s identity.

on a lookalike domain, there is no secret to type and no code to relay. the authenticator sees the wrong place and the ceremony cannot complete. copying pixels does not copy the cryptographic relationship.

this is the same deeper idea behind the site’s explanation of passkeys: the defense works by removing the shared secret from the human conversation. a proxy can forward words and forms. it cannot make a credential bound to one domain become valid for another, and a captured response cannot simply be replayed as a fresh login elsewhere.

there are still other ways accounts can be attacked, including compromised devices, malicious account recovery, and manipulation of support staff. passkeys do not end identity theft. they do, however, structurally close the particular relay trick that makes real-time phishing kits so effective against passwords and typed codes.

taking down the storefront

before a victim reaches the page, defenders try to make the storefront disappear. registrars and hosting companies can suspend abusive domains and servers after reports and investigation. brands, security teams, researchers, and law enforcement map related infrastructure so that one discovery can expose other sites operated from the same cluster.

takedown is a race against a short clock. a campaign may do most of its harm before a complaint reaches the right provider, and replacements appear quickly. aggressive suspension also risks removing innocent sites, so providers need evidence.

browser warning lists fight at another layer, placing a warning between the visitor and known malicious pages. they can protect millions quickly, but they are strongest against infrastructure already seen. new domains live in the gap before classification.

stopping the message before the click

mail defenses try to interrupt the operation even earlier. authentication systems let receiving providers check whether a message claiming to come from a domain was authorized by that domain and what should happen when the check fails. as the site’s email-authentication story makes clear, this helps close direct impersonation, but it does not prove that every authenticated sender is honest.

a criminal can use a newly registered lookalike domain, abuse a legitimate compromised account, or send a message whose visible wording suggests a brand without technically forging its domain. filters therefore examine more than authentication. they weigh links, page reputation, sending history, language, attachment behavior, and patterns shared across a campaign.

the same trade-off returns. loose filters deliver traps; strict filters bury ordinary mail. the machinery combines weak signals fast enough to act before the campaign changes shape.

the defenders follow the business

the subscription model creates advantages for investigators too. a service used by many operators tends to reuse code, page assets, administration paths, server habits, and payment relationships. those repetitions become fingerprints of the supplier even when individual domains keep changing.

customer panels and central update systems are efficient precisely because they concentrate activity. when researchers or law enforcement identify that center, the effect can reach beyond one campaign. infrastructure seizures, arrests, payment disruption, and exposure of customer records can turn the vendor’s scale into a map of the market it served.

but disruption rarely means permanent removal. code gets copied, former customers migrate, and replacement vendors appear. the underlying demand remains while passwords and typed codes remain valuable objects that a human can be induced to hand across the wrong boundary.

removing the thing worth stealing

that is why the long-term answer is not merely a better warning page or a faster takedown desk. those defenses matter, especially during the slow years when older login systems remain everywhere. but they chase the counterfeit shop after it has been built.

the stronger answer changes what the shop can sell. domain-bound authentication makes a copied login page unable to complete the same transaction as the original. short-lived sessions, careful recovery controls, device signals, and rapid revocation reduce the value of anything that still escapes. layered together, these measures turn a captured form from a master key into a clue that defenders can contain.

phishing became a subscription business because software made deception repeatable and labor could be split among specialists. the defensive response has to understand that business, cut its delivery routes, remove its storefronts, map its suppliers, and shrink the value of its product. in the end, the cleanest way to defeat an industry built around stealing shared secrets is to stop asking people to carry shared secrets through doors at all.

The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.

watch
The Hidden Internet on YouTube

Every field note starts as a short documentary. Watch the systems in this piece explained on screen.

subscribe →
read on
More field notes

The rest of the series on how the modern internet detects, tracks, and sorts the traffic that reaches it.

browse the archive →