Why PayPal and American Express may be the next hot targets for low-level hackers

January 21, 2020, 10:30 PM UTC

Hackers are going after PayPal and American Express usernames and passwords using a phishing scheme that has previously targeted Amazon and Apple, according to research released Tuesday by security company ZeroFOX.

An operation on the dark web called 16Shop started selling phishing kits that target PayPal and American Express customers this month, ZeroFOX says. The digital tackle boxes, which cost less than $100, include everything a low-level hacker would need to launch a phishing attack against customers of both companies.

“Phishing kits work very similarly to a marketing platform for sending and tracking email,” says Zack Allen, director of threat operations at ZeroFOX. The software marketers use—legally—helps to automate the process of sending email on behalf of the companies by tracking clicks, controlling messaging, shaping content based on your geographic location or Internet browsers, and scheduling marketing campaigns.

The PayPal phishing kit, obtained by ZeroFOX, came with the option of buying additional features, such as customer support, customized templates and automated messages.

“You purchase the software to perform the attack, and some of these kits will reduce the complexity of deploying the attack by streamlining it for the operator,” Allen said.

The phishing kits are just the latest example of how cyber crime and other nefarious tools, such as deepfake video makers, are making complex technology more accessible to the masses.

As the economy moves towards more platform-based capitalism—like buying goods or services through Facebook, Instagram, or Uber, for instance—cyber criminals will follow suit, trying to infiltrate the transactions, says Allen. “We already see this with ransomware-as-a-service and botnets for hire,” he says. “Cyber criminals are now realizing the total addressable market for phishing-as-a-service.”

The news comes as cyber attacks that exploit human weaknesses continue to rise. A 2019 cybercrime study by Accenture said cyber criminals have adapted their attack methods by targeting the human layer—typically the weakest link in cyber defense—increasingly using ransomware, phishing, and social engineering attacks as an entry point. Last year, Kaspersky Labs released a report detailing a rise in phishing attacks in 2018. The security company found that phishing attacks had more than doubled over the previous year.

Last month, the phishing rate across industries was 1 in 10,527 emails, according to Symantec’s monthly threat report, which shows just how prevalent phishing attacks are. However, that number fluctuates—it was 1 in 5,585 the previous month.

With phishing attacks expected to be on the rise this year, Allen said it’s important to remain vigilant when opening email or messages on social networks.

One way to do that is to check the email address link before clicking. Phishing scams often come from addresses that look legitimate, but might have a simple misspelling.

“Delivery mechanisms tend to be via email or social/digital platforms, and give an enticing message or a call-to-action to get you to click a link. The fake domains may contain the brand name to help convince victims of the legitimacy of the website,” said Allen. “Just know that legitimate companies will never ask you for your personal information via these channels.”
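The check described above, automated as an added example (not code from ZeroFOX or the article): it flags sender or link hosts that embed a brand name in a foreign domain or sit within two character edits of it. The allowlist, verdict names and sample addresses are constructed assumptions, and the registrable domain is approximated by the last two labels rather than the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: the brands' real registrable domains, mapped to the brand label.
LEGIT = {"paypal.com": "paypal", "americanexpress.com": "americanexpress"}


def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(value):
    """Extract the host from a URL, an email address, or a bare hostname."""
    value = value.strip().lower()
    if "://" in value:
        # urlsplit ignores userinfo, so "https://paypal.com@host/" yields "host".
        return urlsplit(value).hostname or ""
    if "@" in value:
        return value.rsplit("@", 1)[1]
    return value


def classify(value):
    host = host_of(value).rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive: no Public Suffix List lookup
    if registrable in LEGIT:
        return "legitimate"
    # Brand name embedded in a domain the brand does not own.
    if any(brand in host.replace("-", "") for brand in LEGIT.values()):
        return "brand-in-fake-domain"
    # A label that is a near miss of the brand: the "simple misspelling" case.
    for label in labels:
        if any(0 < edit_distance(label, brand) <= 2 for brand in LEGIT.values()):
            return "misspelling"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples using the reserved .example TLD.
    for sample in ("service@paypal.com", "support@paypa1.example",
                   "https://paypal.com.account-verify.example/login"):
        print(f"{sample:50} {classify(sample)}")
```

A verdict of "unknown" only means the host resembles neither brand; it says nothing about whether the message is safe.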
