How Is Chinese Phishing-as-a-Service Bypassing Modern MFA?

Malik Haidar has spent the better part of two decades on the front lines of corporate defense, acting as a bridge between high-level security analytics and the pragmatic realities of global business operations. His career has been defined by a deep-seated commitment to unmasking the mechanical intricacies of cybercriminal syndicates, moving beyond simple detection to understand the underlying business models that drive modern threats. Today, he brings his extensive background in intelligence and security to bear on a rapidly evolving crisis: the industrialization of phishing services. As these operations transition from amateurish attempts into sophisticated, real-time engines of theft, Malik’s insights provide a critical roadmap for navigating a landscape where the traditional rules of engagement no longer apply.

The discussion explores the technological leap from static credential harvesting to live interception, where attackers now engage with victims in real time to bypass modern security protocols. We delve into how these syndicates are weaponizing encrypted messaging services like RCS and iMessage to circumvent traditional filters and how the integration of artificial intelligence is making phishing pages nearly indistinguishable from legitimate corporate sites. Malik also highlights the broader ecosystem of “crime-in-a-box” services, where stolen data is funneled into digital wallets and wire fraud, and the surprising lack of operational security among those who flaunt their illicit wealth on public platforms.

How has the shift toward live administration panels fundamentally altered the way attackers interact with their victims during a phishing attempt?

The shift we are seeing is essentially the transition from a “set-and-forget” model to a high-speed, interactive operation. In the past, a criminal would host a static page, wait for someone to type in a password, and then harvest that data hours or even days later. Now, with live administration panels, the attacker is literally sitting on the other side of the screen in a digital waiting room. The moment a victim enters their credentials, the data flashes onto the attacker’s dashboard in real time, creating a tense, high-stakes window for exploitation. It’s a sensory experience for the criminal—watching the “live” status of a victim—and it allows them to trigger OTP requests on their own devices at that exact second. By the time the victim sees the code on their phone and enters it into the fake site, the attacker has already used it to finalize the breach.
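The timing window described in that answer is easiest to reason about with a model. The following Python is an added illustration, not code from the interview, from any PhaaS kit, or from any bank: it models a password-plus-OTP login as a toy server, replays the relay sequence against it (operator submits the captured password, the victim receives a genuine code, the operator forwards it inside the validity window), and then runs the same relay against a simplified origin-bound challenge, where the authenticator's response covers the origin the browser is actually on. The user record, device key, origins and the 60-second OTP lifetime are all constructed assumptions; the origin-bound flow is a deliberately simplified stand-in for a WebAuthn-style authenticator, not an implementation of that specification.

```python
"""Constructed model of a real-time OTP relay versus an origin-bound challenge.
Added illustration only; the bank classes, user record and origins are made up."""
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 60                         # assumed code lifetime
BANK_ORIGIN = "https://bank.example"         # assumed legitimate origin
PHISH_ORIGIN = "https://bank-login.example"  # placeholder lure origin, constructed

# Constructed victim record: a password for the OTP flow, a per-device key for the bound flow.
USERS = {"alice": {"password": "correct horse", "key": b"device-key-0001"}}


class OtpBank:
    """Password + SMS-style OTP. A code is accepted from whoever presents it before expiry;
    nothing ties the code to the page the victim typed it into."""

    def __init__(self):
        self._pending = {}  # username -> (code, issued_at)

    def step1_password(self, username, password, now):
        """Returns the code 'sent' to the user's phone, or None on a bad password."""
        if username not in USERS or password != USERS[username]["password"]:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (code, now)
        return code

    def step2_otp(self, username, code, now):
        """Accepts the code from any session that presents it before expiry."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        real_code, issued = pending
        if now - issued > OTP_TTL_SECONDS or not hmac.compare_digest(real_code, code):
            return False
        del self._pending[username]
        return True


def relay_attack_against_otp(bank, username, password, now):
    """The sequence from the interview: the operator submits the captured password to the
    real bank, the victim receives a genuine code and types it into the lure, and the
    operator forwards it well inside the validity window (15 s later here)."""
    code_shown_to_victim = bank.step1_password(username, password, now)
    if code_shown_to_victim is None:
        return False
    return bank.step2_otp(username, code_shown_to_victim, now + 15)


def authenticator_sign(key, challenge, origin):
    """Simplified stand-in for an origin-bound authenticator: the MAC covers the origin the
    browser is actually talking to, so a response cannot be moved between sites."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class OriginBoundBank:
    """Challenge-response login that only accepts responses computed over BANK_ORIGIN."""

    def __init__(self):
        self._challenges = {}  # username -> outstanding challenge

    def start(self, username):
        challenge = secrets.token_hex(16)
        self._challenges[username] = challenge
        return challenge

    def finish(self, username, signature):
        challenge = self._challenges.pop(username, None)
        if challenge is None or username not in USERS:
            return False
        expected = authenticator_sign(USERS[username]["key"], challenge, BANK_ORIGIN)
        return hmac.compare_digest(expected, signature)


def legitimate_origin_bound_login(bank, username):
    """The user is on the real site, so the response is computed over BANK_ORIGIN."""
    challenge = bank.start(username)
    signature = authenticator_sign(USERS[username]["key"], challenge, BANK_ORIGIN)
    return bank.finish(username, signature)


def relay_attack_against_origin_bound(bank, username):
    """Same relay shape: the operator fetches a challenge from the real bank and shows it on
    the lure. The victim's authenticator responds for the origin it sees, the lure, so the
    bank's recomputation over BANK_ORIGIN does not match and the login is rejected."""
    challenge = bank.start(username)
    relayed = authenticator_sign(USERS[username]["key"], challenge, PHISH_ORIGIN)
    return bank.finish(username, relayed)


if __name__ == "__main__":
    print("OTP relay succeeds:", relay_attack_against_otp(OtpBank(), "alice", "correct horse", 1000))
    print("Origin-bound relay succeeds:", relay_attack_against_origin_bound(OriginBoundBank(), "alice"))
```

The point the model makes is that the OTP server has no way to tell the forwarded code from one typed on its own page, because the code carries no information about where it was entered; shortening the lifetime only narrows a window that a live operator already closes in seconds. The origin-bound variant fails the relay not because the operator is slower but because the response itself names the wrong site.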

Why are we seeing such a massive transition away from standard SMS toward end-to-end encrypted protocols like RCS and iMessage for delivering these malicious lures?

Traditional SMS has become a bit of a minefield for attackers because telecommunications providers have spent years perfecting infrastructure-level filters that can sniff out malicious links. By moving to Apple’s iMessage or the Rich Communication Services protocol, attackers are effectively hiding their payloads inside an encrypted tunnel that the carriers can’t see into. This lack of visibility is a huge advantage, but there is also a psychological component to it. These protocols support rich media, typing indicators, and read receipts, which lend an air of legitimacy and “corporate polish” to the message that a plain text SMS just can’t match. When a victim sees a high-resolution logo and a professional-looking interface, their guard drops, and they are much more likely to click through to the malicious destination.

Could you explain the process by which these operators are now neutralizing multifactor authentication and monetizing stolen data through digital wallets?

Multi-factor authentication was once considered the gold standard of defense, but these Chinese-language services have turned it into a mere speed bump. Once they capture those real-time credentials and the one-time passcode, the goal immediately shifts to “provisioning” the victim’s payment cards into a digital wallet on the attacker’s own phone. They aren’t just stealing a number; they are essentially cloning the victim’s financial identity into a device they control. This allows for high-value transactions, contactless payments, and even ATM withdrawals, all while the victim is still trying to figure out why their initial login didn’t work. It is a cold, calculated orchestration of wire fraud and stock manipulation that happens in the blink of an eye.

In what ways is artificial intelligence being utilized to generate unique phishing pages that can bypass traditional signature-based detection?

We are seeing platforms like Darcula, which is linked to the threat actor known as UNC5814, move away from static templates entirely in favor of AI-powered orchestration. Instead of having a single “fake bank” page that a security filter can recognize and block, they use AI to clone legitimate websites on the fly, replicating every piece of HTML, CSS, and JavaScript. Because the AI can slightly alter the underlying code for every single victim, each generated page looks unique to a security scanner, effectively rendering signature-based detection obsolete. It’s a game of digital mirrors where the visual elements are perfect, the branding is flawless, and the detection tools are left chasing ghosts because the “fingerprint” of the attack is constantly changing.
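The detection problem in that answer, that every victim gets a slightly different page, is concrete enough to show in code. The Python below is an added example, not code from the interview and not a captured Darcula or UNC5814 page: the two HTML variants and the benign page are constructed by hand to mimic per-victim mutation (renamed CSS classes, different whitespace, an injected comment, a different script body, different form action and field names). It computes a byte-exact hash, which differs between the variants, and then a structural fingerprint built from the tag sequence plus the few attributes that define a login form's shape, which stays the same. The fingerprinting scheme is an illustrative choice of this example, not a description of any vendor's product.

```python
"""Constructed demonstration: exact-match signatures versus a structural fingerprint
for lure pages that are re-generated per victim. Added illustration; all HTML is made up."""
import hashlib
from html.parser import HTMLParser

# Two constructed lure variants with the same form structure but cosmetic differences.
VARIANT_A = """<html><head><title>Secure Login</title><style>.a1{color:#333}</style></head>
<body><div class="a1"><img src="/logo.png"><form action="/s" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button></form></div>
<script>var t=1;</script></body></html>"""

VARIANT_B = """<html>
  <head><title>Secure Login</title><style>.zq9{color:#333}</style></head>
  <!-- build 7731 -->
  <body><div class="zq9"><img src="/img/brand.png">
    <form action="/verify" method="POST">
      <input name="email"><input name="pw" type="password">
      <button>Sign in</button>
    </form></div>
    <script>var k=2;k++;</script>
  </body>
</html>"""

# A constructed unrelated page that must not match either lure.
BENIGN_PAGE = """<html><head><title>Status</title></head><body><h1>All systems go</h1>
<form action="/search" method="get"><input name="q"><button>Go</button></form></body></html>"""


class SkeletonParser(HTMLParser):
    """Keeps the tag sequence plus the attributes that define a form's shape (input type,
    form method). Text, comments, script and style bodies, class names, ids, field names
    and URLs are dropped, so cosmetic rewrites do not change the result."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        token = tag
        if tag == "input":
            token += ":" + (attributes.get("type") or "text").lower()
        elif tag == "form":
            token += ":" + (attributes.get("method") or "get").lower()
        self.tokens.append(token)

    def handle_endtag(self, tag):
        self.tokens.append("/" + tag)


def exact_signature(html):
    """Byte-exact hash: what a naive signature feed would store and match on."""
    return hashlib.sha256(html.encode()).hexdigest()


def skeleton_signature(html):
    """Hash of the structural skeleton produced by SkeletonParser."""
    parser = SkeletonParser()
    parser.feed(html)
    parser.close()
    return hashlib.sha256(" ".join(parser.tokens).encode()).hexdigest()


def matches_known_kit(html, known_skeletons):
    """True when the page's skeleton is in a set of skeletons seen on earlier lures."""
    return skeleton_signature(html) in known_skeletons


if __name__ == "__main__":
    known = {skeleton_signature(VARIANT_A)}
    print("exact hashes equal:", exact_signature(VARIANT_A) == exact_signature(VARIANT_B))
    print("variant B matches by skeleton:", matches_known_kit(VARIANT_B, known))
    print("benign page matches by skeleton:", matches_known_kit(BENIGN_PAGE, known))
```

Two caveats for anyone tempted to lean on this. A kit that also reshuffles the DOM (wrapping elements in extra divs, splitting the form, moving the script) will change the skeleton too, so structural hashes buy a wider net rather than a permanent one; in practice they are one signal alongside domain age, certificate data, and where the form actually posts its data. And a skeleton match on a page that clones a legitimate site will, by construction, also match the legitimate site, so the check belongs on the hosting domain, not on the brand being imitated.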

What does the blatant lack of operational security among some of these high-level operators tell us about the current state of the cybercriminal ecosystem?

There is a staggering level of arrogance in the Chinese phishing-as-a-service landscape right now. While Google observed at least a dozen active offerings in the underground, many of these individuals aren’t hiding in the shadows; they are actively advertising on Telegram and posting photos of luxury cars and high-end lifestyles. This lack of OpSec suggests they feel almost untouchable, likely because they are focusing their attacks on non-Chinese entities in Japan, the US, and the UAE to avoid domestic law enforcement pressure. They are operating like legitimate software companies, offering full suites of criminal services from domain registration to money laundering, and they are doing it with a level of visibility that would have been unthinkable a decade ago. It highlights a professionalized, industrial-scale market where the rewards are so high that the fear of consequences has seemingly taken a backseat.

What is your forecast for the future of Phishing-as-a-Service?

I believe we are entering an era of “Deepfake Phishing” where the interactivity we see in live admin panels today will be merged with real-time video and audio generation. Within the next year or two, the 12 or more major PhaaS platforms will likely offer services that can generate a real-time voice or video call from a “bank representative” to guide a victim through the OTP process they just triggered. We will see an even greater reliance on automated browser tools that can perform account takeovers in milliseconds, leaving human defenders and even most automated systems unable to react in time. The barrier to entry for high-level cybercrime will continue to drop, meaning we will face a higher volume of attacks that are significantly more convincing and harder to trace than anything we have encountered to date.
