Cybercrime goes plug and play with voice fraud-as-a-service platform

A newly discovered criminal toolkit is enabling fraudsters to run sophisticated, large-scale phone scams almost entirely on autopilot.
The platform, known as ATHR, combines fake emails with AI-generated phone calls to trick victims into handing over login credentials for some of the world’s most widely used services, including Google, Microsoft, and major cryptocurrency exchanges.
According to researchers, the commoditized platform, which combines AI voice agents, credential harvesting tools, phishing email templates, and browser-based call handling into a single service, is being marketed on cybercrime forums for $4,000 upfront, plus 10% of any profits generated.
Abnormal Security’s Aaron Orchard, Callie Baron, and Piotr Wojtyla, who tracked and detailed the new platform in a blog, said that instead of relying on typical malicious links or infected attachments, this telephone-oriented attack delivery – known as TOAD – takes a different route.
Attackers email a target with what looks like a legitimate security notice or account alert containing nothing more than a phone number. Once the victim calls, they are guided into revealing passwords, installing remote-access software, or handing over verification codes.
“The lure email contains a phone number, not a malicious URL. There are no payloads to detonate and no suspicious domains to blocklist,” Abnormal said.
Because the original email often lacks suspicious links or technical indicators, these scams can be harder for conventional security tools to detect.
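For defenders, the lure shape described above (a phone number, no links, no attachments) can itself be treated as a signal. The following is an added example, not code from Abnormal's report or this article; the regexes, signal names, three-signal threshold and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the article names as ATHR phishing-panel targets, with their real domains.
BRANDS = {"coinbase": "coinbase.com", "binance": "binance.com", "google": "google.com",
          "microsoft": "microsoft.com", "yahoo": "yahoo.com", "aol": "aol.com"}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Assumption: North American number formats; extend for other regions.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.I)
ALERT_RE = re.compile(r"\b(security|unauthori[sz]ed|suspicious|verify|locked)\b", re.I)

def toad_signals(raw):
    """Return the callback-phishing signals present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in leaves if p.get_content_maintype() == "text")
    has_attachment = any(p.get_filename() or p.get_content_maintype() != "text"
                         for p in leaves)
    sender = msg.get("From", "")
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    text = f"{sender}\n{msg.get('Subject', '')}\n{body}"
    signals = []
    # Core TOAD shape: a number to call, and nothing for URL or file scanners to inspect.
    if PHONE_RE.search(body) and not URL_RE.search(body) and not has_attachment:
        signals.append("phone_only")
    if CALL_RE.search(body):
        signals.append("call_prompt")
    if ALERT_RE.search(text):
        signals.append("alert_language")
    # Brand named in the message but sent from a domain that brand does not own.
    if any(b in text.lower() and domain != d and not domain.endswith("." + d)
           for b, d in BRANDS.items()):
        signals.append("brand_mismatch")
    return signals

def is_toad_candidate(raw):
    """Flag for review only when the phone-only shape is backed by two more signals."""
    s = toad_signals(raw)
    return "phone_only" in s and len(s) >= 3

# Constructed sample messages (fictional 555-01xx numbers, .example domains).
LURE = ("From: Google Security <alerts@account-notice.example>\nSubject: Suspicious sign-in\n\n"
        "We blocked an unauthorized login. Call (888) 555-0142 to secure your account.\n")
BENIGN = ("From: Dana <dana@corp.example>\nSubject: Lunch\n\n"
          "Running late, call me at 888-555-0199 when you arrive.\n")
```

Requiring corroborating signals keeps ordinary mail that happens to contain a phone number, such as the constructed `BENIGN` message, out of the review queue.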
Vishing-in-a-box
According to Abnormal, ATHR brings together every stage of the fraud chain in one interface. Operators can send phishing emails, receive callbacks, manage credential harvesting pages, and track campaigns through a live dashboard.
The researchers noted that the platform runs on the legitimate open-source telephone engine Asterisk and WebRTC (which allows web browsers to handle voice, video, and data directly without plugins), enabling calls to be managed entirely through a browser.
Abnormal Security said the integrated design meant that “a single person can manage the full attack chain from a browser” rather than having to use multiple tools and trained operators.
AI voice agents
Researchers identified ATHR’s AI vishing system as one of its most worrying features. They claim it uses scripted voice agents that guide victims through fake security scenarios – confirming suspicious account activity, claiming recovery steps are needed, and eventually requesting six-digit security codes.
“This is what separates ATHR from earlier callback infrastructure,” Abnormal says.
“Previous platforms required trained human callers. ATHR automates the entire interaction, allowing a single operator to run campaigns across multiple brands simultaneously without scaling headcount.”
Real-time credential theft
The report says ATHR also includes phishing panels for brands such as Coinbase, Binance, Google, Microsoft, Yahoo, and AOL.
During calls, operators can watch victims progress through fake login pages in real time, redirect them between pages, and capture submitted usernames and passwords instantly.
Researchers said the platform allows scammers to synchronize the voice conversation with the phishing site, creating a more convincing experience.
“An operator who sees a low callback rate can adjust the lure template, change the sender profile, or refine the personalization fields, and then immediately observe whether the next batch of emails generates more calls.”
Abnormal Security researchers, ATHR report.
The rise of platforms like ATHR highlights the growing commoditization of cybercrime, where advanced fraud tools are packaged and sold like legitimate software services.
Lucy Finlay, director of secure behavior and analytics at Redflags, believes this trend represents a serious escalation.
“What we are seeing is the complete commercialization of social engineering. The moment you remove that constraint and replace it with an AI voice agent, you’re no longer dealing with targeted scams – you’re dealing with scalable infrastructure for mass manipulation.”
Real-time vishing kits have already been linked to major intrusions. In January, Okta reported that tools allegedly used by ShinyHunters were deployed in an operation targeting SoundCloud, Betterment and Crunchbase, alongside attempted attacks on Okta, Microsoft and Google, although the company stopped short of publicly releasing full indicators of compromise, reserving that intelligence for paying customers only.