The Criminal Supply Chain That Allure Security Competes Against: 24/7 Support for Scammers

Phishing toolkits come with 24/7 customer support. Allure Security discovered they weren’t fighting hackers—they were competing against illegal SaaS businesses.

Written By: Brett

The support ticket came in at 2 AM. A customer couldn’t get their phishing kit to properly clone a banking login page. Within minutes, a support agent responded with detailed troubleshooting steps. The issue was resolved in under an hour. Customer satisfaction: five stars.

This wasn’t a legitimate SaaS company. This was the criminal underground, operating with better customer service than most Fortune 500 enterprises.

In a recent episode of Category Visionaries, Josh Shaul, CEO of Allure Security, dismantled a myth that persists in cybersecurity circles: the image of lone hackers in hoodies, operating from basements. The reality is far more sophisticated—and far more challenging for defenders.

“These folks are purely profit driven,” Josh explained. “You’ve got criminals all the way up the stack from people that are building tools to help you host a scam website to people that are helping you get traffic into your scam website. They all operate as a supply chain just like any other industry would.”

Modern cybercrime isn’t a collection of individual bad actors. It’s an ecosystem of specialized businesses, each optimizing for growth, retention, and customer success. Just like your company. Except illegal.

The Evolution Nobody Talks About

Twenty years ago, the stereotype was accurate. Hackers were individuals, often motivated by curiosity, notoriety, or activism. They built custom tools, worked alone, and measured success in bragging rights rather than revenue.

That world is gone. “There are still hackers out there that are the hacker that’s doing it for notoriety. You’re the one who’s doing it for some kind of activist cause, but they are the minority by an extreme,” Josh said. “The vast majority of the activity here is organized crime.”

The transformation mirrors legitimate software evolution. In 2005, you built custom infrastructure. In 2025, you buy it as a service. The same industrialization happened in cybercrime, creating a criminal SaaS ecosystem that would make many B2B founders envious.

The Criminal Customer Success Team

The most striking aspect of this evolution is the professionalization of support infrastructure. “A lot of these toolkits that you’ll buy to host like a phishing website, they come with 24/7 customer support,” Josh revealed.

Read that again. Around-the-clock customer support. For criminals.

One article Josh referenced noted that “some of these ransomware groups have better customer support than a lot of Fortune 500 companies in America.” His response: “Oh, totally.”

This isn’t exaggeration—it’s competitive necessity. When your customers are criminals paying for tools to commit fraud, support quality determines market share. A phishing kit that doesn’t work costs the customer money. Bad support means they’ll switch to a competitor’s toolkit.

The criminal supply chain has the same dynamics as legitimate SaaS: customer acquisition costs, lifetime value calculations, churn prevention, and Net Promoter Scores. They probably don’t call it NPS, but they’re measuring the same thing.

The Full Stack

The supply chain specialization goes deep. “You’ve got criminals all the way up the stack from people that are building tools to help you host a scam website to people that are helping you get traffic into your scam website,” Josh explained.

Break this down and you see an entire ecosystem:

Infrastructure Layer: Hosting providers who ask no questions. Domain registration services that ignore abuse complaints. Payment processors that handle transactions until they get shut down, then rebrand.

Platform Layer: Phishing kit developers creating turnkey solutions. Template libraries for cloning legitimate websites. Credential harvesting tools with analytics dashboards showing real-time capture rates.

Distribution Layer: Traffic generation services. Email list providers. Social media automation tools. SEO specialists who optimize phishing sites to rank for brand terms.

Support Layer: Customer success teams. Technical documentation. Video tutorials. Community forums where criminals share best practices.

It’s the same stack a legitimate SaaS company builds. The business model is just illegal.

Why This Changes Everything for Defenders

Traditional security thinking assumes you’re outsmarting individuals. Install better detection. Train users to spot scams. Build higher walls. This works when attackers are isolated actors with limited resources.

It fails completely when attackers operate as businesses with product development cycles, customer feedback loops, and optimization strategies.

“It’s been amazing to see the innovation and techniques,” Josh observed. The criminal ecosystem iterates constantly. New hosting providers emerge when old ones get shut down. New phishing techniques bypass detection systems. New social engineering approaches defeat awareness training.

This is why traditional defenses keep failing despite massive investment. “A lot of money is spent on security awareness training. A lot of money is spent on email security. A lot of attacks are avoided because of security awareness training and email security, and yet we still have a massive tens of billions of dollars a year of security loss problems driven through the problems that email security and security awareness training are supposed to solve,” Josh explained.

His assessment is brutal: “So the products don’t work and they don’t do what they’re supposed to do. They just don’t solve the business problems.”

The mismatch is fundamental. Security awareness training assumes users will make perfect decisions under pressure. Email security assumes it can identify every malicious message. Both approaches optimize for detection accuracy when criminals are optimizing for evasion—with full product teams dedicated to the problem.

The Economics of Adaptation

What makes this supply chain particularly resilient is economic motivation. Criminals aren’t ideologically committed to specific techniques. They’re capital allocators, moving resources to wherever ROI is highest.

“Every change in the business landscape, every new technology, every new consumer trend also turns into a new security trend,” Josh noted. “Like the explosion of cryptocurrency turned into an explosion of crypto security related issues. It never gets boring.”

When crypto prices surged, criminal operations pivoted resources toward crypto-related attacks. When a new social media platform gains users, phishing toolkits add templates for that platform. When businesses adopt new technologies, criminal supply chains develop attack vectors for those technologies.

This is business strategy, not hacking. The criminal ecosystem watches market trends, identifies opportunities, and builds products to exploit them. They have product roadmaps. They do competitive analysis. They optimize conversion funnels.

Allure Security’s Counter-Strategy

Understanding this supply chain professionalization shaped Allure Security’s entire defensive approach. You can’t defeat a sophisticated business operation with static defenses. You need to attack their economics.

When Allure Security detects a phishing site, they don’t just report it. They poison it. “If somebody wants usernames and passwords, if somebody wants credit cards, our software knows how to generate those things and give them to the attacker. So we fill their bucket with data. Data that looks like what they want, data that feels like what they want. But brother, it’s not the data that they want,” Josh explained.

This strategy acknowledges reality: “You just can’t stop people from putting things on the Internet, so the ability to completely eliminate the problem just isn’t there.”

Instead, they make the operation unprofitable. Every fake credential increases cost per valid credential. Every hour spent sorting real from synthetic data reduces operational efficiency. “The idea there is we just want to make their life miserable. We want to break the business model, we want to make it more expensive by far to attack a client that’s protected by Allure Security than to attack a brand that’s not,” Josh said.

This is economic warfare against an economic adversary. When your competition operates with customer success teams and product development cycles, you need equivalent sophistication in your defense.

The Broader Lesson

The professionalization of cybercrime offers uncomfortable lessons for any founder building defensive products. Your competition isn’t who you think it is. They’re not lazy or stupid. They’re not using outdated techniques.

They’re running businesses. Probably well. With customer support that might be better than yours.

“It’s all about always and always will be about the same kind of things. Generally, it’s about money,” Josh explained. “And folks are out there trying to make money, we’re trying to make money running the cybersecurity business here at Allure Security. And there’s other folks who are on the sort of on the hacker fraudster side that are trying to make money running their own business, albeit illegal on that side.”

Strip away the ethical dimension and you’re competing against operators who understand growth, optimization, and customer success. They iterate faster than traditional enterprises. They adopt new technologies quickly. They optimize religiously.

The question for defenders isn’t “how do we build better walls?” It’s “how do we compete against a sophisticated business operation that happens to be illegal?”

Allure Security’s answer: treat it like the business competition it actually is. Understand their economics. Break their business model. Make attacking your clients more expensive than attacking someone else’s.

The criminals treat this as a business. Maybe it’s time all defenders did too.