Jump to content
  • Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation

    aum

    • 474 views
    • 3 minutes
     Share


    • 474 views
    • 3 minutes

    Microsoft has opened the lid on a large-scale phishing-as-a-service (PHaaS) operation that's involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal efforts.

     

    "With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today," Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.

     

    "BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators."

     

    The tech giant said it uncovered the operation during its investigation of a credential phishing campaign that used the BulletProofLink phishing kit on either on attacker-controlled sites or sites provided by BulletProofLink as part of their service. The existence of the operation was first made public by OSINT Fans in October 2020.

     

    phishing.jpg

     

    Phishing-as-a-service differs from traditional phishing kits in that unlike the latter, which are sold as one-time payments to gain access to packaged files containing ready-to-use email phishing templates, they are subscription-based and follow a software-as-a-service model, while also expanding on the capabilities to include built-in site hosting, email delivery, and credential theft.

     

    Believed to have been active since at least 2018, BulletProofLink is known to operate an online portal to advertise their toolset for as much as $800 a month and allow cybercrime gangs to register and pay for the service. Customers can also avail of a 10% discount should they opt to subscribe to their newsletter, not to mention pay anywhere between $80 to $100 for credential phishing templates that allow them to steal credentials entered by unsuspected victims upon clicking a malicious URL in the email message.

     

    Troublingly, the stolen credentials are not only sent to the attackers but also to the BulletProofLink operators using a technique called "double theft" in a modus operandi that mirrors the double extortion attacks employed by ransomware gangs.

     

    "With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it," the researchers said. "This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell."

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...