Microsoft researchers have described a large phishing-as-a-service (PhaaS) operation that not only sells phishing kits and email templates but also provides criminals with hosting and other automated services. Microsoft researchers wrote: ‘In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains – over 300,000 in a single run.’
The Microsoft 365 Defender Threat Intelligence team reported that 100 phishing templates mimicking known brands and services are available, and that the BulletProofLink operation is responsible for many of the phishing campaigns affecting businesses today.
BulletProofLink, also known as Anthrax, advertises through an online portal as well as various websites, ads and other promotional materials, where customers register by paying a fee of $800. Once the payment is confirmed, the operators handle everything needed to deploy a campaign with minimal effort. The service has been active since at least 2018.
According to Microsoft, BulletProofLink operators not only deliver stolen credentials to their subscribers but also keep a copy of those credentials for themselves, a ‘double theft’ tactic that boosts their profits. These credentials are later sold on underground marketplaces.
The operators use a technique Microsoft calls ‘infinite subdomain abuse’, which lets attackers assign a unique URL to each phishing recipient. OSINT Fans published a detailed post revealing some of the operation’s inner workings; it claimed that the BulletProftLink ICQ group chat had 1,618 members in 2020.
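The unique-URL-per-recipient pattern leaves a measurable trace in web proxy or DNS logs: one parent domain suddenly produces many subdomains that are each seen only once. The following detection is an added example, not code from Microsoft or the article; it assumes a constructed log format of `timestamp user method url` and approximates the registered domain by its last two labels.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the Microsoft report). The first
# four requests show one hostname per recipient under the same parent domain.
SAMPLE_LOG = """\
2021-09-22T10:01:02Z user1 GET http://a1b2c3.login-portal.example/verify
2021-09-22T10:01:05Z user2 GET http://d4e5f6.login-portal.example/verify
2021-09-22T10:01:09Z user3 GET http://g7h8i9.login-portal.example/verify
2021-09-22T10:01:12Z user4 GET http://j0k1l2.login-portal.example/verify
2021-09-22T10:01:20Z user1 GET https://www.intranet.example/home
2021-09-22T10:01:25Z user2 GET https://mail.intranet.example/inbox
2021-09-22T10:01:30Z user3 GET https://www.intranet.example/home
"""

def registered_domain(host: str) -> str:
    # Assumption: the last two labels are the registrable domain. Production
    # code should use the Public Suffix List (this heuristic breaks on co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def subdomain_stats(log_lines):
    """Per registered domain: request count and the set of distinct hostnames."""
    stats = defaultdict(lambda: {"requests": 0, "hosts": set()})
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the pipeline
        host = urlsplit(parts[3]).hostname
        if not host:
            continue
        entry = stats[registered_domain(host)]
        entry["requests"] += 1
        entry["hosts"].add(host)
    return stats

def flag_infinite_subdomains(log_lines, min_hosts=4, min_unique_ratio=0.9):
    """Flag domains where almost every request hits a never-repeated hostname."""
    flagged = []
    for domain, s in subdomain_stats(log_lines).items():
        distinct = len(s["hosts"])
        if distinct >= min_hosts and distinct / s["requests"] >= min_unique_ratio:
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_infinite_subdomains(SAMPLE_LOG.splitlines()))
```

Thresholds are deliberately low for the tiny sample; on real traffic, tune `min_hosts` against the per-domain baseline so legitimate CDN or tenant-per-subdomain services do not trip the rule.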
PHaaS is similar to ransomware-as-a-service (RaaS), both following the software-as-a-service (SaaS) model.
“The phishing campaign also impersonated (albeit poorly) the Microsoft logo and branding. The impersonation technique used solid colors for the logo, which may have been done intentionally to bypass detection of the Microsoft logo’s four distinct colors. It is worth noting that later iterations of the campaign have switched to using the four colors in the Microsoft logo,” reads the blog post.
Unlike traditional phishing kits, which are sold as one-time payments to gain access to packaged files containing ready-to-use email phishing templates, phishing-as-a-service is subscription-based and follows a software-as-a-service model, while also expanding on the capabilities to include built-in site hosting, email delivery and credential theft.
“To build resilience against phishing attacks in general, organizations can use anti-phishing policies to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. Enabling SafeLinks ensures real-time protection by scanning at time of delivery and at time of click,” reads the blog post.
Last year, the FBI warned that BEC scammers were exploiting email auto-forwarding and cloud email services like Google G Suite and Microsoft Office 365 to steal confidential information from victims.
Cyberworkx news readers can find the IOCs of this phishing campaign here.