Microsoft has opened the lid on a large-scale phishing-as-a-service (PhaaS) operation that is involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal effort.
“With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for most of the phishing campaigns that impact enterprises today,” Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.
“BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.”
The tech giant said it uncovered the operation during its investigation of a credential phishing campaign that used the BulletProofLink phishing kit on either attacker-controlled sites or sites provided by BulletProofLink as part of their service. The existence of the operation was first made public by OSINT Fans in October 2020.
Phishing-as-a-service differs from traditional phishing kits in that, unlike the latter, which are sold as one-time payments to gain access to packaged files containing ready-to-use email phishing templates, PhaaS offerings are subscription-based and follow a software-as-a-service model, while also expanding on the capabilities to include built-in site hosting, email delivery, and credential theft.
Believed to have been active since at least 2018, BulletProofLink is known to operate an online portal to advertise their toolset for as much as $800 a month and allow cybercrime gangs to register and pay for the service. Customers can also avail of a 10% discount should they opt to subscribe to their newsletter, not to mention pay anywhere between $80 and $100 for credential phishing templates that allow them to steal credentials entered by unsuspecting victims upon clicking a malicious URL in the email message.
Troublingly, the stolen credentials are not only sent to the attackers but also to the BulletProofLink operators using a technique called “double theft” in a modus operandi that mirrors the double extortion attacks employed by ransomware gangs.
“With phishing kits, it’s trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit doesn’t alter the code to remove it,” the researchers said. “This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.”