On September 21, Microsoft’s security team announced that it has discovered a huge operation that delivers phishing services to cybercrime gangs via a hosting-like infrastructure that the OS maker equated to a Phishing-as-a-Service (PHaaS) model.
The service, known as BulletProofLink, or Anthrax, is now being promoted on underground cybercrime forums.
The service is an extension of “phishing kits,” which are bundles of phishing websites and templates that mimic the login forms of well-known firms.
BulletProofLink takes this to the next level by including built-in hosting and email-sending capabilities.
Customers pay an $800 charge to register on the BulletProofLink site, and the BulletProofLink administrators manage everything else.
The service includes setting up a web page to host the phishing site, installing the phishing template itself, configuring the domains (URLs) for the phishing sites, sending the actual phishing emails to the desired victims, collecting credentials from the attacks, and then delivering the stolen logins to the “paying customers” at the end of the week.
If criminal networks wish to change their phishing templates, the BulletProofLink group runs a separate marketplace where threat actors can buy new templates to use in their attacks for $80 to $100 per template.
According to The Record, there are approximately 120 distinct phishing templates accessible on the BulletProofLink shop now.
As per Microsoft, this method is gaining popularity among phishing attackers because:
- It removes the need for an attacker to acquire large collections of single-use domains.
- It enables phishing operators to maximise the number of unique domains available to them by establishing dynamically created subdomains as a prefix to the base domain for every email.
- The generation of unique URLs presents a challenge to mitigation and detection systems that depend only on exact domain and URL matching.
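One way a defender can surface the per-email subdomain churn described above, as an added example that is not from Microsoft's report: count the distinct hosts seen under each registrable base domain in gateway logs and flag base domains whose fan-out exceeds a threshold. The log lines, domain names and threshold below are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy/mail-gateway log lines (not real indicators): "<timestamp> <url>".
SAMPLE_LOG = """\
2021-09-21T10:00:01 https://a7f3k2.login-portal.example/verify
2021-09-21T10:00:04 https://q9z1mp.login-portal.example/verify
2021-09-21T10:00:09 https://x4c8vb.login-portal.example/verify
2021-09-21T10:00:15 https://mail.login-portal.example/verify
2021-09-21T10:01:02 https://www.corp-intranet.example/home
2021-09-21T10:01:30 https://www.corp-intranet.example/home
"""


def registered_domain(host):
    """Approximate the registrable base domain as the last two labels.
    Assumption: a production deployment would consult a public suffix list
    instead, so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def subdomain_fanout(log_text):
    """Map each base domain to the set of distinct hostnames observed under it."""
    hosts_by_base = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash the pass
        host = urlsplit(parts[1]).hostname
        if host:
            hosts_by_base[registered_domain(host)].add(host)
    return dict(hosts_by_base)


def flag_high_fanout(log_text, threshold=3):
    """Return base domains with at least `threshold` distinct hosts, sorted.
    Exact-match blocklists miss a fresh subdomain per email; grouping by base
    domain makes the churn itself the signal. Threshold is an assumed value."""
    return sorted(base for base, hosts in subdomain_fanout(log_text).items()
                  if len(hosts) >= threshold)


if __name__ == "__main__":
    print(flag_high_fanout(SAMPLE_LOG))  # ['login-portal.example']
```

Base domains that are legitimately wide (cloud providers, CDNs) will also trip a naive count, so in practice the flagged list is a triage queue rather than an automatic block.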
In addition, the website provides tutorials to help customers use the service.
However, Microsoft researchers discovered that the operators have also been double-dipping against their own clients by keeping copies of all harvested credentials, which the group is suspected of monetizing later by selling them on underground markets.
Microsoft summed up the whole operation as technically sophisticated, noting that the group frequently hosts its phishing pages on compromised websites.
In certain cases, the BulletProofLink gang was seen manipulating the DNS records of compromised sites to create subdomains on trustworthy sites to host phishing pages.
Placing the BulletProofLink PHaaS in context, Microsoft stated: “In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run.”