There's a new dangerous 'phishing as a service' enterprise, warns Microsoft

Microsoft 365 Defender Threat Intelligence Team warns against a new dangerous ‘phishing as a service’ (PhaaS) criminal enterprise called BulletProofLink.

The tech company disclosed details of the large-scale phishing operation, which it uncovered while investigating recent campaigns against businesses.

According to the investigation, BulletProofLink allegedly hosts and distributes tools and services that its customers can use for their own phishing campaigns.

BulletProofLink follows the subscription model of legitimate software-as-a-service businesses. But, according to Microsoft, BulletProofLink engages in the end-to-end development and distribution of tools to run different phishing campaigns.

“In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run. This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign,” says Microsoft.

These services include tools for creating false sign-in pages, credential redistribution, and web hosting.

Standard phishing kits offer email and site templates that require a one-off payment only. However, this ‘phishing as a service’ or PhaaS is a subscription-based model that offers these services as a baseline.

Customers can opt for additional services in a modular way. These include email delivery, credential theft, site hosting, and other services that automatically redistribute the stolen credentials to customers.

How does BulletProofLink do its business?

BulletProofLink’s clients use these services to harvest user credentials rather than to distribute malware or ransomware strains.

Additionally, the operators keep a copy of the credentials that customers steal through their campaigns. These copies are also resold at a later stage.

“It’s worth noting that some PhaaS groups may offer the whole deal – from template creation, hosting, and overall orchestration, making it an enticing business model for their clientele,” said the Microsoft 365 Defender threat intelligence team.

“These phishing service providers host the links and pages and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware operations, attackers do not gain access to devices directly and instead simply receive untested stolen credentials.”

Researchers from Microsoft dug deep into BulletProofLink’s templates, services, as well as pricing structures, which apparently have been active since 2018.

The operators also maintain several sites under aliases including BulletProftLink and Anthrax, alongside YouTube and Vimeo pages with instructional ads, and promotional content hosted on external forums.

The operation attempts to copy the behavior of legitimate businesses, with registration and sign-in pages and an online store, which can be used by other hackers to advertise their own services at a monthly subscription fee.

Furthermore, the group even offers a 10% welcome discount for customers who subscribe to BulletProofLink’s newsletter.

BulletProofLink’s monthly services range from $50 to $800, with most of the fees paid using Bitcoin. Also, the operators offer customer service support to both new and existing clients.
