Microsoft recently discovered a massive phishing-as-a-service operation called BulletProofLink, which provides phishing kits, email templates, hosting, and several other tools. It also explained how new cybercriminals could get into the business.
Microsoft’s team unearthed a large-scale, well-structured, and complex PhaaS (phishing-as-a-service) operation. The platform’s users are able to customize campaigns and create their own phishing schemes. Furthermore, the PhaaS platform provides its customers with everything they need to launch attacks: phishing kits, email templates, and hosting services.
According to Microsoft’s post, researchers discovered the operation, marketed as BulletProofLink, when they detected a large volume of newly created and unique subdomains (over 300,000 in a single run).
“This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign,” researchers wrote.
The BulletProofLink operation offers more than 100 phishing templates that impersonate big brands and services and is responsible for many of the phishing campaigns that hit companies today.
Phishing-as-a-Service – A Full-Scale Phishing Facilitator
BulletProofLink or Anthrax is a starting point for people with no significant resources to get into the phishing scene.
“According to the group’s About Us web page, the BulletProofLink PhaaS group has been active since 2018 and proudly boasts of their unique services for every ‘dedicated spammer,’” Microsoft said.
“The operators maintain multiple sites under their aliases, BulletProftLink, BulletProofLink, and Anthrax, including YouTube and Vimeo pages with instructional advertisements as well as promotional materials on forums and other sites. In many of these cases, and in ICQ chat logs posted by the operator, customers refer to the group as the aliases interchangeably.”
While some time ago, cybercriminals who wanted to launch phishing attacks had to create phishing emails and impersonate brands or people on their own, “the phishing landscape has evolved its own service-based economy,” researchers said. Now bad guys wannabe can just buy all the resources they need to launch phishing attacks without putting in too much time or effort, researchers said.
The platform offers its future phishers two essential tools to get into the phishing business: phishing kits and phishing-as-a-service. Microsoft explained what each of these is:
- Phish kits: Refers to kits that are sold on a one-time sale basis from phishing kit sellers and resellers. These are packaged files, usually a ZIP file, that come with ready-to-use email phishing templates designed to evade detection and are often accompanied by a portal with which to access them. Phish kits allow customers to set up the websites and purchase the domain names. Alternatives to phishing site templates or kits also include templates for the emails themselves, which customers can customize and configure for delivery. One example of a known phish kit is the MIRCBOOT phish kit.
- Phishing-as-a-service: Similar to ransomware-as-a-service (RaaS), phishing-as-a-service follows the software-as-a-service model, which requires attackers to pay an operator to wholly develop and deploy large portions or complete phishing campaigns from false sign-in page development, website hosting, and credential parsing and redistribution. BulletProofLink is an example of a phishing-as-a-service (PhaaS) operation.
A Deeper Dive Into Phishing-as-a-Service
Researchers analyzed BulletProofLink’s PhaaS operation in detail to discover how the cybercriminal group managed to create such a complex network of phishers.
The cybercriminal group explains on an “About Us” page on its website the services it offers, including the sale of a “unique scam page” as well as a monthly subscription service to set up a customer’s phishing campaign. Additionally, the group hosts various sites to cater to its customers, such as an online store where users can register, sign in and advertise their hosted service for monthly subscriptions.
Researchers added that the monthly service subscription costs $800, while other services cost approximately $50 for a one-time hosting link, with Bitcoin being a standard payment method on the BulletProofLink site.
“Just like any other service, the group even boasts of a 10% welcome discount on customers’ orders when they subscribe to their newsletter”.
BulletProofLink uses the phishing-as-a-service similarly to the RaaS model’s technique of double extortion, researchers noted.
In a ransomware attack, this strategy usually involves hackers stealing and publishing data in addition to encrypting them to put force organizations to pay the ransom, they added.
“We have observed this same workflow in the economy of stolen credentials in phishing-as-a-service. With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.”
“In both ransomware and phishing, the operators supplying resources to facilitate attacks maximize monetization by assuring stolen data, access, and credentials are put to use in as many ways as possible. Additionally, victims’ credentials are also likely to end up in the underground economy. For a relatively simple service, the return of investment offers considerable motivation as far as the email threat landscape goes,” researchers concluded.