Cybersecurity researchers at Microsoft have uncovered a massive underground operation called BulletProofLink that offers phishing-as-a-service, or PhaaS, to cyber criminals. With cyber crimes on the rise in recent years, phishing and ransomware attacks have become the go-to methods for most criminals looking to make a quick buck from cyber attacks. While phishing kits are nothing new, the phishing-as-a-service offering is a novelty and is likely to become a serious cause for concern for law-enforcement agencies as it significantly lowers the bar to effective phishing attacks.
Many high-profile phishing attacks have taken place in recent times, including the massive Spear phishing attack last year that launched a huge bitcoin scam on Twitter. Crystal Dynamics, developer of Marvel's Avengers, also warned people of a phishing scam that resulted in many job seekers unknowingly handing over personal information to cyber-criminals for non-existent jobs. Phishers have also launched a number of attacks designed to take advantage of the pandemic. A case in point are the myriad COVID-19-themed emails that spoofed the World Health Organization (WHO) as well as several state and national health agencies, including the British NHS.
According to a blog post from the Microsoft 365 Defender Threat Intelligence Team, BulletProofLink is a large-scale phishing-as-a-service operation that not only sells phishing kits and email templates to facilitate phishing attacks, but also provides hosting and other automated services. Prices start at just $50 for a one-time hosting link and goes up to $800 for the monthly service. The operators behind the service are reportedly offering more than 100 phishing templates that mimic known brands and services and is responsible for many of the phishing attacks that have impacted companies recently.
PhaaS Makes Phishing Easy
Microsoft further says that the managed phishing services make it inordinately easy for attackers to purchase phishing campaigns and deploy them at scale. According to the company, the PhaaS operations are giving rise to new phishing techniques like 'double theft' whereby the stolen credentials are sent to both the phishing-as-a-service operator as well as their customers, helping them monetize their service on multiple fronts. Per the researchers, phishing-as-a-service is similar to ransomware-as-a-service (RaaS), both of which follow the software-as-a-service (SaaS) model. As part of the plan, attackers pay the service provider to develop and deploy phishing campaigns either partly or fully. The services include "false sign-in page development, website hosting, and credential parsing and redistribution." However, unlike RaaS operations, the cyber criminals do not gain access to the victims' devices with PhaaS, but get stolen credentials which may or may not be of any value instead.
Not all PhaaS operators offer the same services to their clients. While some have the wherewithal and capability to offer the whole deal, including template creation, hosting, and overall orchestration, others may only offer some of these services. As for the BulletProofLink group, it is one of the full-service PhaaS operators and claims to have been active since 2018. It operates under various names, including BulletProftLink, BulletProofLink, and Anthrax, and there are even YouTube and Vimeo pages with instructional advertisements. As explained by Microsoft, the group even offers a 10-percent 'welcome discount' on the first order when the customer signs up to the newsletter.
Source: Microsoft