Microsoft analyzes the phishing operation as a service


Anti-phishing, DMARC, Cybercrime, Cybercrime as-a-service

Researchers say BulletProofLink subscription offers many services

Doug Olenick (Doug Olenick) •
September 22, 2021

BulletProofLink’s “About Us” page provides potential customers with an overview of its services. (Source: Microsoft)

Microsoft Security released a detailed report on Tuesday report on a massive phishing-as-a-service operation called BulletProofLink which offered all the tools needed to run a campaign as a subscription.

See also: Live Webinar | Lock in the hybrid workforce with XDR

The Phishing-as-a-Service, or PHaaS, model differs from the phishing kits that many gangs have used in that it is larger and handles many small details that might confuse a less tech-savvy attacker.

“It should be noted that some PhaaS groups may offer the entire offering – from model building to hosting and overall orchestration, which makes it an attractive business model for their clientele,” explains l Microsoft 365 Defender Threat Intelligence team.

The breadth of services offered is the main differentiator between the kits and the subscription model.

Comparison of features between phishing kits and phishing-as-a-service (Source: Microsoft)

“At the time of writing, BulletProofLink continues to run active phishing campaigns, with high volumes of redirects to their password processing links from legitimate web hosting providers. In the next section, we are describing such a campaign, ”Microsoft said.

Explode BulletProofLink

BulletProofLink has been operating since 2018 under various names, including BulletProftLink and Anthrax, and operates instructional sites on YouTube and Vimeo, according to Microsoft. The gang operates like a legitimate business, offering chat support and even a 10% discount for new customers.

“BulletProofLink additionally hosts several sites, including an online store where they allow their customers to sign up, login and publish their hosted service for monthly subscriptions,” Microsoft said.

BulletProofLink offers customers over 100 email templates to choose from, according to Microsoft, well-known logos and brands for social engineering purposes. It indicates that the “customers” buy the pages, send the emails, and are responsible for collecting the stolen credentials, using either their landing pages or those provided by BulletProofLink.

“The templates are designed to escape detection during a successful phishing for credentials, but may vary depending on the individual buyer,” Microsoft explains. “

The PHaaS provider makes sure every campaign looks different but, Microsoft notes, the code, PHP password processing sites, and hosting infrastructure all correlate with BulletProofLink.

BulletProofLink offers a menu of services, all with corresponding fees, and a monthly subscription to the service can cost $ 800, according to Microsoft. Other services cost around $ 50 for a single hosting link, he adds.

Bitcoin is a popular payment method accepted on the BulletProofLink site, and communication with customers is typically handled through Skype, ICQ, forums, and chat rooms.

BulletProofLink campaign details

Microsoft was able to dive deep into BulletProofLink after stumbling across a campaign while investigating a phishing attack. The campaign Microsoft studied was remarkable, according to the company, because it used more than 300,000 subdomains, a key indicator of the use of a BulletProofLink phishing kit.

“An interesting aspect of the campaign that caught our attention was its use of a technique we call ‘infinite subdomain abuse’, which occurs when attackers compromise a website’s DNS or when a site compromise is configured with a DNS that allows generic subdomains, “Microsoft said.

“The ‘infinite subdomains’ allow attackers to use a unique URL for each recipient while having only to buy or compromise a domain for weeks.”

Microsoft claims that this technique is gaining popularity among phishing attackers because:

  • It eliminates the need for an attacker to obtain large sets of single-use domains;
  • It allows phishing operators to maximize the unique domains they can use by configuring dynamically generated subdomains as the base domain prefix for each individual email;
  • Creating unique URLs poses a challenge to mitigation and detection methods that rely solely on the exact match of domains and URLs.

No honor among thieves

Microsoft has also discovered that BullletProofLink often steals its customers by adding code to the sold or rented phishing kit that sends the stolen credentials to a secondary location that it controls, not the customer.

BulletProofLink can then resell the links stolen by their client to gangs seeking to carry out ransomware or other attacks for which credentials are required for initial access.

Leave A Reply

Your email address will not be published.