Microsoft's 365 Defender Threat Intelligence Team has discovered a large-scale, well-organized and sophisticated Phishing-as-a-Service (PhaaS) operation.
The platform lets would-be cybercriminals personalize campaigns and develop their own phishing strategies: it supplies the phishing kits, email templates and hosting services needed to launch the attacks.
Microsoft's researchers identified the operator of this phishing-as-a-service offering as BulletProofLink, a group believed to be behind many of the phishing campaigns affecting businesses today, since it supplies the core materials attackers use. In the typical "About us" section, the group claims to have been active since 2018 and boasts of its unique services for each "dedicated spammer".
What’s on the platform
On the platform you can find, for example, more than 100 phishing templates that mimic well-known brands and services (including Microsoft itself, as the accompanying image shows), ready to be used to steal user information.
The case has been reported but not shut down. "At the time of writing this report, BulletProofLink continues to run active phishing campaigns, with high volumes of redirects to its password processing links from legitimate web hosting providers," Microsoft explains.
One aspect of the campaign that caught the experts' attention was a technique called "infinite subdomain abuse", which occurs when attackers compromise a website's DNS or when a compromised site is configured with DNS that allows wildcard subdomains. "Infinite subdomains" let attackers use a unique URL for each recipient while only having to buy or compromise a single domain for weeks.
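From a defender's side, the per-recipient URLs described above leave a recognizable trace in web proxy or DNS logs: one registrable domain with almost as many distinct subdomain labels as it has requests. The script below, an added example that is not part of Microsoft's report or of this article, runs that heuristic over a few constructed proxy log lines. The log format, the domain names and the thresholds are assumptions for illustration; the registrable-domain split is a simplified "last two labels" rule rather than a Public Suffix List lookup.

```python
"""Flag registrable domains whose requests almost all use a distinct subdomain,
a pattern consistent with wildcard-DNS ("infinite subdomain") phishing URLs.
All sample data below is constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines in the form "<timestamp> <client-ip> <url>".
SAMPLE_LOG = """\
2021-09-21T10:00:01Z 10.0.0.5 https://a8f3c1d9e0.login-review.example/verify
2021-09-21T10:00:07Z 10.0.0.6 https://b71e44c0aa.login-review.example/verify
2021-09-21T10:00:12Z 10.0.0.7 https://c02d9f7b13.login-review.example/verify
2021-09-21T10:00:15Z 10.0.0.8 https://d4e5f6a7b8.login-review.example/verify
2021-09-21T10:00:20Z 10.0.0.9 https://e9a0b1c2d3.login-review.example/verify
2021-09-21T10:01:00Z 10.0.0.5 https://www.contoso.example/mail/inbox
2021-09-21T10:01:05Z 10.0.0.6 https://www.contoso.example/mail/inbox
2021-09-21T10:01:09Z 10.0.0.7 https://cdn.contoso.example/static/app.js
"""


def registrable_domain(host):
    """Split a hostname into (registrable domain, subdomain prefix).

    Assumption: the last two labels form the registered domain. A production
    detector should use the Public Suffix List so that e.g. co.uk is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def subdomain_stats(log_text):
    """Count requests and distinct subdomain prefixes per registrable domain."""
    stats = defaultdict(lambda: {"hits": 0, "subdomains": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip
        host = urlparse(parts[2]).hostname
        if not host:
            continue
        base, prefix = registrable_domain(host)
        stats[base]["hits"] += 1
        stats[base]["subdomains"].add(prefix)
    return stats


def flag_infinite_subdomains(log_text, min_hits=5, min_unique_ratio=0.8):
    """Return domains where nearly every request carried a different subdomain.

    min_hits avoids flagging a domain seen only once or twice; min_unique_ratio
    is the share of requests that must use a previously unseen subdomain.
    """
    flagged = {}
    for base, s in subdomain_stats(log_text).items():
        if s["hits"] < min_hits:
            continue
        ratio = len(s["subdomains"]) / s["hits"]
        if ratio >= min_unique_ratio:
            flagged[base] = {
                "hits": s["hits"],
                "unique_subdomains": len(s["subdomains"]),
                "ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for base, info in flag_infinite_subdomains(SAMPLE_LOG).items():
        print(f"{base}: {info}")
```

In the constructed sample, login-review.example is flagged (five requests, five distinct subdomains) while contoso.example is not: it has only two subdomains across three requests and falls below the hit threshold. Legitimate CDNs and SaaS tenants also use many subdomains, so this is a triage signal to combine with domain age or reputation, not a verdict on its own.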
What PhaaS Providers Can Offer
It is worth noting that some Phishing-as-a-Service groups offer the entire service: template creation, hosting and general orchestration. Microsoft also explains that many phishing service providers offer hosted scam pages they call "FUD" ("fully undetected") links, a marketing term these operators use to assure buyers that the links remain viable until users click on them.
These providers host the links and pages, and the attackers who pay for the service simply receive the stolen credentials afterwards. Unlike some ransomware operations, the attackers do not gain direct access to devices; they are limited to receiving stolen, unverified credentials from the group they contracted.
In the campaign Microsoft discovered, the hosting service includes a weekly delivery of logs (the stolen credentials) to customers, usually sent manually via ICQ or email.
Terms you should know about phishing as a service
To understand how PhaaS works, it helps to know certain terms and their definitions:
- Phishing kits: kits sold through vendors and resellers. They are packaged files, usually ZIP archives, that ship with out-of-the-box phishing email templates designed to evade detection by security software, and are often accompanied by a portal through which they can be accessed. Phishing kits let customers set up websites and purchase domain names. Alternatives to phishing kits or templates also include templates for the emails themselves, which customers can customize and configure for delivery. An example of a known phishing kit is the MIRCBOOT Phishing Kit.
- Phishing as a Service: security experts consider it similar to Ransomware as a Service (RaaS), following the usual software-as-a-service model. In other words, attackers pay an operator to develop and deploy complete phishing campaigns, which can be personalized so that the attacker chooses the services that interest them: fake login pages, website hosting, and the analysis and redistribution of credentials.