Monday, October 25, 2021

How a phishing-as-a-service operation works

One of the reasons phishing is still a major tactic used by attackers is that it’s so easy to get started thanks to phishing-as-a-service (PhaaS) offerings by cybercrooks.

Microsoft has released a report on one of them, called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.

“With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today,” the report says.

“BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.”

The report also warns that PhaaS operations include the “double theft” of stolen credentials: Captured usernames and passwords are sent to both the phishing-as-a-service operator and the cybercrooks who buy the service.

As an example of what can be bought, the report includes a screenshot of a BulletProofLink product page offering a realistic-looking but fake Microsoft Office 365 login page for US$100, a fake login page for the DHL courier service for US$100 and a fake DocuSign page for US$80.

Screenshot of phishing templates being sold by BulletProofLink

(Image by Microsoft)

As with ransomware-as-a-service, PhaaS operations allow attackers to buy large portions of or complete phishing campaigns, including false sign-in page development, website hosting, and credential parsing and redistribution.

Many phishing service providers also offer a hosted scam page solution they call “FUD” Links or “Fully undetected” links, says the report, which are viable until users click them. Attackers who pay for these services receive the stolen credentials later on.

To help their customers, BulletProofLink or its aliases offer YouTube and Vimeo pages with instructional advertisements as well as promotional materials on forums and other sites. Customers can communicate through Skype, ICQ, forums, and chat rooms. It also offers a 10 per cent welcome discount on customers’ orders when they subscribe to their newsletter.

To build resilience against phishing attacks in general, the report says infosec teams should use anti-phishing policies to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. Microsoft also strongly urges organizations to adopt multifactor authentication to prevent stolen credentials from being abused.

 

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News