To pull off successful phishing in the past, attackers need decent technical skills and must put in some work. This was a barrier to entry for would-be cybercriminals.
However, with the advent of phishing-as-a-service (PhaaS), any malicious actor now has the means of executing sophisticated phishing attacks against various targets.
Despite the publicity, phishing remains a major way through which cybercriminals compromise organizations’ systems.
Phishing-as-a-service provides low-cost and easy-to-use access to phishing tools and kits.
In order to properly understand phishing-as-a-service, we’ll discuss the activities of a phishing-as-a-service provider exposed by Microsoft in a recent blog post.
The Phishing as a Service
Microsoft office 365 security researchers came across a large-scale phishing campaign that involved over 300,000 subdomains in its various attacks. The underlying phishing-as-a-service provider for these attacks was discovered to be BulletProofLink which is believed to have been operating since 2018.
The operators behind the phishing service openly advertise their services on websites/social media using promotional materials. These services aid attackers in outsourcing parts or all of their phishing campaigns to third parties.
BulletProofLink also known as Anthrax, offers both a one-off service and subscription-based model for their customers.
It also provides more than 100 phishing templates for Brands and online services to help customers to steal credentials from unsuspecting businesses.
Attackers no longer need to clone websites and email on their own because of the proliferation of done-for-you phishing services that boasts a large selection of emails and fake sign-in pages.
BulletProofLink Services
The cost of BulletProofLink’s phishing service ranges from $50 for a one-time hosting link and as much as $800 for a monthly subscription.
Researchers discovered that BulletProofLink didn’t just make money by selling kits and services, they also received a copy of stolen data that their clients get in a process known as double extortion or double theft.
Bitcoin is used as a payment method on bulletproof’s website and they offer customer support via Skype, ICQ, forums, and chat rooms.
Phishing Templates
Customers can purchase phishing templates from BulletProofLink that will be self-hosted and sent to a custom email target list. In this case, the client is in charge of directly collecting stolen login details.
For customers who want a more complete service, this phishing-as-a-service provider can host the malicious link and collect victims’ credentials before forwarding the logs to subscribers via ICQ or email.
Bulletproof email and hosting templates are designed to evade anti-phishing security systems. They also host a large array of phishing kits which makes detection more challenging as they cannot be identified with just one phishing signature.
Phishing Kits
Phishing kits are phishing materials and tools that are sold by cybercriminals and resellers to potential attackers. The kits contain packages that include already developed websites, documents, and email templates.
Attackers use the kit to set up their own phishing websites on purchased domains. The kits are made available as a one-time download or via a web portal provided by the PhaaS operators.
In phishing-as-a-service, attackers pay the controllers to get the necessary kit for a phishing campaign.
Service providers who offer the complete package of hosting and data collection are also popular with customers.
Anti-Security Features of BulletProofLink Services
BulletProofLink services use some interesting techniques in their phishing kits. These include:
1. The infinite Subdomain Abuse: This is a method by which the compromised DNS of a website can be configured for wildcard subdomain creation. This means that an attacker can create multiple unique URLs for each phishing email recipient while only being in control of one domain. Anti-phishing software that relies on matching exact URL or domain finds it challenging to detect this pattern of attack.
2. Zero-point Font: Bulletproof link phishing email kits also make use of the Zero-font technique for evading anti-malware. In this method, random characters are inserted between words that are likely to be flagged by antivirus. But these characters are reduced to zero font so they are invisible to readers but can throw off email scanners.
Protecting Your Organization from Phishing as a Service
• Set up anti-phishing policies for your organization and enforce them
• Install anti-phishing solutions to block malicious email
• Configure the highest security settings for your email provider
• Enable link scanning tools such as SafeLinks to scan for malicious emails
• Train employees to spot and report phishing emails
Phishing attacks will continue to increase as they become easier to deploy thanks to phishing-as-a-service providers. Maintaining a secure working environment is challenging because of the evolving threat landscape. SDTEK can help your business deploy strong security solutions to protect it against phishing. Get in touch today to discuss your options.
