Pierluigi Paganini September 23, 2021

Microsoft uncovered a large-scale phishing-as-a-service operation, dubbed BulletProofLink, that enabled threat actors to easily carry out malicious campaigns.

Microsoft researchers have uncovered a large-scale phishing-as-a-service (PHaaS) operation, dubbed BulletProofLink (aka Anthrax), that offers to its customers phishing kits, email templates, and hosting and automated services to carry out phishing attacks. BulletProofLink service was very cheap and allowed threat actors to arrange phishing campaigns without specific technical capabilities.

Microsoft uncovered the operation during its investigation of a phishing campaign that was using a BulletProofLink phishing kit on either on attacker-controlled sites or sites provided by BulletProofLink as part of their PaaS service. The operation was first documentedby OSINT Fans in October 2020.

BulletProofLink operation provides over 100 phishing templates that mimic popular brands and services, experts estimated that it is responsible for many of the phishing campaigns that hit enterprises today.

BulletProofLink has been active since 2018, it was used by multiple threat actors in either one-off or monthly subscription-based business models.

BulletProofLink operate an online store to advertise their service that goes for as much as $800 a month, the group also offers a 10% welcome discount on customers’ orders if they subscribe to their newsletter.

One of the interesting aspects of this large-scale phishing campaign was called by Microsoft experts “double theft,,” it refers to a tactic where credentials stolen in phishing attacks by the customers of the service are also sent to a server controlled by PhaaS operators if they use a phishing kit in its default configuration.

The double theft tactic allows the PhaaS operators to maximize their profits, the operators also earn selling victims’ credentials in the cybercrime underground

“With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.” concludes Microsoft. “In both ransomware and phishing, the operators supplying resources to facilitate attacks maximize monetization by assuring stolen data, access, and credentials are put to use in as many ways as possible. Additionally, victims’ credentials also likely to end up in the underground economy.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]