Microsoft has revealed the details of a large phishing-as-a-service (PHaaS) operation that sells phishing kits, email templates, hosting, and automated services at a low price, allowing cybercriminals to buy and execute phishing operations with minimum effort.
According to a report by Microsoft 365 Defender Threat Intelligence Team released on Tuesday, the BulletProofLink organization is responsible for many of the phishing operations that affect businesses today, with over 100 accessible phishing templates that imitate well-known companies and services.
BulletProofLink (also known as BulletProftLink or Anthrax) is leveraged by various attacker groups in one-time or monthly subscription-based business models, providing constant cash to its operators.
Microsoft disclosed that the activity was discovered after examining a credential phishing campaign that employed the BulletProofLink phishing kit on attacker-controlled sites or sites offered by BulletProofLink as part of their service. OSINT Fans were the first to reveal the operation’s existence in October 2020.
Phishing-as-a-service is not the same as traditional phishing kits. The traditional ones are offered as one-time fees for access to pre-packaged email phishing templates. On the other hand, PHaaS are subscription-based and follow the software-as-a-service paradigm, with built-in site hosting, credential theft, and email delivery added to the capabilities.
It is believed that BulletProofLink has been active since 2018. The more concerning thing is that the stolen credentials are transmitted to attackers and BulletProofLink operators, employing a strategy known as “double theft,” which is similar to ransomware groups’ double extortion assaults.
With BulletProofLink phishing kits, operators may easily incorporate a backup place for credentials to be transmitted and expect that the phishing kit’s buyer does not change the code to remove it.
The PHaaS operator kept custody of all credentials they resold in situations when attackers employing the service got credentials and logs at the end of a week instead of running campaigns themselves.