An investigation led Microsoft to a phishing-as-a-service operation known by the name BulletProofLink. Before we get into the details of the phishing scam, let us know what is phishing?
Phishing is a kind of cybercrime wherein the criminals pose as someone representing a trustworthy source and then tempting the victim to divulge the passwords, username, and other credentials. Phishing has been there for quite some time now, but the modus operandi has evolved over the years with an effort to make it foolproof.
Let us find out how the Microsoft Phishing scam was unraveled during the investigation of phishing attacks by Microsoft.
Phishing-as-a-service operation – Microsoft’s chase
The corporate tech stalwart said that it spotted the BulletProofLink, which is also known by the name BulletProftLink and Anthrax while investigating the phishing attacks that took place of late. The one acting behind the scene here extends or sells phishing kits, automated, hosting services aside from email templates operating under a single payment subscription or a monthly based one.
The Microsoft 365 Defender Threat Team said that they came across this campaign where a huge volume of unique and new subdomains was found, with over 3000,000 in a “single run“.
How does BulletProofLink operate?
With more than 100 phishing templates available, they mimic some of the well-known brands and services and their activities have adversely impacted the operations of a considerable number of enterprises today.
OSINT Fans brought the activities of the BulletProofLink to everyone’s notice in October 2020 by publishing 3-part series wherein the inner workings of this particular PhaaS operation were revealed.
They also revealed that then, BulletProofLink ICQ group chat already had as many as 1,618 members in 2020 and these members all dealt with stolen passwords and Bulletproftlink phishing services.
Double theft used for enhancing profits
Aside from the Phishing attack and what activities Microsoft Phishing email and more has revealed, the threat actor also indulged in so-called double theft so that it could earn more in profits by illegal means.
This is the same tactic that the ransomware gang adopts. The double theft here refers to a strategy when credentials are stolen in phishing attacks, and they are sent to another server (the secondary server) that is controlled by the operators running the PhaaS operation where phishing kits provided by them are used a default configuration.
In this way, the credentials that are collected by BulletProofLink clients are sent to PhaaS operators if the cybercriminals that are using their services fail to customize the phish kits to their servers.
In case of ransomware and phishing attacks, the BulletProofLink operators that provide the resources for facilitating the attacks also ensure that the stolen credentials and data obtained can be used in the maximum ways possible said Microsoft.
Understanding how phishing scams work
Just as any legally operating business outsources some of the operations and services to a third party, even cybercriminals outsource their work. Cybercrime has become a bigger sect these days with expanding malware, phishing campaigns, and ransomware.
In any PhaaS business, the attackers hire the services of an operator so that the operator can develop and use a campaign partially or wholly. The package will have items like redistribution and credential parsing, phony sign-in pages, and website-related hoax services.
As mentioned above, BulletProofLink has been active since 2018 and has its own About Us page. It uses BulletProofLink, BulletProftLink, and Anthrax interchangeably.
