BulletProofLink, a large-scale phishing-as-a-service (PhaaS) operation, offers over 100 phishing templates that imitate known brands and services, Microsoft revealed in its blog. Microsoft was one of the brands whose logo and branding were impersonated during the phishing campaign initiated using BulletProofLink. The operation sells phishing kits, email templates, hosting, and automated services at an affordable cost and is responsible for facilitating many phishing campaigns these days, the blog added.
The PhaaS was found to be the weapon of choice of multiple attacker groups, who can buy it either as a one-off purchase or by paying a monthly subscription fee for its services, the company added.
Cyber attacks are growing with each passing day, especially during the pandemic as COVID-19 lockdowns force a rapid adoption of digital tech. Phishing is a cyber attack that uses disguised email as a weapon and is notoriously difficult to sniff out, given its sophistication. Phishing attacks have increased by 600% during the pandemic. The consequences can be damaging in most cases as it results in violation of privacy and inflicts steep financial stress on people as well as businesses.
How does BulletProofLink operate?
The BulletProofLink PhaaS group became active in 2018 and operates under multiple aliases like BulletProftLink, BulletProofLink, and Anthrax. It also has instructional advertisements on YouTube and Vimeo, Microsoft revealed in its post.
- BulletProofLink registration and sign-in pages: The service hosts an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions. The group provides a 10% welcome discount on orders when customers subscribe to their newsletter, as per the post.
- Phishing templates: Operators offer over 100 templates developed to evade detection while successfully phishing for victims’ credentials, the blog said. Phishing campaigns initiated on these templates do not look identical.
- Customer hosting and support: The group’s operators provide a variety of services for a fee. The monthly service costs about $800, and Bitcoin is accepted as a payment method on the site. New and existing customers can interact with the group on Skype, ICQ, forums, and chat rooms for customer support services.
Difference between phishing kits and PhaaS
The blog explained that the phishing landscape has evolved into a service-based economy as compared to building phishing emails and brand-impersonating websites in the past. Now, criminals can simply initiate an attack by purchasing resources and infrastructure from groups such as BulletProofLink:
- Phish kits: These kits are sold on a one-time sale basis. They are packaged files, usually a ZIP file, that come with ready-to-use email phishing templates designed to evade detection and are often accompanied by a portal with which to access them. Phish kits allow customers to set up the websites and purchase the domain names, Microsoft stated.
- Phishing-as-a-service: It is akin to ransomware-as-a-service (RaaS), in which attackers pay an operator to develop and deploy large portions of, or complete, phishing campaigns, from false sign-in page development through website hosting to credential parsing and redistribution.
Double theft model
The PhaaS working model copies the RaaS model insofar as it involves double extortion. The extortion method used in ransomware follows the pattern of posting data publicly in addition to encrypting it on compromised devices, to put pressure on organisations to pay the ransom, Microsoft explained.
It is easy for PhaaS operators to include a secondary location that also receives the login credentials their customers harvest. This maximises monetisation of stolen data and credentials: the operators post victims’ credentials on the dark web as well, leaving them susceptible to further attacks.
- The company advised that users must have antivirus software installed on their devices.
- Organisations must use anti-phishing policies to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains.
- Users must enable multi-factor authentication and block sign-in attempts from legacy authentication.
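As an added example (not from the article or from Microsoft’s post), the three recommendations above expressed as Exchange Online PowerShell. The domain names, the protected mailboxes and the policy names are placeholders constructed for illustration; the cmdlets and parameters are the standard ones from the ExchangeOnlineManagement module.

```powershell
# Added example, not from the article or Microsoft's post. Requires the
# ExchangeOnlineManagement module and an Exchange Online administrator account.
# 'example.com', 'partner-example.com', the mailboxes and the policy names are placeholders.
Connect-ExchangeOnline

# 1. Check the current posture. A policy with mailbox intelligence off and no
#    impersonation protection is the weak setting the recommendations warn about.
Get-AntiPhishPolicy |
    Format-List Name, Enabled, EnableMailboxIntelligence,
                EnableMailboxIntelligenceProtection, EnableTargetedUserProtection,
                EnableTargetedDomainsProtection, EnableOrganizationDomainsProtection

# 2. Hardened anti-phishing policy: mailbox intelligence, user and domain
#    impersonation protection, and spoof intelligence, with quarantine actions.
New-AntiPhishPolicy -Name "Hardened Anti-Phish" `
    -Enabled $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "CEO Placeholder;ceo@example.com", "CFO Placeholder;cfo@example.com" `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "partner-example.com" `
    -TargetedDomainProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2   # 2 = "Aggressive" machine-learning phishing threshold

# 3. Scope the policy to every recipient in the tenant domain.
New-AntiPhishRule -Name "Hardened Anti-Phish Rule" `
    -AntiPhishPolicy "Hardened Anti-Phish" `
    -RecipientDomainIs "example.com"

# 4. Block legacy (basic) authentication, which cannot enforce MFA. A newly
#    created authentication policy blocks every basic-auth protocol unless one
#    is explicitly allowed; making it the tenant default applies it to all users.
New-AuthenticationPolicy -Name "Block Legacy Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Legacy Auth"
```

Re-running the Get-AntiPhishPolicy query afterwards should show the new policy with every protection flag set to True. Requiring MFA itself is configured in Azure AD (Security Defaults or a Conditional Access policy), not in Exchange Online, and is therefore not shown here; blocking legacy authentication is what stops a stolen password from bypassing that requirement.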
Phishing attacks in India
As many as 83 percent of Indian organisations surveyed reported an increase in phishing attacks via emails during the pandemic according to a report by UK-based cybersecurity firm Sophos.
February 2021: Hindustan Times reported that a number of senior government officials, including those from the ministries of defence and external affairs, were targeted in a phishing campaign, with attackers using compromised government domain email accounts to launch their hacking attempts. The National Informatics Centre (NIC) issued an alert soon after the attack, but there was no confirmation whether any targeted computers were compromised.
March 2021: A response to a parliamentary question revealed that CERT-In, India’s nodal cyber security agency, was working with the Reserve Bank of India (RBI) and other banks to track and disable phishing websites in an effort to thwart online frauds.
July 2021: Researchers at Seqrite, the cybersecurity arm of Quick Heal Technologies, claimed that they found sophisticated phishing attempts targeting Indian critical infrastructure PSUs across the finance, power, and telecom sectors by a Pakistan-linked group. The PSUs were targeted to get access to sensitive information “including screenshots, keystrokes, & files from the affected system”.
July 2021: Kaspersky Internet Security found that India was among the top three countries facing phishing attacks primarily via instant mobile messaging apps like Facebook-owned WhatsApp and Telegram. Countries experiencing the highest number of phishing attacks were Russia (46 percent), Brazil (15 percent), and India (7 percent).
August 2021: CERT-In warned that scammers were targeting banking customers in India with a new type of phishing attack to collect sensitive information such as internet banking credentials, mobile numbers, and OTPs to carry out fraudulent transactions. It said that the malicious activity was carried out using the ngrok platform (a cross-platform application).
September 2021: Indian taxpayers were targeted with Elibomi, an Android malware, which stole their financial information in a phishing attack, according to McAfee’s Mobile Research team. The antivirus company disclosed that the attackers lure in unsuspecting users by pretending to be a fake tax-filing application.