Microsoft warns of a large-scale phishing-as-a-service operation

Researchers at Microsoft have detailed an extensive phishing-as-a-service (PHaaS) operation that not only sells phishing kits and email templates, but also provides criminals with hosting and other automated services.

Dubbed BulletProftLink, BulletProofLink or Anthrax, the service is thought to have been active since at least 2018.

'In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains - over 300,000 in a single run,' Microsoft researchers wrote.

'This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign: a large-scale phishing-as-a-service operation called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.'

BulletProofLink is known to run an online portal, where customers can register by paying a fee of $800 (about £585). After the payment is confirmed, operators handle everything else, so customers can deploy a campaign with minimal effort.

The services the group provides include hosting the phishing site, installing the phishing template, and even sending fraudulent emails to potential targets.

Operators also collect victims' credentials after a successful attack and deliver them to the PHaaS customer.

The group offers more than 100 phishing templates that mimic known services and brands. It also runs a separate store offering new templates, priced at $80 to $100 per template.

According to Microsoft, BulletProofLink operators not only send stolen credentials to their subscribers, but also keep a copy of those credentials in a 'double theft' tactic that helps to boost profits. These credentials are later sold on underground marketplaces.

The group also uses an 'infinite subdomain abuse' technique, making it possible for the attackers to assign unique URLs to each phishing recipient, while only using a single domain.
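From a defender's side, the 'infinite subdomain abuse' pattern is visible in DNS or proxy telemetry as one registrable domain fanning out into a large number of distinct, random-looking subdomains. The following Python is an added example, not code from Microsoft's report or from the operation described; it runs over a constructed proxy log excerpt and flags domains whose unique-subdomain count is high and whose leftmost labels look machine-generated. The registrable-domain logic (last two labels) and the thresholds are simplifying assumptions.

```python
"""Detection logic for the 'infinite subdomain abuse' pattern: one registrable
domain fanning out into many unique, random-looking subdomains. The log lines
below are constructed for this example."""
import math
from collections import defaultdict

# Constructed proxy log excerpt, one "<timestamp> <client_ip> <host>" per line.
SAMPLE_LOG = """\
2021-09-21T10:01:02Z 10.0.0.5 mail.example.com
2021-09-21T10:01:03Z 10.0.0.7 a9f3k2q8x1.login-verify.example.net
2021-09-21T10:01:04Z 10.0.0.8 z7p1m4c6v2.login-verify.example.net
2021-09-21T10:01:05Z 10.0.0.9 q2w8e5r1t9.login-verify.example.net
2021-09-21T10:01:06Z 10.0.0.10 l0k9j8h7g6.login-verify.example.net
2021-09-21T10:01:07Z 10.0.0.11 www.example.com
2021-09-21T10:01:08Z 10.0.0.12 cdn.example.com
"""


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels as the 'registrable' domain.
    Simplification (assumption): a production version would consult the
    Public Suffix List so that names like 'example.co.uk' are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def group_subdomains(lines):
    """Map registrable domain -> set of distinct subdomain prefixes seen."""
    groups = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        host = parts[2].lower().rstrip(".")
        apex = registrable_domain(host)
        prefix = host[: -len(apex)].rstrip(".")
        if prefix:
            groups[apex].add(prefix)
    return groups


def flag_subdomain_abuse(lines, min_unique=3, min_entropy=3.0):
    """Return (domain, unique_subdomain_count, mean_entropy) for domains whose
    fan-out is wide AND whose leftmost labels look machine-generated.
    Thresholds are illustrative; tune them against your own baseline."""
    flagged = []
    for apex, prefixes in group_subdomains(lines).items():
        if len(prefixes) < min_unique:
            continue
        # The per-recipient token is the leftmost label of each prefix.
        mean_entropy = sum(
            shannon_entropy(p.split(".")[0]) for p in prefixes
        ) / len(prefixes)
        if mean_entropy >= min_entropy:
            flagged.append((apex, len(prefixes), round(mean_entropy, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for apex, count, ent in flag_subdomain_abuse(SAMPLE_LOG.splitlines()):
        print(f"{apex}: {count} unique subdomains, mean label entropy {ent}")
```

In the sample, `example.com` has three distinct subdomains but they are ordinary words with low entropy, so it is not flagged; `example.net` is flagged because every prefix starts with a distinct high-entropy token. Against real telemetry the unique-subdomain count, not the entropy, does most of the work: a campaign of the size the report describes (hundreds of thousands of subdomains in one run) stands far outside any legitimate baseline.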

The BulletProofLink threat actor was first seen last year. OSINT Fans, who spotted it, published a detailed post revealing some of the operation's inner workings. It claimed that the Bulletproftlink ICQ group chat had 1,618 members in 2020 - 'all potential buyers of the stolen passwords and the Bulletproftlink phishing services'.

PHaaS is similar to ransomware-as-a-service (RaaS), both following the software-as-a-service (SaaS) model.

The latest revelation about BulletProofLink's operations comes about three months after the Microsoft 365 Defender Research Team claimed that it had dismantled a sprawling Business Email Compromise (BEC) campaign that was stealing financial details from victims' emails.

The scammers used a robust cloud system to compromise mailboxes via phishing and add email-forwarding rules in order to access messages about financial transactions.
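Forwarding rules planted in a compromised mailbox are one of the few durable artefacts a BEC intrusion leaves behind, so auditing exported inbox rules for destinations outside the organisation is a standard check. The Python below is an added example, not code from the report or from any mail platform; the rule records and their field names (`forward_to`, `redirect_to`, `enabled`) are constructed for illustration and do not correspond to a specific vendor's export format.

```python
"""Audit exported mailbox rules for forwarding or redirection to addresses
outside the organisation. The rule records and field names below are
constructed for this example, not any vendor's export format."""

# Constructed: the organisation's own mail domains (subdomains are treated as internal).
ORG_DOMAINS = {"example.com"}

# Constructed export: one dict per inbox rule.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Archive invoices", "enabled": True,
     "forward_to": ["finance-archive@corp.example.com"], "redirect_to": []},
    {"mailbox": "ap-clerk@example.com", "name": "Sync", "enabled": True,
     "forward_to": [], "redirect_to": ["payments.review@mail-example.net"]},
    {"mailbox": "hr@example.com", "name": "Old rule", "enabled": False,
     "forward_to": ["someone@mailbox.example"], "redirect_to": []},
]


def is_external(address: str, org_domains) -> bool:
    """True when the address's domain is neither an org domain nor a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    for org in org_domains:
        org = org.lower()
        if domain == org or domain.endswith("." + org):
            return False
    return True


def find_external_forwarding(rules, org_domains=ORG_DOMAINS, include_disabled=False):
    """Return (mailbox, rule_name, [external destinations]) for every rule that
    forwards or redirects mail outside org_domains. Disabled rules are skipped
    unless include_disabled is set; reviewing them too is worthwhile, since a
    disabled rule can be switched back on without creating a new one."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", False) and not include_disabled:
            continue
        destinations = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = [addr for addr in destinations if is_external(addr, org_domains)]
        if external:
            findings.append((rule["mailbox"], rule["name"], external))
    return findings


if __name__ == "__main__":
    for mailbox, name, targets in find_external_forwarding(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}' sends mail to {', '.join(targets)}")
```

Note that the flagged destination, `mail-example.net`, is a lookalike of the organisation's domain rather than an obviously foreign one; matching on exact domain or subdomain suffix, rather than on substrings, is what keeps such lookalikes from passing as internal.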

Last year, the FBI warned that BEC scammers were exploiting email auto-forwarding and cloud email services like Google G Suite and Microsoft Office 365 to steal confidential information from victims.