22 September 2021

Microsoft shares details on huge BulletProofLink PHaaS


Microsoft's security team has shed some light on a large-scale phishing-as-a-service (PhaaS) operation that provides phishing kits, email templates, hosting, and automated services to cybercriminals.

Known as BulletProofLink, BulletProftLink or Anthrax, the group has been active since 2018 and is currently advertising its services on underground hacker forums. BulletProofLink hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions.

The BulletProofLink site lists an array of services along with corresponding fees. The monthly service costs as much as $800, paid in cryptocurrency, mainly bitcoin, while other services cost about $50 for a one-time hosting link. The BulletProofLink gang also provides customer support services via Skype, ICQ, forums, and chat rooms.

The operators offer over 100 templates and operate with a highly flexible business model, which allows customers to buy the phishing pages and distribute phishing emails themselves. The customers can also control the password collection by registering their own landing pages or using BulletProofLink’s hosted links as the final site where potential victims enter their credentials.

“With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell,” Microsoft said.

“In both ransomware and phishing, the operators supplying resources to facilitate attacks maximize monetization by assuring stolen data, access, and credentials are put to use in as many ways as possible. Additionally, victims’ credentials are also likely to end up in the underground economy. For a relatively simple service, the return of investment offers a considerable motivation as far as the email threat landscape goes.”
