22 September 2021

Microsoft shares details on huge BulletProofLink PHaaS



Microsoft's security team has shed some light on a large-scale phishing-as-a-service (PhaaS) operation that provides phishing kits, email templates, hosting, and automated services to cybercriminals.

Known as BulletProofLink, BulletProftLink or Anthrax, the group has been active since 2018 and is currently advertising its services on underground hacker forums. BulletProofLink hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions.

The BulletProofLink site lists an array of services along with corresponding fees. The monthly service costs as much as $800 paid in cryptocurrency, mainly bitcoin, while other services cost about $50 for a one-time hosting link. The BulletProofLink gang also provides customer support services via Skype, ICQ, forums, and chat rooms.

The operators offer over 100 templates and operate with a highly flexible business model, which allows customers to buy the phishing pages and distribute phishing emails themselves. The customers can also control the password collection by registering their own landing pages or using BulletProofLink’s hosted links as the final site where potential victims enter their credentials.

“With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell,” Microsoft said.

“In both ransomware and phishing, the operators supplying resources to facilitate attacks maximize monetization by assuring stolen data, access, and credentials are put to use in as many ways as possible. Additionally, victims’ credentials are also likely to end up in the underground economy. For a relatively simple service, the return of investment offers a considerable motivation as far as the email threat landscape goes.”

