Microsoft Security has issued a detailed report on a large phishing-as-a-service operation named BulletProofLink that offers, as a subscription, all the tools needed to run a campaign. The phishing-as-a-service, or PhaaS, model differs from the phishing kits many gangs have used in that it is more expansive: the operator handles the templates, the hosting and the credential-collection back end, the small details that could trip up a less tech-savvy attacker.
“It’s worth noting that some PhaaS groups may offer the whole deal – from template creation, hosting, and overall orchestration, making it an enticing business model for their clientele,” says the Microsoft 365 Defender Threat Intelligence Team. The breadth of services offered is the primary differentiator between kits and the subscription model. “At the time of this report, BulletProofLink continues to operate active phishing campaigns, with large volumes of redirections to their password-processing links from legitimate web hosting providers. In the next section, we describe one such campaign,” Microsoft says.
BulletProofLink has been operating since 2018 under various names, including BulletProftLink and Anthrax, and maintains instructional sites on YouTube and Vimeo, Microsoft says.
The gang operates as a legitimate business, offering chat support and even a 10% discount for new customers. “BulletProofLink additionally hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions,” Microsoft says.
BulletProofLink offers clients more than 100 email templates that sport well-known logos and brands for social engineering purposes, according to Microsoft. It says “clients” buy the pages, send the emails and are responsible for collecting the stolen credentials, using either their own landing pages or those provided by BulletProofLink. “The templates are designed to evade detection while successfully phishing for credentials, but may vary based on the individual purchasing party,” Microsoft says.
The PhaaS provider makes sure each campaign has a different appearance but, Microsoft notes, the code, the PHP password-processing sites and the hosting infrastructure all correlate back to BulletProofLink, which is what lets defenders attribute visually unrelated campaigns to the same operator. BulletProofLink offers a menu of services, each with a corresponding fee; a monthly service subscription can cost $800, Microsoft says, and other services, such as a one-time hosting link, cost about $50.
Microsoft was able to dive deeply into BulletProofLink after it stumbled across a campaign while investigating a phishing attack.
The campaign Microsoft studied was notable, the company says, because it used more than 300,000 subdomains, a key indicator that a BulletProofLink phishing kit was in use. “An interesting aspect of the campaign that drew our attention was its use of a technique we call ‘infinite subdomain abuse,’ which happens when attackers compromise a website’s DNS or when a compromised site is configured with a DNS that allows wildcard subdomains,” Microsoft says. With a wildcard record, every label under the domain resolves to the attacker’s host without any further DNS changes, so each recipient can be given a hostname nobody else has ever seen, defeating blocklists built on exact hostnames.
“‘Infinite subdomains’ allow attackers to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end.”
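The per-recipient hostnames that wildcard DNS makes possible are also the pattern a defender can hunt for: one registrable domain fronting an unusually large number of distinct, never-repeated hostnames. The following is an added example, not code from the Microsoft report or from BulletProofLink; it runs a simple fan-out heuristic over a constructed set of phishing-link URLs of the kind an email gateway or proxy log would yield. The sample URLs, the reserved `.example` and `example.org` domains, the hostname-per-domain threshold, and the short public-suffix table are all assumptions made to keep the example offline.

```python
"""
Added example (not from the Microsoft report): a detection heuristic for the
"infinite subdomain abuse" pattern. It groups phishing-link hostnames by their
registrable domain and flags any domain that fronts many distinct hostnames,
which is what a unique-URL-per-recipient campaign on a wildcard DNS record
looks like in logs. All input data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample: one domain receiving a unique, random-looking host per
# recipient, plus ordinary domains for contrast. The first hostname appears in
# two URLs to show that counting is by distinct hostname, not by URL.
SAMPLE_URLS = [
    "https://a1b2c3d4.account-verify.example/login",
    "https://a1b2c3d4.account-verify.example/submit",
    "https://e5f6a7b8.account-verify.example/login",
    "https://c9d0e1f2.account-verify.example/login",
    "https://0a1b2c3d.account-verify.example/login",
    "https://4e5f6a7b.account-verify.example/login",
    "https://8c9d0e1f.account-verify.example/login",
    "https://2a3b4c5d.account-verify.example/login",
    "https://6e7f8a9b.account-verify.example/login",
    "https://docs.example.org/share/123",
    "https://mail.example.org/inbox",
    "https://www.bbc.co.uk/news",
]

# Multi-label public suffixes this example knows about. This short table is an
# assumption; a real deployment should use the Public Suffix List (for instance
# via the `tldextract` package) so that "foo.co.uk" is not mistaken for a
# subdomain of "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_from_url(url):
    """Return the lower-cased host part of an absolute URL, or None."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", url, re.I)
    return m.group(1).lower() if m else None


def registrable_domain(host):
    """Return the registrable (apex) domain for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def subdomain_fanout(urls):
    """Map each registrable domain to the number of distinct hostnames under it."""
    fanout = defaultdict(set)
    for url in urls:
        host = hostname_from_url(url)
        if host is None:
            continue
        apex = registrable_domain(host)
        if host != apex:          # bare apex hits are not subdomain fan-out
            fanout[apex].add(host)
    return {apex: len(hosts) for apex, hosts in fanout.items()}


def flag_infinite_subdomains(urls, threshold=5, allowlist=()):
    """Return registrable domains whose distinct-hostname count reaches the threshold.

    The threshold is an assumed tuning value: in the campaign Microsoft
    describes the count ran past 300,000, but a realistic gateway sees far
    fewer hits per domain, so tune it against a baseline of your own traffic.
    The allowlist is for CDNs and SaaS platforms that legitimately use
    wildcard DNS and would otherwise trip the rule.
    """
    counts = subdomain_fanout(urls)
    return sorted(apex for apex, n in counts.items()
                  if n >= threshold and apex not in allowlist)


if __name__ == "__main__":
    for apex, n in sorted(subdomain_fanout(SAMPLE_URLS).items()):
        print(f"{apex}: {n} distinct hostnames")
    print("flagged:", flag_infinite_subdomains(SAMPLE_URLS))
```

On the constructed input the rule flags only `account-verify.example` (8 distinct hostnames across 9 URLs), while the two hosts under `example.org` and the single `bbc.co.uk` host stay below the threshold. To confirm a flagged domain actually has a wildcard record rather than many real hosts, resolve a label that cannot exist, for example `dig +short <random-label>.<domain>`; an answer for a name nobody registered is the wildcard.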