In researching phishing assaults, we came across a campaign that used a rather high volume of newly created and unique subdomains–over 300,000 in a single run. This investigation contributed us down a rabbit pit as we unearthed one of the operations that enabled information campaigns: a large-scale phishing-as-a-service operation called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.

With over 100 available phishing templates that imitation known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. BulletProofLink( also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business simulates, creating a steady revenue stream for its operators.

This comprehensive research into BulletProofLink sheds a light on phishing-as-a-service runnings. In this blog, we expose how effortless it can be for attackers to purchase phishing campaigns and deploy them at scale. We likewise demonstrate how phishing-as-a-service procedures drive the proliferation of phishing techniques like “double theft”, a technique in which stolen credentials is submitted to both the phishing-as-a-service operator as well as their clients, ensuing in monetization on several fronts.

Insights into phishing-as-a-service operations, their infrastructure, and their evolution inform protections against phishing campaigns. The knowledge we gained during this investigation ensures that Microsoft Defender for Office 365 protects customers from information campaigns that the BulletProofLink operation enables. As part of our commitment to improve protection for all, we are sharing these findings so the broader community can build on them and use them to enhance email filtering regulations as well as threat detection engineerings like sandboxes to better catch these threats.

Understanding phishing kits and phishing-as-a-service( PhaaS)

The persistent onslaught of email-based threats continues to pose a challenge for network defenders because of improvements in how phishing strikes are crafted and distributed. Modern phishing attacks are typically facilitated by a large economy of email and false sign-in templates, code, and other assets. While it was once necessary for attackers to separately construct phishing emails and brand-impersonating websites, the phishing landscape has evolved its own service-based economy. Attackers who aim to facilitate phishing strikes may buy resources and infrastructure from other attacker groups including 😛 TAGEND

Phish kits: Refers to kits that are sold on a one-time sale basis from phishing kit sellers and resellers. These are packaged files, typically a ZIP file, that come with ready-to-use email phishing templates designed to evade detection and are often accompanied by a portal with which to access them. Phish kits allow customers to set up the websites and purchase the domain names. Alternatives to phishing website templates or kits also include templates for the emails themselves, which clients can customize and configure for delivery. One instance of a known phish kit is the MIRCBOOT phish kit. Phishing-as-a-service: Similar to ransomware-as-a-service( RaaS ), phishing-as-a-service follows the software-as-a-service model, which requires attackers to pay an operator to wholly develop and deploy large portions or complete phishing campaigns from false sign-in page development, website hosting, and credential parsing and redistribution. BulletProofLink is an example of a phishing-as-a-service( PhaaS) functioning.

Table showing differences between phishing kits and phishing-as-a-service

Figure 1. Feature comparison between phishing kits and phishing-as-a-service

It’s worth noting that some PhaaS groups may offer the whole deal–from template creation, hosting, and overall orchestration, building it an tempting business model for their clientele. Many phishing service providers offer a hosted swindle page solution they call “FUD” Links or “Fully undetected” connects, a marketing term used by these operators to try and provide assurance that the links are viable until consumers click them. These phishing service providers host the links and pages and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware runnings, attackers do not gained from devices directly and instead simply receive untested pilfer credentials.

Transgres down BulletProofLink services

To understand how PhaaS works in detail, we excavate deep into the templates, services, and pricing structure offered by the BulletProofLink operators. According to the group’s About Us web page, the BulletProofLink PhaaS group has been effective since 2018 and proudly boastings of their unique services for every “dedicated spammer”.

Screenshot of About Us page on the BulletProofLink website

Figure 2. The BulletProofLink’s’ About Us’ page furnishes potential customers an overview of their services.

The operators maintain multiple sites under their aliases, BulletProftLink, BulletProofLink, and Anthrax, including YouTube and Vimeo pages with instructional circulars as well as promotional materials on meetings and other websites. In many of these cases, and in ICQ chat logs posted by the operator, patrons refer to the group as the aliases interchangeably.

Screenshot of video tutorials posted by BulletProofLink

Figure 3. Video tutorials posted by the Anthrax Linkers( aka BulletProofLink)

BulletProofLink enrollment and sign-in pages

BulletProofLink additionally hosts multiple sites, including an online storage where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions.

Over the course of monitoring this functioning, their online storage had undergone multiple revisions. The source code for the site’s pages contained references to artifacts elsewhere on the site, which included ICQ chat messages and circulars. While those references are still present in newer versions, the sign-in page for the monthly subscription site no longer contains service pricing knowledge. In previous versions, the sites alluded to the cost for the operator to host FUD links and return credentials to the buying party.

Screenshot of BulletProofLink registration page

Figure 4. BulletProofLink registration page

Just like any other service, different groups even boasts of a 10% welcome discount on customers’ orderings when they subscribe to their newsletter.

Screenshot of 10% discount offered to those who will sign up for newsletter

Figure 5. BulletProofLink welcome promotion for site visitors’ first order

Credential phishing templates

BulletProofLink operators give over 100 templates and operate with a highly flexible business model. This business simulate permits customers to buy the pages and “ship” the emails themselves and control the entire flow of password collecting by registering their own landing pages or make full use of the service by using the BulletProofLink’s hosted connections as the final website where potential victims key in their credentials.

The templates are designed to evade detection while successfully phishing for credentials, but may differ based on the individual purchasing party. Likewise, the great variety of templates offered does not guarantee that all BulletProofLink facilitated campaigns will seem identical. Instead, information campaigns themselves can be identified with a mixture of phishing page source code, combined with the PHP password processing sites referenced therein, as well as the hosting infrastructure is set out in their larger-scale campaigns. These password-processing domains correlate back to the operator through hosting, registration, email, and other metadata similarities during realm registration.

The templates offered are related to the phishing pages themselves, so the emails that service them may appear highly disparate and handled by multiple operators.

Service offered: Customer hosting and subsistence

The phishing operators list an array of services on their site together with the corresponding fees. As OSINT Fans noted in their blog, the monthly service expenses as much as $800, while other services expenditure about $50 dollars for a one-time hosting link. We also found that Bitcoin is a common pay technique accepted on the BulletProofLink site.

In addition to communicating with customers on site accounts, the operators display various methods of interacting with them, which include Skype, ICQ, forums, and chat rooms. Like a true-life software business dedicated to their customers, the operators furnish customer support services for current and new customers.

Screenshot of phishing templates being sold by BulletProofLink

Figure 6. Screenshot of the BulletProofLink site, which offers a wide array of phishing services impersonating various legitimate services

Screenshot of BulletProofLink website showing DocuSign services

Figure 7. DocuSign scam page service listed on the BulletProofLink site

The hosting service includes a weekly log shipment to buying parties, usually sent manually over ICQ or email. Analysis of individual activity on password-processing replies from the collected infrastructure indicates that the credentials are received on the initial template page and then sent to password-processing sites owned by the operator.

Screenshot of a BulletProofLink ad

Figure 8. An advertisement from BulletProofLink that showcases their weekly log shipment

At the time of this report, BulletProofLink continues to operate active phishing campaigns, with large volumes of redirections to their password-processing associates from legitimate web hosting providers. In the next segment, we describe on such campaign.

Tracking a BulletProofLink-enabled campaign

As mentioned, we uncovered BulletProofLink while investigating a phishing campaign that used the BulletProofLink phishing kit on either on attacker-controlled websites or websites provided by BulletProofLink as part of their service. The campaign itself was notable for its use of 300,000 subdomains, but our analysis exposed one of many implementations of the BulletProofLink phishing kit 😛 TAGEND

Diagram showing BulletProofLink-enabled attack chain

Figure 9. End-to-end attack chain of BulletProofLink-enabled phishing campaigns

An interesting facet of the campaign that describe our attention was its use of a technique we call “infinite subdomain abuse”, which happens when attackers compromise a website’s DNS or when a compromised site is configured with a DNS that allows wildcard subdomains. “Infinite subdomains” permit attackers to use a unique URL for each recipient while merely having to purchase or compromise one realm for weeks on end. It is gaining popularity among attackers for the following reasons 😛 TAGEND

It serves as a deviation from previous techniques that involved hackers securing large-scale determineds of single-use domains. To leverage infinite subdomains for use in email connects that serve to redirect to a smaller set of final landing pages, the attackers then merely need to compromise the DNS of the site, and not the site itself. It permits phishing operators to maximize the unique realms they are able to use by configuring dynamically generated subdomains as prefix to the base domain for each individual email. The creation of unique URLs poses a challenge to mitigation and detection methods that rely solely on exact match for domains and URLs.

The phishing campaign also impersonated( albeit poorly) the Microsoft logo and branding. The impersonation technique utilized solid colors for the logo, which may have been done intentionally to bypass detection of the Microsoft logo’s four distinct colourings. It is important to stress that later iterations of information campaigns have switched to using the four colours in the Microsoft logo.

Screenshot of recent lure used in a BulletProofLink campaign

Figure 10. Phishing lure from a recent credential phishing campaign

These messages also employed a technique called zero-point font, which pads the HTML of the message with characters that render as invisible to the user, to obfuscate the email torso and attempt to evade detection. This technique is increasingly used by phishers to evade detection.

Screenshot of email and HTML code showing zero-point font technique

Figure 11. HTML showing zero-point font date stuffing in an email

We found that the phishing URL in the email contained Base6 4-encoded victim datum along with an attacker-owned site where the user is meant to be redirected. In education campaigns, a single base realm was used for the infinite subdomain technique to initiate the redirects for information campaigns, which leveraged multiple secondary websites over several weeks.

Screenshot of encoded URLs and the decoded URL

Figure 12. The format and an example of the phishing URL, which when deciphered redirects to the compromised site.

The compromised site redirected to a second domain that hosted the phishing page, which mimicked the Outlook sign-in screen and is generated for each user-specific URL. We found that the page is generated for any number of email addresses entered into the URI, and had no checking mechanisms to guarantee that it wasn’t already utilized or was related to a live phishing email.

There can be one or more locatings to which credentials are sent, but the page employed a few obfuscation techniques to obliterate these locations. One attempt to obfuscate the password processing site’s location was by using a function that decodes the location based on calling back to an array of numbers and letters 😛 TAGEND

Screenshot of a function that decodes the location based on calling back to an array of numbers and letters

We reversed this in Python and detected the website that the credentials were being sent to: hxxps :// webpicture [.] cc/ email-list/ finish-unv2 [.] php. The pattern “email-list/ finish-unv2. php” came in one of these changes: finish-unv2 [.] php, finish-unv2 2 [.] php, or finish [.] php. These fluctuations typically used the term “email-list” as well as another file track segment referencing a particular phishing page template, such as OneDrive or SharePoint.

Occasionally, multiple locations were used to send credentials to, including some that could be owned by the purchasing party instead of the operator themselves, which could be called in a separate function. This could be an example of legacy artifacts remaining in final templates, or of double-theft occurring.

Screenshot showing patterns of final site URL

Figure 13. The final site’s format comes in either of these pattern variations

Analyzing these patterns led us to an extensive list of password-capturing URIs detailed in an OSINT Fans blog post about the BulletProofLink phishing service operators. We noticed that they listed patterns similar to the ones we had just observed, enabling us to find the various templates BulletProofLink used, including the phishing email with the sham Microsoft logo discussed earlier.

One of the patterns we noted is that many of the password-processing domains used in the campaigns directly had associated email addresses with “Anthrax”, ” BulletProofLink”, “BulletProftLink” or other words in the certificate registration. The email addresses themselves were not listed identically on every certification, and are also among tied to domains not used exclusively for password-processing, as noted in additional reporting by OSINT Fans.

From then on, we described even more similarities between the landing pages considered to be in the infinite subdomain surge campaign we were tracking and the existing in-depth research on the adversaries behind the BulletProofLink operations.

This process ultimately contributed us to track and expand on the same resources are mentioned in the OSINT Fans research, as we uncovered even more information about the long-running and large-scale phishing service BulletProofLink. Furthermore, we were able to uncover previous and current password-processing sites in use by the operator, as well as large segments of infrastructure hosted on legitimate hosting websites for this operation’s other components.

Double theft” as a PhaaS monetization endeavour

The PhaaS working framework as we’ve described it thus far is reminiscent of the ransomware-as-a-service( RaaS) model, which involves double extortion. The extortion method used in ransomware generally involves attackers exfiltrating and posting data publicly, in addition to encrypting them on compromised devices, to exert pressure on organizations to pay the ransom. This lets attackers gain multiple ways to assure payment, while the liberated data can then be weaponized in future attacks by other operators. In a RaaS scenario, the ransomware operator has no obligation to delete the stolen data even if the ransom is already paid.

We have observed this same workflow in the economy of theft credentials in phishing-as-a-service. With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers use the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.

In both ransomware and phishing, the operators supplying resources to facilitate assaults maximize monetization by assuring stolen data, access, and credentials are put to use in as many routes as is practicable. Additionally, victims’ credentials likewise likely to end up in the underground economy.

For a relatively simple service, the return of investment offers a considerable motivation as far as the email threat landscape goes.

How Microsoft Defender for Office 365 protects against PhaaS-driven phishing strikes

Investigating specific email campaigns allows us to ensure protections against particular onslaughts as well as similar attacks that use the same techniques, such as the infinite subdomain abuse, brand impersonation, zero-point font obfuscation, and victim-specific URI used in the campaign discussed in this blog. By studying phishing-as-a-service runnings, we are able to scale and expand the coverage of these protections to multiple campaigns that use the services of these operations.

In the case of BulletProofLink, our intelligence on the unique phishing kits, phishing services, and other components of phishing assaults allows us to ensure protection against the many phishing campaigns this functioning enables. Microsoft Defender for Office 365–which utilizes machine learning, heuristics, and an advance detonation technology to analyze emails, attachments, URLs, and landing pages in real time–recognizes the BulletProofLink phishing kit that serves the false sign-in pages and detects the associated emails and URLs.

In addition, based on our research into BulletProofLink and other PhaaS operations, we to be recognised that numerous phishing kits leveraging the code and behaviors of existing kits, like those sold by BulletProofLink. Any kit that attempts to leverage similar techniques, or sew together code from multiple kits can similarly be identified and remediated before the user receives the email or involves with the content.

With Microsoft 365 Defender, we’re able to further expand that protection, for example, by stymie of phishing websites and other malicious URLs and realms in the browser through Microsoft Defender SmartScreen, as well as the detecting of suspicious and malicious behavior on endpoints. Advanced hunting abilities let customers to search through key metadata fields on mailflow for relevant indicators listed in this blog and other anomalies. Email threat data was related to signals from endpoints and other realms, furnishing even richer intelligence and expanding investigation capabilities.

To build resilience against phishing attempts in general, organizations can use anti-phishing policies to enable mailbox intelligence specifies, as well as configure impersonation protection fixes for specific messages and sender domains. Enabling SafeLinks ensures real-time protection by scanning at day of delivery and at period of click.

In addition to takes advantage of the tools available in Microsoft Defender for Office 365, administrators can further strengthen defenses against the threat of phishing by securing the Azure AD identity infrastructure. We strongly recommend enabling multifactor authentication and blocking sign-in attempts from legacy authentication.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

Microsoft 365 Defender Threat Intelligence Team

Indicators of compromise

Password-processing URLs

hxxps :// apidatacss [.] com/ finish-unv2 2 [.] php hxxps://ses-smtp[.]com/email-list/office19999999/finish[.]php hxxps :// ses-smtp [.] com/ email-list/ onedrive2 5/ finish [.] php hxxps:// ses-smtp [.] com/ email-list/ office3 65 nw/ finish [.] php hxxps://smtpro101[.]com/email-list/onedrive25/finish[.]php hxxps :// smtpro1 01 [.] com/ email-list/ office1 9999999/ finish [.] php hxxps://plutosmto[.]com/email-list/office365nw/finish[.]php hxxps :// smtptemp [.]. site/ email-list/ office3 65 nw/ finish [.] php hxxps://trasactionsmtp[.]com/email-list/finish-unv2[.]php hxxps :// smtptemp [.] site/ email-list/ office3 65 nw/ finish-unv2 2 [.] php hxxps://apidatacss:com/finish-unv22[.]php hxxps :// email-list/ otlk5 5/ finish [.] php hxxps://[.]php hxxps :// plutosmto [.] com/ email-list/ kumar/ finish [.] php hxxps://[.]php hxxps :// jupitersmt [.] com/ email-list/ office3 65 nw/ finish [.] php hxxps://plutosmto[.]com/email-list/onedrive25/finish[.]php hxxps :// plutosmto [.] com/ email-list/ sharepointbuisness/ finish [.] php hxxps://ghostsmtp[.]com/email-list/sharepoint/finish[.]php hxxps :// jupitersmt [.] com/ email-list/ otlk/ finish [.] php hxxps://earthsmtp[.]com/email-list/onedrive25/finish[.]php hxxps :// earthsmtp [.] com/ email-list/ office3 65 nw/ finish [.] php hxxps://trasactionsmtp[.]com/email-list/defaultcustomers/johnphilips002021/finish[.]php hxxps :// trasactionsmtp [.] com/ email-list/ office3 65 nw/ finish [.] php hxxps://trasactionsmtp[.]com/email-list/universalmail/finish[.]php hxxps :// trasactionsmtp [.] com/ email-list/ onedrive2 5/ finish [.] php hxxps://moneysmtp[.]com/email-list/office365nw/finish[.]php hxxps :// moneysmtp [.] com/ email-list/ otlk/ finish [.] php hxxps://moneysmtp[.]com/hxxp://moneysmtp[.]com/email-list/office365nw/finish[.]php hxxps :// feesmtp [.] com/ email-list/ office3 65 rd40/ finish [.] php hxxps://feesmtp[.]com/email-list/onedrive25/finish[.]php hxxps :// Failedghostsmtp [.] com/ email-list/ sharepoint/ finish [.] php hxxps://bomohsmtp[.]com/email-list/office365-21/finish[.]php hxxps :// bomohsmtp [.] com/ email-list/ onedrive2 5/ finish [.] php hxxps://foxsmtp[.]com/email-list/onedrive25/finish[.]php hxxps :// dasmtp [.] com/ email-list/ dropboxoffice1/ finish [.] php hxxps://rosmtp[.]com/email-list/onedrive23/finish[.]php hxxps :// ghostsmtp [.] com/ email-list/ adobe2 0/ finish [.] php hxxps://josmtp[.]com/email-list/onedrive23/finish[.]php hxxps :// ghostsmtp [.] com: 443/ email-list/ onedrive2 3/ finish [.] php hxxps://ghostsmtp[.]com/email-list/onedrive23/finish[.]php hxxps :// winsmtp [.] com/ email-list/ excel/ finish [.] php hxxps://linuxsmtp[.]com/email-list/adobe20/finish[.]php?phishing-processor hxxps :// gpxsmtp [.] com/ email-list/ office1/ finish [.] php? phishing-processor hxxps://gpxsmtp[.]com/email-list/onedrive23/finish[.]php?phishing-processor hxxps :// gpxsmtp [.] com/ email-list/ excel5/ finish [.] php hxxps://gpxsmtp[.]com/email-list/adobe3/finish[.]php hxxps :// gpxsmtp [.] com/ email-list/ office1/ finish [.] php hxxps://gpxsmtp[.]com/email-list/onedrive23/finish[.]php hxxps :// panelsmtp [.] com/ email-list/ onedrive-ar/ finish [.] php hxxps://mexsmtp[.]com/email-list/onedrive23/finish[.]php?phishing-processor hxxps :// racksmtp [.] com/ email-list/ domain-au1/ finish [.] php hxxps://racksmtp[.]com/email-list/finish[.]php hxxps :// racksmtp [.] com/ email-list/ sharepoint/ finish [.] php hxxps://mainsmtp[.]com/email-list/onedrive23/finish[.]php hxxps :// prvtsmtp [.] com/ email-list/ onedrive2 3/ finish [.] php? i-am-a-phishing-processor hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php?this-is-a-phishing-processor hxxps :// prvtsmtp [.] com/ email-list/ office1/ finish [.] php hxxps://prvtsmtp[.]com/email-list/onedrive23/finish[.]php hxxps :// apiserverdata1 [.] com/ email-list/ office1/ finish [.] php hxxps://[.]php hxxps :// email-list/ office1/ finish [.] php? this-is-a =p hishing-processor hxxps://valvadi101[.]com/email-list/office1/finish[.]php hxxps :// moneysmtp [.] com/ email-list/ finish-unv2 [.] php hxxps://foxsmtp[.]com/email-list/finish-unv2[.]php hxxps :// bomohsmtp [.] com/ email-list/ finish-unv2 [.] php hxxps://rosmtp[.]com/email-list/finish-unv2[.]php hxxps :// linuxsmtp [.] com/ email-list/ finish-unv2 [.] php? phishing-processor hxxps://voksmtp[.]com/email-list/finish-unv2[.]php?phishing-processor hxxps :// gpxsmtp [.] com/ email-list/ finish-unv2 [.] php? phishing-processor hxxps://gpxsmtp[.]com/email-list/finish-unv2[.]php hxxps :// email-list/ finish-unv2 [.] php hxxps://[.]php hxxps :// Failedsendapidata [.] com/ email-list/ finish-unv2 [.] php hxxps://[.]php?phishing-processor hxxps :// prvtsmtp [.] com/ email-list/ finish-unv2 [.] php hxxps:// hxxps :// apiserverdata1 [.] com/ email-list/ finish-unv2 [.] php hxxps://sendapidata[.]com/email-list/finish-unv2[.]php

Password-processing domains 😛 TAGEND

hxxps :// apidatacss [.] com hxxps://apiserverdata1[.]com hxxps :// baller [.] top hxxps:// hxxps :// f1smtp [.] com hxxps://ghostsmtp[.]com hxxps :// gpxsmtp [.] com hxxps://gurl101[.]services hxxps :// hostprivate [.] us hxxps://josmtp[.]com hxxps :// link1 01 [.] bid hxxps://linuxsmtp[.]com hxxps :// migration1 01 [.] us hxxps://panelsmtp[.]com hxxps :// racksmtp [.] com hxxps://rosmtp[.]com hxxps :// rxasmtp [.] com hxxps://thegreenmy87[.]com hxxps :// vitme [.] bid hxxps://voksmtp[.]com hxxps :// winsmtp [.] com hxxps://trasactionsmtp[.]com hxxps :// moneysmtp [.] com hxxps://foxsmtp[.]com hxxps :// bomohsmtp [.] com hxxps://webpicture[.]cc hxxps :// Faileduebpicture [.] cc hxxps://Failedsendapidata[.]com hxxps :// prvtsmtp [.] com hxxps://sendapidata[.]com hxxps :// hxxps://plutosmto[.]com hxxps :// laptopdata [.] xyz hxxps://jupitersmt[.]com hxxps :// earthsmtp [.] com hxxps://feesmtp[.]com hxxps :// Failedghostsmtp [.] com hxxps://dasmtp[.]com hxxps :// mexsmtp [.] com hxxps://mainsmtp[.]com hxxps :// valvadi1 01 [.] com hxxps://ses-smtp[.]com

The post Catching the big fish: Analyzing a large-scale phishing-as-a-service operation appeared first on Microsoft Security Blog.

Read more: