Police takes down BulletProftLink large-scale phishing provider

The infamous BulletProftLink phishing-as-a-service (PhaaS) platform, which supplied more than 300 phishing templates, has been seized, the Royal Malaysian Police announced.

The operation started in 2015 but came onto researchers’ radar later. It became more active from 2018 and had thousands of subscribers, some of them paying for access to batches of credential logs.

PhaaS platforms provide cybercriminals with tools and resources to carry out phishing attacks through “ready-to-use” kits and templates, page hosting, customization options, credential harvesting, and reverse proxying tools.

The BulletProftLink operation has been documented before. In 2020, cybersecurity expert Gabor Szathmari detailed in a three-part series of open-source intelligence research [1, 2, 3] how he linked, with high confidence, the operator of the service to a Malaysian national living a life of luxury.

A Microsoft report in September 2021 warned about the high volume of phishing attacks the service could facilitate and the large number of templates available to buyers. The service also collected all credentials its subscribers (1,618 at the time) stole in phishing attacks.

BulletProftLink busted

Aided by the Australian Federal Police and the FBI, the Malaysian police managed to dismantle the operation and take down a number of domains used by the illegal shop.

The police arrested eight individuals on November 6, one of them a self-taught man believed to be the leader of the operation. Authorities also seized cryptocurrency wallets holding about $213,000, servers, computers, jewelry, vehicles, and payment cards.

With servers confiscated, law enforcement can examine them to identify users of the platform, some of them paying a $2,000/month subscription fee to access regular batches of credential logs.

Cybercrime intelligence company Intel 471 says that as of April 2023, BulletProftLink had 8,138 active subscribers with access to 327 phishing page templates.

The BulletProftLink dashboard (Intel471)

This is a 403% rise in customers since Microsoft’s report in 2021, reflecting the platform’s massive popularity in the cybercrime community.

Intel 471 says that the phishing resources BulletProftLink offered before it was taken down “included login pages for Microsoft Office, DHL, the South Korea-based online platform Naver and financial institutions including American Express, Bank of America, Consumer Credit Union and Royal Bank of Canada.”

Phishing pages available for members to purchase (Intel471)

Some of these phishing pages were hosted on legitimate cloud services like Google Cloud and Microsoft Azure to evade email security tools.

BulletProftLink’s inventory also offered the Evilginx2 reverse-proxying tool that enables adversary-in-the-middle (AITM) phishing attacks, which can bypass multi-factor authentication protections.

The operation was an important source of credentials for professional cybercriminals to gain initial access to corporate systems. With a foothold in the company network, attackers can begin the reconnaissance stage and move laterally to valuable hosts.


