Microsoft has uncovered a large phishing-as-a-service (PhaaS) operation that spans over 300,000 spawned domains and offers more than 100 phishing kits, as well as many other illicit products.
When a user falls prey to a phishing email, he’s redirected to a website that looks much like the real one. Victims believe they are in the right place and willingly input personal information such as passwords, credit card details, and even passport copies. Spammers and other criminals sending phishing emails don’t build these websites or host them — they buy such services from PhaaS operations.
Microsoft was investigating a recent surge of phishing attacks and discovered a large operation named BulletProofLink that sells everything related to this cybercrime, including phishing kits, email templates, hosting and automated services.
“With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today,” said Microsoft.
“BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators,” the company also explained.
In their investigation, the researchers discovered that criminals constantly update the website and services. The operators used YouTube and Vimeo pages with instructional advertisements and promotional materials, and communicated with their clients via Skype, ICQ and other channels.
The criminals don’t stop at offering phishing kits. For sums of up to $800, they also provide the infrastructure to host these illicit websites. BulletProofLink is just one of many similar services, but it’s one of the larger ones. Microsoft also published the indicators of compromise for multiple domains.