Microsoft discovered a Phishing-as-a-Service (PhaaS) operation that is responsible for quite a few phishing attacks against corporations. The PhaaS model has further lowered the bar for running high-quality phishing attacks.

What’s up?

The operation is named BulletProofLink (or Anthrax), and its services include selling phishing email templates and kits under a monthly subscription or single-payment business model. Apart from this, the group also offers credential theft, hosting services, and email delivery services. Furthermore, Anthrax claims to offer Fully Undetected (FUD) links. The service was discovered after Microsoft stumbled upon a campaign that used 300,000 newly created, unique subdomains in a single run.

Cause of concern

These businesses are a cause for concern because they provide multiple templates (120, as of now) that mimic the login pages of popular websites. They also enable anyone with money to take the quick road to extortion or theft. The PhaaS business model, moreover, enables double theft, wherein the service operator keeps a copy of the stolen credentials and sells them on, in addition to delivering them to the customer who paid for the campaign.

Infinite subdomain abuse

  • This technique enables the attackers to allocate a unique URL to every phishing recipient by leveraging a single domain that was either bought before the attack or compromised.
  • Infinite subdomain abuse is possible when threat actors control or have compromised a website's DNS, since every new subdomain has to resolve.
  • The tactic has gained immense traction as it reduces the effort required in a phishing campaign while increasing the number of unique domains that can be deployed at any time.
  • In addition to the above, this is a further cause for concern because unique URLs pose crucial challenges for detection and mitigation processes that rely primarily on exact URL matching.
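The detection gap described above can be seen in code. The following is an added example (not code from Microsoft's report or from Cyware): it runs an exact-match blocklist over a constructed set of logged URLs and compares that with grouping hosts by their registered domain and counting distinct subdomains, which surfaces the per-recipient subdomain pattern. The URLs, the blocklist and the threshold value are constructed assumptions, and the registered-domain helper is simplified (it takes the last two labels rather than consulting a public-suffix list).

```python
"""Compare exact URL matching with registered-domain grouping for
spotting infinite-subdomain abuse. Constructed data, no real indicators."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of URLs as they might appear in mail or proxy logs:
# four per-recipient subdomains under one lure domain, plus benign traffic.
SAMPLE_URLS = [
    "https://a1b2c3.login-verify.example/portal",
    "https://d4e5f6.login-verify.example/portal",
    "https://g7h8i9.login-verify.example/portal",
    "https://j0k1l2.login-verify.example/portal",
    "https://www.example.org/news",
    "https://mail.example.org/inbox",
]

# Constructed exact-match blocklist: it only knows the one URL that was reported.
EXACT_BLOCKLIST = {"https://a1b2c3.login-verify.example/portal"}


def registered_domain(host: str, labels: int = 2) -> str:
    """Collapse a host to its last `labels` labels (simplified: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def exact_match_hits(urls, blocklist) -> int:
    """Count how many logged URLs an exact-match blocklist would catch."""
    return sum(1 for u in urls if u in blocklist)


def subdomain_cardinality(urls):
    """Map each registered domain to the set of distinct hosts seen under it."""
    hosts = defaultdict(set)
    for u in urls:
        host = urlsplit(u).hostname  # already lower-cased by urlsplit
        if host:
            hosts[registered_domain(host)].add(host)
    return hosts


def flag_infinite_subdomain_abuse(urls, threshold: int = 3):
    """Return registered domains whose distinct-subdomain count reaches the threshold."""
    return sorted(d for d, h in subdomain_cardinality(urls).items() if len(h) >= threshold)


if __name__ == "__main__":
    print("exact-match hits:", exact_match_hits(SAMPLE_URLS, EXACT_BLOCKLIST))
    print("flagged domains:", flag_infinite_subdomain_abuse(SAMPLE_URLS))
```

The exact-match list catches one of the four lure URLs, while the cardinality check flags the whole lure domain; in production the threshold would be tuned against each organisation's baseline of legitimate multi-host domains.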

The bottom line

BulletProofLink is conducting active phishing campaigns. This calls for organizations to employ anti-phishing policies, as recommended by Microsoft. Remember that PhaaS can readily become a stepping stone for any ransomware gang, since attackers can use the harvested credentials to gain a foothold and deploy ransomware on compromised networks.

Cyware Publisher