Microsoft discovered a Phishing-as-a-Service (PhaaS) operation that is responsible for a large number of phishing attacks against corporations. The PhaaS model has further lowered the barrier to entry for high-quality phishing attacks.
The operation is named BulletProofLink (or Anthrax) and its services include selling phishing email templates and kits under a monthly subscription or single-payment business model. Apart from this, the group also offers credential theft, hosting services, and email delivery services. Furthermore, Anthrax claims to offer Fully Undetected (FUD) links. The service was discovered after Microsoft stumbled upon a campaign that used 300,000 newly created, unique subdomains in a single run.
Cause of concern
These businesses are a cause of headaches as they provide multiple templates (120, as of now) that mimic the login pages of popular websites. They also enable anyone with money to take the quick road to extortion or theft. The PhaaS business model, moreover, can enable double theft, wherein the service operator steals the credentials captured by its customers' campaigns and sells them on to others.
Infinite subdomain abuse
This technique enables the attackers to allocate a unique URL to every phishing recipient by leveraging a single domain that was either bought before the attack or compromised.
The tactic has gained immense traction as it reduces the effort required in a phishing campaign while increasing the number of unique domains that can be deployed at any time.
In addition to the above, this is another cause of concern because unique URLs pose serious challenges for detection and mitigation processes that rely primarily on exact URL matching.
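To make the detection problem concrete, here is an added example (not code from the article or from Microsoft) that contrasts the exact-match blocking the text describes with a detection that collapses hostnames to their registrable domain and counts subdomain fan-out. The URLs, hostnames and the block list entry are constructed placeholders; the two-label suffix rule is an assumption, and a production version would use the Public Suffix List instead.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of URLs as they might appear in a proxy or mail-gateway log.
# The domain names are invented placeholders, not indicators from the article.
SAMPLE_URLS = [
    "https://a1b2c3.login-portal.example/verify",
    "https://d4e5f6.login-portal.example/verify",
    "https://g7h8i9.login-portal.example/verify",
    "https://j0k1l2.login-portal.example/verify",
    "https://www.legit-corp.example/home",
    "https://mail.legit-corp.example/inbox",
    "https://www.legit-corp.example/home",
]

# Exact-match block list, the style of control the text says per-recipient URLs defeat.
# Only the first recipient's URL was ever reported, so only that one is listed.
BLOCKLIST = {"https://a1b2c3.login-portal.example/verify"}


def exact_match(url, blocklist=BLOCKLIST):
    """Return True only when the full URL is already on the block list."""
    return url in blocklist


def exact_match_coverage(urls, blocklist=BLOCKLIST):
    """How many of the observed URLs an exact-match list would have caught."""
    return sum(1 for u in urls if exact_match(u, blocklist))


def registrable_domain(host):
    """Collapse a hostname to its last two labels (an eTLD+1 approximation).

    Assumption: a single-label public suffix. Real deployments should consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_fanout(urls):
    """Count distinct hostnames observed under each registrable domain."""
    seen = defaultdict(set)
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            seen[registrable_domain(host)].add(host)
    return {domain: len(hosts) for domain, hosts in seen.items()}


def flag_mass_subdomains(urls, threshold=3):
    """Registrable domains whose subdomain count reaches the threshold.

    A parent domain spawning many never-before-seen subdomains in a short window is
    the signature of the per-recipient URL tactic; blocking at this level catches
    every recipient's link, not just the one that was reported.
    """
    fanout = subdomain_fanout(urls)
    return sorted(d for d, n in fanout.items() if n >= threshold)


if __name__ == "__main__":
    print("exact-match catches:", exact_match_coverage(SAMPLE_URLS), "of", len(SAMPLE_URLS))
    print("subdomain fan-out:", subdomain_fanout(SAMPLE_URLS))
    print("flagged domains:", flag_mass_subdomains(SAMPLE_URLS))
```

In the constructed sample the exact-match list stops one of the four phishing links, while the fan-out check flags the parent domain that all four share and leaves the ordinary corporate domain (two hostnames) alone. The threshold is a tuning knob: set it against the normal subdomain count of your own environment's most-visited domains.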
The bottom line
BulletProofLink is conducting active phishing campaigns. This calls for organizations to employ anti-phishing policies, as recommended by Microsoft. Remember that PhaaS is fully capable of becoming a stepping stone for any ransomware gang, since attackers can use the credentials it harvests to gain a foothold and deploy ransomware on compromised networks.