UPDATED 22:24 EDT / SEPTEMBER 22 2021

SECURITY

Microsoft Security details extensive ‘phishing-as-a-service’ operation

Microsoft Corp. Tuesday detailed an extensive phishing-as-a-service operation that provides various services to those wishing to undertake phishing campaigns that fool people into responding to fraudulent emails with personal information.

Called BulletProofLink, the operation sells phishing kits, email templates, hosting and automated services at what’s described as a relatively low cost. The service offers over 100 phishing templates that mimic known brands, including Microsoft, and provides a service that’s nearly effortless to use.

According to Microsoft Security, the operation is responsible for many of the phishing campaigns that impact enterprises today and is used by multiple attack groups in either one-off or monthly subscription-based business models. The campaigns provide a steady revenue stream for its operators.

The price range of BulletProofLink services vary. Although some services, such as a onetime hosting link, cost as little as $50, those seeking the full range of services on a subscription basis pay $800 a month. Customers interact with the group through various methods, including Skype, ICQ, forums and chatrooms. Like a legitimate software business, the group also provides customer support services for new and existing customers.

The hosting service provided by BulletProofLink includes a weekly log shipment to purchasing parties, usually sent via ICQ or email. Credentials are received on a template page, then sent to password-processing sites owned by the operator.

One interesting aspect of the campaign is described as a technique called “infinite domain abuse.” The group compromises a website’s domain name server to create “infinite subdomains” that allow an attacker to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end.

“Email phishing and related cybercrime is far more complex than many people give it credit for, as is made obvious by this look into the seedy world of ‘as-a-service’ offerings, such as phishing-as-a-service and ransomware-as-a service,” Erich Kron, security awareness advocate at security training company KnowBe4 Inc., told SiliconANGLE. “These services are generally low-cost and often employ profit-sharing schemes that allow bad actors to get into the cybercrime game at little or no upfront cost.”

Kron added that these vendors often provide tools and information, even training, to help their affiliates improve their success rates and to boost their own profits. “It is critical that organizations take email phishing seriously in order to defend against these complex and well-organized cybercrime gangs,” he said.

Image: BulletProofLink/Microsoft

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU