“It’s worth noting that some PhaaS groups may offer the whole deal – from template creation, hosting, and overall orchestration, making it an enticing business model for their clientele,” says the Microsoft 365 Defender Threat Intelligence Team. The breadth of services offered is the primary differentiator between kits and the subscription model. “At the time of this report, BulletProofLink continues to operate active phishing campaigns, with large volumes of redirections to their password-processing links from legitimate web hosting providers. In the next section, we describe one such campaign,” Microsoft says.

BulletProofLink has been operating since 2018 under various names, including BulletProftLink and Anthrax, and maintains instructional sites on YouTube and Vimeo, Microsoft says.
The gang operates much like a legitimate business, offering chat support and even a 10% discount for new customers. “BulletProofLink additionally hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions,” Microsoft says.

BulletProofLink offers clients a choice of more than 100 email templates that sport well-known logos and brands for social engineering purposes, according to Microsoft. It says “clients” buy the pages, ship the emails and are in charge of collecting the stolen credentials, using either their landing pages or those provided by BulletProofLink. “The templates are designed to evade detection while successfully phishing for credentials, but may vary based on the individual purchasing party,” Microsoft says.

The PhaaS provider makes sure each campaign has a different appearance but, Microsoft notes, the code, PHP password-processing sites and the hosting infrastructure all correlate back to BulletProofLink. BulletProofLink offers a menu of services, all with a corresponding fee, and a monthly service subscription can cost $800, Microsoft says. Other services cost about $50 for a one-time hosting link, it adds.

Microsoft was able to dive deeply into BulletProofLink after it stumbled across a campaign while investigating a phishing attack.

The campaign Microsoft studied was notable, the company says, because it used more than 300,000 subdomains, a key indicator that a BulletProofLink phishing kit was in use. “An interesting aspect of the campaign that drew our attention was its use of a technique we call ‘infinite subdomain abuse,’ which happens when attackers compromise a website’s DNS or when a compromised site is configured with a DNS that allows wildcard subdomains,” Microsoft says.

“‘Infinite subdomains’ allow attackers to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end.”
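
For defenders, the "unique URL for each recipient" pattern shows up in mail-gateway or proxy logs as one domain with many distinct hostnames, each seen by about one recipient. The sketch below is an added example, not code from Microsoft or from the article's author; the sample events, domain names, function names and thresholds are all constructed or hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def build_sample_events():
    """Constructed (recipient, url) pairs standing in for mail-gateway URL logs."""
    users = [f"user{i}@corp.example" for i in range(8)]
    events = []
    # One unique host per recipient under a single domain: the pattern of interest.
    for i, user in enumerate(users):
        events.append((user, f"https://x{i:04x}q7.compromised-site.example/login.php"))
    # Benign contrast: six subdomains of a SaaS domain, each shared by several users.
    for sub in ("api", "img", "static", "docs", "mail", "auth"):
        for user in users[:4]:
            events.append((user, f"https://{sub}.shared-saas.example/"))
    return events

def registrable_domain(host):
    # Assumption: the last two labels are the registrable domain. Production code
    # should consult the Public Suffix List instead (e.g. for co.uk names).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def flag_infinite_subdomains(events, min_hosts=5, max_recipients_per_host=1.5):
    """Return {domain: (distinct_hosts, avg_recipients_per_host)} for domains
    with many distinct hosts that are each seen by roughly one recipient.
    Both thresholds are hypothetical and need tuning against real traffic."""
    seen = defaultdict(lambda: defaultdict(set))  # domain -> host -> recipients
    for recipient, url in events:
        host = urlsplit(url).hostname
        if host:
            seen[registrable_domain(host)][host].add(recipient)
    flagged = {}
    for domain, hosts in seen.items():
        avg = sum(len(r) for r in hosts.values()) / len(hosts)
        if len(hosts) >= min_hosts and avg <= max_recipients_per_host:
            flagged[domain] = (len(hosts), avg)
    return flagged

if __name__ == "__main__":
    for domain, (n, avg) in flag_infinite_subdomains(build_sample_events()).items():
        print(f"{domain}: {n} distinct hosts, {avg:.1f} recipients per host")
```

The recipients-per-host ratio is what separates this pattern from ordinary multi-subdomain services, whose hostnames are shared by many users.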

