Microsoft security hunts down phishing-as-a-service schemes

Phishing attack kits are around the corner


Phishing and social engineering attacks are already a headache. As the most successful delivery method for injecting malware and ransomware, hackers readily use phishing tactics for their operations. Unfortunately, threat actors are stepping up their game with the use of PaaS, or “phishing as a service” kits.

In cybersecurity, we have observed a sharp rise in how accessible malware delivery has become. Ransomware kits and RaaS models are available on the dark web and are easier to implement. Now, even those with only basic knowledge of malware implementation can put malware to use. The same philosophy goes for these PaaS kits and service models.

The phishing campaign

Microsoft’s security team conducted a massive investigation into an alarming phishing campaign. A cyber-attack campaign is typically defined as a group of threat actors going after various targets over a long period, using different hacking techniques (like social engineering).

What caught their attention was the sheer saturation of the phishing attack (300,000 in total) which unveiled a PaaS model.

The “service” is known as BulletProofLink, which works like a “jack of all trades” vendor for social engineering attacks. Essentially, the team discovered the threat party hosted hundreds of different phishing templates. If you’re unfamiliar, phishing and social engineering campaigns send fraudulent emails that mimic trusted brands. For example, you receive an “account alert” from your bank, which may prompt you to click on malicious links and give away personal info.

BPL also goes by “Anthrax” in its promotional material. Like a legitimate service or program you can purchase from a vendor, the “organization” has promotional material and even offers subscriptions for its patrons.

Most of the data was gathered from Microsoft Defender and Microsoft’s security protocols. What it reveals, though, is a troubling future.

Differences between phishing and PaaS

Understanding the traits and characteristics of “phishing services” makes it easier to identify their tactics. Doing so improves the chances of defending against them.

Phishing originally required threat actors to build templates for their social engineering schemes. Assets involved in these campaigns are media relating to official brands, contacts, and information to compromise trust and deceive recipients. Now, the PaaS economy has expanded these concepts into a full-fledged market.

Now, malicious actors can purchase template models, infrastructure, and resources from dark web vendors. It expedites their ability to launch phishing campaigns and rapidly target potential victims. From this economy of threat actors, two separate ventures are present:

Phishing Kits: Individual one-time sales. These are archived documents containing email templates for launching phishing attacks towards a specific business, complete with evasion techniques and obfuscation media. These templates can also be modified as needed.

Phishing as a Service: “As a service” should sound familiar. It’s a common business model for different companies, like SaaS (software as a service). In a malicious context, things like RaaS exist (ransomware as a service).

In this instance, malicious parties pay a vendor a fee (again, like a subscription model), and said vendor prepares phishing resources for them. Templates and media are supplied, along with content to target specific organizations. This streamlines the phishing process, making it easier for threat actors to deliver their attacks and respective payloads.

These phishing services can range from basic template creation to a full range of services, such as credential theft, mimicking official websites, and encrypted links or blogs.

BulletProofLink goes as far as to offer discounts to new users:

Screenshot of 10% discount offered to those who will sign up for newsletter
Credit to Microsoft Security.

Emulation of legitimate services

It’s a streamlined operation in the most morbid of ways. Aside from offering a bundled version of phishing services and resources, these phishing techniques are particularly volatile because they emulate legitimate services too.

Screenshot of BulletProofLink website showing DocuSign services
Credit to Microsoft Security.

The various pages discovered by Microsoft’s security team show links and examples of the types of phishing templates available. Various media showcase “login windows” that appear to be legitimate boxes.

Phishing is an already dangerous tool for malicious actors. If PaaS continues to trend, the problem will only worsen.
