Microsoft exposes BulletProofLink 'phishing as a service' criminal enterprise

The sophisticated outfit handles everything from template design to web hosting and credentials processing

Microsoft has revealed the inner workings of a highly sophisticated phishing as a service (PhaaS) criminal enterprise that hosts and distributes tools and services for use in a customer's phishing campaigns.

BulletProofLink follows the legitimate software as a service (SaaS) business subscription model but engages in the end-to-end development and distribution of tools to run phishing campaigns, according to Microsoft. The services are said to include tools for creating false sign-in pages, web hosting, and credential redistribution.

While standard phishing kits offer email templates and site templates for a one-off payment, PhaaS is a subscription-based model that offers these services as a baseline. Customers can pay for a host of additional services in a modular way, including email delivery, site hosting, credential theft, and services that redistribute those stolen credentials to customers automatically.

BulletProofLink’s clients engage in these services to harvest user credentials, rather than to distribute malware or ransomware strains. The operators also keep a copy of the credentials all customers steal through their campaigns, which they resell at a later stage.

“It’s worth noting that some PhaaS groups may offer the whole deal - from template creation, hosting, and overall orchestration, making it an enticing business model for their clientele,” said the Microsoft 365 Defender threat intelligence team.

“These phishing service providers host the links and pages and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware operations, attackers do not gain access to devices directly and instead simply receive untested stolen credentials.”

Microsoft researchers dug deep into the templates, services, and pricing structures offered by BulletProofLink operators, which appear to have been active since 2018. They also maintain multiple sites under several aliases including BulletPoftLink and Anthrax, alongside YouTube and Vimeo pages with instructional adverts, as well as promotional content hosted on external forums.

Screenshot of a welcome message on the BulletProofLinks site

Microsoft 365 Defender Threat Intelligence Team

The operation attempts to mimic the behaviour of legitimate businesses, including registration and sign-in pages and an online store, the latter of which can be used by other hackers to advertise their own services for a monthly subscription fee. The group even boasts of a 10% welcome discount for customers who subscribe to BulletProofLink’s newsletter.

Related Resource

The business guide to ransomware

Everything you need to know to keep your company afloat

The business guide to ransomware - whitepaper from DattoFree download

As a core component of the business, the operators offer more than 100 templates, with clients free to control other elements of the phishing operation themselves or use the full suite of BulletProofLinks services. For example, they might only buy the template and manage the flow of password collection independently by registering their own landing pages, or they can let BulletProofLink handle everything.

The monthly services offered vary in price from $50 dollars to $800 dollars, with most fees paid using Bitcoin. The operators also provide customer support services for all new and existing clients.

Purchase page for a DocuSign template from the BulletProofLinks site

Microsoft 365 Defender Threat Intelligence Team

This operation echoes the ransomware as a service (RaaS) phenomenon, which features many of the same structures and processes of a legitimate software company. This is also true for the way the organisation monetises data, according to Microsoft.

The standard practice with ransomware attacks involves cyber criminals exfiltrating data and threatening to post it publicly while also encrypting devices locally and demanding ransom, as a means of ‘double extortion’

PhaaS operations follow a similar workflow in terms of stolen credentials, with BulletProofLink maintaining a log of all information stolen as part of phishing campaigns. On top of the subscription fees they receive, they resell these credentials to other organisations at a later stage for an additional sum, with victims being exposed twice.

Featured Resources

The challenge of securing the remote working employee

The IT Pro Guide to Sase and successful digital transformation

Free Download

VMware Cloud workload migration tools

Cloud migration types, phases, and strategies

Free download

Practices for maximising the business value of digital infrastructure Consumption-as- a-Service subscriptions

IDC PeerScape

Free Download

Container network security guide for dummies

Enforcing Kubernetes best practices

Free download

Recommended

Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems
phishing

Attackers use CSS to fool anti-phishing systems

11 Nov 2021
X-rated phishing attacks just keep growing
phishing

X-rated phishing attacks just keep growing

4 Jun 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
Solving cyber security's diversity problem
Careers & training

Solving cyber security's diversity problem

5 Jan 2022