Microsoft exposes BulletProofLink 'phishing as a service' criminal enterprise

The sophisticated outfit handles everything from template design to web hosting and credentials processing

Microsoft has revealed the inner workings of a highly sophisticated phishing as a service (PhaaS) criminal enterprise that hosts and distributes tools and services for use in a customer's phishing campaigns.

BulletProofLink follows the legitimate software as a service (SaaS) business subscription model but engages in the end-to-end development and distribution of tools to run phishing campaigns, according to Microsoft. The services are said to include tools for creating false sign-in pages, web hosting, and credential redistribution.

While standard phishing kits offer email templates and site templates for a one-off payment, PhaaS is a subscription-based model that offers these services as a baseline. Customers can pay for a host of additional services in a modular way, including email delivery, site hosting, credential theft, and services that redistribute those stolen credentials to customers automatically.

BulletProofLink’s clients use these services to harvest user credentials, rather than to distribute malware or ransomware strains. The operators also keep a copy of the credentials all customers steal through their campaigns, which they resell at a later stage.

“It’s worth noting that some PhaaS groups may offer the whole deal - from template creation, hosting, and overall orchestration, making it an enticing business model for their clientele,” said the Microsoft 365 Defender threat intelligence team.

“These phishing service providers host the links and pages and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware operations, attackers do not gain access to devices directly and instead simply receive untested stolen credentials.”

Microsoft researchers dug deep into the templates, services, and pricing structures offered by BulletProofLink operators, which appear to have been active since 2018. The operators also maintain multiple sites under several aliases including BulletPoftLink and Anthrax, alongside YouTube and Vimeo pages with instructional adverts, as well as promotional content hosted on external forums.

Screenshot of a welcome message on the BulletProofLinks site

Microsoft 365 Defender Threat Intelligence Team

The operation attempts to mimic the behaviour of legitimate businesses, including registration and sign-in pages and an online store, the latter of which can be used by other hackers to advertise their own services for a monthly subscription fee. The group even boasts of a 10% welcome discount for customers who subscribe to BulletProofLink’s newsletter.

As a core component of the business, the operators offer more than 100 templates, with clients free to control other elements of the phishing operation themselves or use the full suite of BulletProofLink’s services. For example, they might only buy the template and manage the flow of password collection independently by registering their own landing pages, or they can let BulletProofLink handle everything.

The monthly services offered vary in price from $50 to $800, with most fees paid using Bitcoin. The operators also provide customer support services for all new and existing clients.

Purchase page for a DocuSign template from the BulletProofLinks site

Microsoft 365 Defender Threat Intelligence Team

This operation echoes the ransomware as a service (RaaS) phenomenon, which features many of the same structures and processes as a legitimate software company. This is also true for the way the organisation monetises data, according to Microsoft.

The standard practice with ransomware attacks involves cyber criminals exfiltrating data and threatening to post it publicly while also encrypting devices locally and demanding ransom, as a means of ‘double extortion’.

PhaaS operations follow a similar workflow in terms of stolen credentials, with BulletProofLink maintaining a log of all information stolen as part of phishing campaigns. On top of the subscription fees they receive, they resell these credentials to other organisations at a later stage for an additional sum, with victims being exposed twice.
