Microsoft exposes BulletProofLink 'phishing as a service' criminal enterprise

The sophisticated outfit handles everything from template design to web hosting and credentials processing

Microsoft has revealed the inner workings of a highly sophisticated phishing as a service (PhaaS) criminal enterprise that hosts and distributes tools and services for use in a customer's phishing campaigns.

BulletProofLink follows the legitimate software as a service (SaaS) business subscription model but engages in the end-to-end development and distribution of tools to run phishing campaigns, according to Microsoft. The services are said to include tools for creating false sign-in pages, web hosting, and credential redistribution.

While standard phishing kits offer email templates and site templates for a one-off payment, PhaaS is a subscription-based model that offers these services as a baseline. Customers can pay for a host of additional services in a modular way, including email delivery, site hosting, credential theft, and services that redistribute those stolen credentials to customers automatically.

BulletProofLink’s clients use these services to harvest user credentials, rather than to distribute malware or ransomware strains. The operators also keep a copy of the credentials all customers steal through their campaigns, which they resell at a later stage.

“It’s worth noting that some PhaaS groups may offer the whole deal - from template creation, hosting, and overall orchestration, making it an enticing business model for their clientele,” said the Microsoft 365 Defender threat intelligence team.

“These phishing service providers host the links and pages and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware operations, attackers do not gain access to devices directly and instead simply receive untested stolen credentials.”

Microsoft researchers dug deep into the templates, services, and pricing structures offered by BulletProofLink operators, which appear to have been active since 2018. The operators also maintain multiple sites under several aliases, including BulletProftLink and Anthrax, alongside YouTube and Vimeo pages with instructional adverts, as well as promotional content hosted on external forums.

Screenshot of a welcome message on the BulletProofLink site

The operation attempts to mimic the behaviour of legitimate businesses, including registration and sign-in pages and an online store, the latter of which can be used by other hackers to advertise their own services for a monthly subscription fee. The group even boasts of a 10% welcome discount for customers who subscribe to BulletProofLink’s newsletter.

As a core component of the business, the operators offer more than 100 templates, with clients free to control other elements of the phishing operation themselves or use the full suite of BulletProofLink’s services. For example, they might only buy the template and manage the flow of password collection independently by registering their own landing pages, or they can let BulletProofLink handle everything.

The monthly services vary in price from $50 to $800, with most fees paid using Bitcoin. The operators also provide customer support services for all new and existing clients.

Purchase page for a DocuSign template from the BulletProofLink site

This operation echoes the ransomware as a service (RaaS) phenomenon, which features many of the same structures and processes of a legitimate software company. This is also true for the way the organisation monetises data, according to Microsoft.

The standard practice with ransomware attacks involves cyber criminals exfiltrating data and threatening to post it publicly while also encrypting devices locally and demanding ransom, as a means of ‘double extortion’.

PhaaS operations follow a similar workflow in terms of stolen credentials, with BulletProofLink maintaining a log of all information stolen as part of phishing campaigns. On top of the subscription fees they receive, they resell these credentials to other organisations at a later stage for an additional sum, with victims being exposed twice.
