Less than a month ago, Microsoft exposed a well-organized operation that provides a one-of-a-kind, DIY phishing-as-a-service (PhaaS) product to malicious actors. This product includes phishing kits, hosting services, and templates to create and develop customized phishing campaigns. This ‘BulletProofLink’ (also referred to as BulletProftLink) operation was first discovered in 2020, yet it continues today.

Microsoft discovered this highly criminal operation during an investigation on phishing campaigns. Malicious actors have hit gold with this product as it makes phishing campaigns lucrative and easy to launch. BulletProofLink has been active since 2018.

The below graph shows phishing activity in 2020. It indicates that phishing sites doubled during the year. It also depicts the rising trend of phishing sites, which is proportional to phishing attempts. This trend is alarming, as phishing attacks become easier to launch and widespread with such dedicated organizations for cybercrime.

phishing definition

(Source: APWG)


What is Phishing-as-a-Service, and Why Should It Be Alarming For Cybersecurity?

Carrying out cyberattacks requires technical expertise and knowledge. Threat actors develop their attack from scratch – coding to hosting to selling the compromised data. The development of a cyberattack is a challenging and laborious one that includes:

  1. Designing the attack: This step would include identifying the targets, deciding on the spoofing and phishing details, and figuring out further possibilities with the compromised data.
  2. Designing the phishing email: This step would include preparing the email along with malicious attachments or links. It would also involve hosting servers.
  3. Designing the spoof website: As phishing would require the victim to reveal information, spoofing would often be used to create a fake website to lure the victim into revealing sensitive information.
  4. Launching the attack and collecting data: The final step would be collecting data and either compromise an organization’s digital assets or sell the data to other malicious actors.

However, PhaaS eliminated the above steps to make life easier for their consumers, i.e., adversaries, opening doors to a world of large-scale disruption.


How Does Phishing-as-a-Service Work?

Phishing-as-a-service (PhaaS) includes a range of products from single toolkits to orchestrated campaigns. Full-fledged campaigns are used for a fully developed PhaaS attack. The recently reported phishing services organization offers PhaaS as a subscription model rather than a one-time payment product.

Malicious actors can quickly launch phishing campaigns when the required tools and assistance are readily available from the PhaaS organization. These tools, designed to escape detection, have higher success rates. Most phishing kits contain at least one evasive phishing technique.

These PhaaS offerings include evasion measures, such as:

  • SSL certificates: Most phishing sites use digital certificates to prove authenticity and go undetected.
  • Content encryption: Content is encrypted, thus making it readable only to people with a decryption key.
  • Content injection: Security vulnerabilities of a legitimate website are exploited to modify its actual content.
  • HTML encoding: HTML encoding prevents security crawlers from detecting the keywords usually found on malicious sites.
  • Inspection blocking: Inspection blocking prevents security systems, bots, analysts, and security crawlers from searching for phishing sites.
  • Cloud hosting: It is a tactic to present phishing sites as legitimate domains by hosting them on reputed cloud services like cloudways.
  • URLs in attachments: It’s a common evasive practice of including URLs in the attachment rather than the email body.

With every successful phishing campaign, more products are sold. The threat actors find suitable targets, design the campaign, and launch the PhaaS model efficiently.


Cyberthreat That Cannot Be Stopped

Microsoft detected and exposed the BulletProofLink PhaaS operation owing to the high activity of the malicious organization. It also reported that it used over 300,000 unique subdomains in a single run. The high number of subdomains enables threat actors to send separate links to each victim, rendering email security services unable to intercept such scams.

Even as Microsoft unearthed this operation, BulletProofLink is unaffected and continues to operate to date. The fact that it is unaffected explains the indestructible and solid criminal infrastructure. Even if one detects their presence and understands how such organizations work, it is difficult to disrupt their activities. On the other hand, it is easy for malicious actors to carry out phishing attacks without any experience through phishing-as-a-service platforms.


What Can Organizations Do to Combat Such Types of Phishing Attacks

Threat actors constantly use phishing emails to steal sensitive information. Businesses are a prime target of theirs. Therefore, enterprises and organizations should incorporate robust anti-phishing solutions and anti-ransomware solutions. Here are some critical points that organizations should consider to avoid falling victim to phishing attacks.

  • Do not revert to emails requesting personal information: Phishing emails generally include subjects that create a sense of urgency. Individuals should never fall for such tricks and respond to such emails, even if it seems authentic. Such prudent practices will help email phishing protection.
  • Avoid clicking on links in suspicious emails: Phishing emails also include URLs that direct the recipient to a page to enter personal or confidential information. These pages are designed to look legitimate and trustworthy. However, the recipient should entirely refrain from clicking on such links for email phishing protection.
  • Protect information assets and networks: Organizations and administrators should use adequate anti-spyware and firewall protection to thwart phishing attacks. They should use anti-malware and heuristics to create multiple security layers.
  • Train employees: Employee training is one of the best phishing protection mechanisms and perhaps the most underrated. Regular employee training and awareness drives help organizations protect their system from within.


Final Words

A study reports that the number of unique phishing sites quadrupled in Q3 of 2020, compared to the previous quarter. With such a high growth rate of phishing sites, proper detection and prevention mechanisms are paramount for email phishing protection. PhaaS has demonstrated that phishing activities today are carried out effortlessly, and hence, the number of organizations falling prey to such attacks will rise. Businesses should educate themselves and their employees about the latest cybersecurity risks lurking in cyberspace and deploy the best email protection practices to mitigate those risks.