Police take down BulletProftLink large-scale phishing provider

November 12, 2023 at 03:56AM

The Royal Malaysian Police have announced the seizure of the BulletProftLink phishing-as-a-service platform, which provided more than 300 phishing templates. The operation started in 2015 but has been more active since 2018, with thousands of subscribers. The platform offered tools and resources for carrying out phishing attacks, including customizable templates and credential harvesting. Eight individuals were arrested, and assets such as cryptocurrency wallets, servers, and computers were seized. BulletProftLink had over 8,000 active subscribers, a 403% increase since Microsoft’s report in 2021. The platform provided login pages mimicking services and institutions such as Microsoft Office and American Express, and used legitimate cloud services to evade security tools.

Key Takeaways:

1. The Royal Malaysian Police announced the seizure of the BulletProftLink phishing-as-a-service (PhaaS) platform that offered over 300 phishing templates.
2. The operation began in 2015 but became more visible and active from 2018 onward, attracting thousands of subscribers, some of whom paid for access to credential logs.
3. PhaaS platforms provide cybercriminals with resources and tools for carrying out phishing attacks, including pre-made kits and templates, page hosting, customization options, credential harvesting, and reverse proxying tools.
4. The BulletProftLink operation had been previously documented, with a cybersecurity expert linking the operator to a Malaysian national living a luxurious lifestyle.
5. In September 2021, Microsoft warned about the platform’s facilitation of high-volume phishing attacks and the large number of available templates. The service also collected stolen credentials from phishing attacks.
6. With assistance from the Australian Federal Police and the FBI, the Malaysian police dismantled the operation, arrested eight individuals (including the presumed leader), and seized assets such as cryptocurrency wallets, servers, computers, jewelry, vehicles, and payment cards.
7. The confiscated servers will allow law enforcement to identify platform users who paid a $2,000/month subscription fee for regular credential logs.
8. According to Intel471, as of April 2023, BulletProftLink had 8,138 active subscribers with access to 327 phishing page templates, reflecting a 403% increase since Microsoft’s report in 2021. The platform was highly popular in the cybercrime community.
9. The phishing resources offered by BulletProftLink included login pages for Microsoft Office, DHL, Naver (a South Korea-based online platform), as well as major financial institutions like American Express, Bank of America, Consumer Credit Union, and Royal Bank of Canada.
10. Some of the phishing pages were hosted on legitimate cloud services like Google Cloud and Microsoft Azure to evade email security tools.
11. BulletProftLink’s inventory included the Evilginx2 reverse-proxying tool, enabling adversary-in-the-middle phishing attacks that can bypass multi-factor authentication.
12. The operation provided professional cybercriminals with credentials to gain initial access to corporate systems, allowing them to conduct reconnaissance and move laterally to valuable hosts.