Malaysian Police Disrupt ‘The Phisherman’ | Intel 471


Nov 09, 2023
Background

In collaboration with Australia and the U.S., Malaysian police have disrupted a massive phishing-as-a-service (PhaaS) operation called BulletProftLink. This threat actor group has been a supplier of phishing services and stolen login credentials to different tiers of other cybercriminals and presented a growing threat to consumers and companies.

BulletProftLink was the focus of The Phisherman – episode 1 of Intel 471's Cybercrime Exposed podcast – which we published in early October 2023. This phishing service was an important topic for several reasons. First, it was a supplier serving thousands of threat actors and facilitating account takeover (ATO) at scale. Second, it showed glaring operational security (OPSEC) errors that revealed possible real-life identities of threat actors. Third, security researchers at several companies and law enforcement had been tracking it for years as the operation rolled on unimpeded.

That status quo changed Nov. 8, 2023, with an announcement by Royal Malaysian Police. Royal Malaysian Police Inspector General Tan Sri Razarudin Husain said eight people between the ages of 29 and 56 were arrested, including a key 36-year-old male. Police seized servers, computers, jewelry and vehicles. They also confiscated cryptocurrency wallets containing about 1 million Malaysian ringgit (about US $213,000). Australian Federal Police and the U.S. FBI assisted Malaysian police.

[Image: Royal Malaysian Police posted a video of a press conference on TikTok on Nov. 8, 2023, describing a policing operation that dismantled a phishing syndicate.]

BulletProftLink was a long-running and popular service. It offered phishing kits, scam page templates, phishing email templates, hosting and automated services based on single payment or subscription business models. The service appealed to those seeking to buy stolen accounts to perpetrate various types of fraud and attacks. This kind of credential theft and sale – known as initial access brokering – is at the start of much cybercriminal activity.

BulletProftLink is associated with the threat actor AnthraxBP, who also went by the online nicknames TheGreenMY and AnthraxLinkers. The actor maintained an active website advertising phishing services, had an extensive underground footprint and operated on a number of clear web underground forums and Telegram channels using multiple handles.

Although Royal Malaysian Police have not released the names of those arrested, the real-world identity of AnthraxBP is no secret to cyber threat intelligence professionals. The lack of operational security by AnthraxBP allowed us, as well as other cybersecurity vendors, to uncover AnthraxBP's real name, date of birth, residence addresses and family photos on social media sites.

BulletProftLink developers showed operational security lapses as well, posting code related to the phishing operation publicly on GitHub. Disgruntled customers compromised operational security too, posting screenshots that revealed bitcoin addresses used for payments. AnthraxBP also left invoices sent to customers accessible on the internet without authentication; these documents contain transaction IDs, amounts paid for services and even customer details. One of BulletProftLink's customers was identified as being just 15 years old. BulletProftLink's services were also advertised openly on mainstream sites, including tutorials posted on YouTube and Vimeo.

Phishing Shop: What’s for Sale

Statistics show that the BulletProftLink shop appeared to have more than 8,138 active clients and 327 phishing page templates as of April 2023.

[Image: Screenshot of dashboard statistics on the BulletProftLink website showing the number of active website users as of April 21, 2023.]

The phishing templates offered for sale included login pages for Microsoft Office, DHL, the South Korea-based online platform Naver and financial institutions including American Express, Bank of America, Consumer Credit Union and Royal Bank of Canada.

There are several variations of BulletProftLink’s managed phishing service. One is a kind of grab bag. For $2,000 a month, subscribers regularly received batches of credential logs, which are sets of usernames and passwords. At that price point, customers don’t get to pick the organization that is targeted with a phishing campaign. It’s random based on the spamming and phishing campaigns that BulletProftLink runs. There’s another option. Customers can supply their own “leads,” or email addresses to be spammed and phished, but that service costs more. Customers can also just buy the phishing page and do the spam campaigns themselves to save money.

As an example of how this works, let’s say a threat actor customer has purchased a phishing page from BulletProftLink and is doing the phishing themselves. A spammed victim arrives on a landing page that appears to belong to a legitimate service, such as Office 365 or Dropbox. The victim enters their credentials, and then nothing happens. The landing page takes them to another page where they have to enter their credentials again. At that point, the credentials are collected by a credential processor and then usually emailed to the customer or fed to a web portal for collection by the customer.

[Image: Screenshot of phishing page templates available for purchase on the BulletProftLink website as of April 21, 2023.]

BulletProftLink also recently leveled up. It added the Evilginx2 source code to its inventory. Evilginx2 is a proof-of-concept (PoC) security project that is now being used for adversary-in-the-middle (AITM) phishing attacks. It can capture not only login credentials but also session tokens. This type of phishing is particularly dangerous for enterprises, as the capture of session tokens or cookies allows adversaries to bypass multifactor authentication (MFA) prompts. There were also indications that this threat actor group was becoming interested in ransomware.

All of this activity did not go unnoticed over the past five years. Email security vendors saw that some of the phishing lures and landing pages were increasingly being hosted on Google’s Cloud Storage or Microsoft’s Azure Storage. Vendors and organizations including Netskope, Iran’s Computer Emergency Response Team in Farsi and Check Point touched upon this tactic, technique and procedure (TTP). In September 2021, Microsoft wrote in a blog post that it detected that 300,000 subdomains were used in a single phishing run involving BulletProofLink, an alias for BulletProftLink. This marked an extraordinary scale for a phishing campaign. Microsoft pinned BulletProftLink as “responsible for many of the phishing campaigns that impact enterprises today.”
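The lure-hosting TTP described above (phishing pages served from Google Cloud Storage or Azure Storage) is something a defender can triage in URL-click or mail-gateway logs. The following is an added example, not code from Intel 471 or any vendor named here: it flags URLs that point at login-style static pages on public cloud object-storage endpoints; the log format, recipients and bucket names are constructed, while the hostname patterns and the brand keywords come from the template families the page lists.

```python
# Flag e-mail URLs pointing at login-style pages on public cloud object storage,
# the lure-hosting TTP described above. Log lines and bucket names are constructed.
import re
from typing import Optional
from urllib.parse import urlparse

# Public cloud object-storage / static-website endpoints (real hostname patterns).
STORAGE_HOST_PATTERNS = [
    re.compile(r"(^|\.)storage\.googleapis\.com$"),
    re.compile(r"\.blob\.core\.windows\.net$"),
    re.compile(r"\.web\.core\.windows\.net$"),
]
# Brand and login words matching the template families the page lists.
BRAND_WORDS = ("office", "microsoft", "dropbox", "dhl", "naver", "login", "signin")

def is_storage_host(host: str) -> bool:
    return any(p.search(host.lower().rstrip(".")) for p in STORAGE_HOST_PATTERNS)

def classify_url(url: str) -> Optional[dict]:
    """Return a finding for a login-style page on cloud storage, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not is_storage_host(host):
        return None
    path, query = parsed.path.lower(), parsed.query.lower()
    reasons = []
    if path.endswith((".html", ".htm")):
        reasons.append("static html object")  # lures are static pages feeding a remote credential processor
    hits = [w for w in BRAND_WORDS if w in path or w in query]
    if hits:
        reasons.append("brand/login keywords: " + ",".join(hits))
    return {"url": url, "host": host, "reasons": reasons} if reasons else None

def scan_log(lines: list) -> list:
    """Scan constructed 'timestamp recipient url' click-log lines; return findings."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and (finding := classify_url(parts[2])):
            finding["recipient"] = parts[1]
            findings.append(finding)
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2023-04-21T09:14:02Z alice@example.test https://storage.googleapis.com/office-docs-verify/index.html",
    "2023-04-21T09:15:10Z bob@example.test https://contoso-files.blob.core.windows.net/$web/login.html",
    "2023-04-21T09:16:33Z carol@example.test https://www.example.test/newsletter",
    "2023-04-21T09:17:01Z dave@example.test https://storage.googleapis.com/team-assets/report.pdf",
]
```

Legitimate documents on the same endpoints (the PDF in the sample) are not flagged, so the output is a triage queue for a blocklist or sandbox check rather than an automatic block.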

Conclusion

The internet is the new frontier of crime. Cybercrime is proving to be a continuing, costly threat. Low-level actors pose threats to consumers through fraud, credit card theft and scams. Businesses from small to large face risks from professional cybercriminal gangs, whose attacks can pose existential challenges that can impact economies. PhaaS schemes like BulletProftLink provide the fuel for further attacks. Stolen login credentials are one of the primary ways that malicious hackers gain access to organizations. Law enforcement actions like this one conducted by the Royal Malaysian Police should be applauded, as it takes one more cybercrime-as-a-service player out of commission.