Breach Blog

Published: 16 Nov 2023

BulletProofLink Takedown: Unveiling the Dark Web's Phishing Underbelly

In a major win against cybercrime, Malaysian law enforcement, in collaboration with the Australian Federal Police and the FBI, successfully dismantled the notorious phishing-as-a-service (PhaaS) operation known as BulletProofLink on November 6, 2023. The operation resulted in the arrest of eight individuals, including the syndicate's mastermind, and the seizure of servers, computers, jewelry, vehicles, and cryptocurrency wallets containing approximately $213,000.

Unveiling BulletProofLink's Phishing Empire: A Deep Dive

BulletProofLink, also known as BulletProftLink, has been operating since at least 2015, offering ready-to-use phishing templates on a subscription basis. These templates, mimicking the login pages of reputable services such as American Express, Bank of America, DHL, Microsoft, and Naver, were a favorite among cybercriminals conducting credential harvesting campaigns.

The phishing-as-a-service model adopted by BulletProofLink allowed threat actors, including AnthraxBP and TheGreenMY, to subscribe to its services, resulting in an estimated 8,138 active clients and 327 phishing page templates as of April 2023.

Double Theft Tactics and Advanced Techniques

BulletProofLink's actors were known for employing a double theft strategy: stolen credentials were sent both to the paying customer and to the service's own core developers, giving the operators multiple monetization avenues. Additionally, the integration of the Evilginx2 phishing kit facilitated adversary-in-the-middle (AiTM) attacks, enabling the theft of session cookies and the bypass of multi-factor authentication.

However, the cyber threat landscape is dynamic, with actors constantly evolving their tactics. Recent developments reveal AiTM attacks are now utilizing intermediary links hosted on file-sharing solutions like DRACOON. This sophisticated approach bypasses traditional email security measures, as the initial link appears legitimate and the victim interacts with the hosted document within the browser.

Fueling Further Attacks: The Role of PhaaS

The BulletProofLink takedown highlights the critical role PhaaS operations play in cybercrime. Stolen login credentials remain a primary means for malicious hackers to gain unauthorized access to organizations, underscoring the urgency for robust cybersecurity measures.

Looking Ahead: The Fight Against Cybercrime Continues

While this victory against BulletProofLink is commendable, it serves as a reminder that cyber threats persist and adapt. Law enforcement agencies globally must remain vigilant, and organizations need to bolster their cybersecurity postures to stay one step ahead of evolving cybercriminal tactics.

In a landscape where the dark web's underbelly is constantly shifting, collaborative efforts, technological advancements, and heightened cybersecurity awareness are crucial in the ongoing battle against cybercrime. The BulletProofLink takedown marks a significant stride, but the journey to a more secure digital environment continues.