Why is there so much spam? Everyone will have asked themselves this question in frustration at some point. After all, the majority of email spam is relatively harmless and usually just wastes the email user’s time. However, a small part of the daily personal spam volume is particularly dangerous: phishing emails. Unfortunately, this type of spam is also increasing, not least in the wake of the pandemic-induced wave of digitization in companies and public administration. We handle more and more of our everyday affairs by e-mail, and criminals want to take advantage of that too. Microsoft has now uncovered a large-scale phishing campaign that offers interesting insights into why phishing spam is increasing.
Phishing is the term used to describe the sending of emails by criminals that look deceptively similar to legitimate emails from real companies. The emails contain links to more or less well-made fakes of the respective company’s website, which ask the victim to enter their login data – these are then promptly forwarded to the criminals. This gives the attackers access to all sorts of online accounts. This access is either used for further criminal activities or the login data is sold on.
300,000 subdomains in a very short time
In an investigation published Tuesday, Microsoft security researchers describe how they examined a phishing email campaign that quickly set up over 300,000 different subdomains to lure potential victims. The masterminds behind the fraudulent e-mails use more than 100 e-mail templates, some of which reproduce real e-mails from companies and brands in a deceptively realistic way. Microsoft uncovered a phishing-as-a-service infrastructure that its criminal operators rent out to other criminals – either for one-time use in a single mail campaign or as a monthly subscription.
The masterminds promote and sell their turnkey phishing service under the names BulletProofLink and Anthrax. According to Microsoft, the service is responsible for many of the phishing campaigns that large companies have been grappling with recently. The operators often win twice: on the one hand, they receive the usage fees from their criminal customers, and on the other hand, they often also keep a copy of the login data that was stolen. Microsoft calls this tactic, in which the victims’ online accounts are plundered twice, “Double Theft”.
Email phishing made easy
In its research, Microsoft describes an entire underground phishing industry. Criminals who want to get hold of login data for the first time, without any experience in this area, can either use a full-service offering such as BulletProofLink, which takes care of everything from sending the e-mails to setting up deceptively realistic phishing websites from matching company templates, or they can download simple phishing kits that contain only the e-mail and website templates and leave the rest of the work to the buyer.
The scene has its own marketing terms, such as “FUD”, i.e. “Fully Undetected Links”. This is intended to assure buyers of the service that the emails actually get past the victim’s spam filter and that any protective software that may be present does not block the links as malicious and thus foil the phishing attack. The whole thing is reminiscent of large ransomware groups, which have professionalized their criminal operations in a similar way.
BulletProofLink is advertised on YouTube, and the masterminds operate a convenient online store in which interested criminals can book and pay for the spam service quickly and easily. New customers get a 10 percent discount. The service is mostly paid for in Bitcoin, and a monthly subscription to full-service phishing spam costs up to $800. Individual templates including hosting of a phishing website start at $50. Customer support is usually included and takes place via chat messengers, VoIP calls and forums. Help is even available via ICQ. If Microsoft is to be believed, this support probably works better than that of most Internet or cell phone providers.
The criminals cannot be stopped
The operators of the phishing infrastructure came to Microsoft’s attention because, as part of a campaign, they created hundreds of thousands of subdomains under a legitimate company domain which – presumably via a DNS misconfiguration – could at least partially be hijacked by the attackers. The attackers can send each victim a separate link, which makes it difficult for e-mail providers such as Microsoft to intercept the spam solely on the basis of a link blacklist. The attackers use a number of tricks such as invisible characters in the text, encoded data and subtle manipulations of company logos and branding elements in order to evade automated detection.
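Two of the evasion techniques named above, per-victim subdomains and invisible characters in the text, can be countered on the receiving side without a link blacklist. The following Python script is an added example written for this article; it is not Microsoft’s code and not part of the report. It locates zero-width and similar invisible code points in a message, strips them before URL extraction so that a split keyword or URL is seen whole, and then reduces every link host to its parent domain so that a batch of messages pointing at many distinct subdomains of the same parent stands out. The sample messages, domain names and the parent-domain reduction (last two DNS labels instead of a Public Suffix List lookup) are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Code points that render as nothing (or nearly nothing) and are sometimes
# inserted into words or URLs to defeat simple keyword and link matching.
INVISIBLE_CHARS = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
    "\u00ad": "SOFT HYPHEN",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (not real phishing mail): three carry a
# per-victim subdomain under the same parent, one is an ordinary newsletter.
SAMPLE_MESSAGES = [
    "Your pass\u200bword expires today. Verify at https://a1b2.login-example.com/verify",
    "Your password expires today. Verify at https://c3d4.login-example.com/verify",
    "Verify at https://e5f6.login-exa\u200dmple.com/verify now",
    "Newsletter: https://www.example.org/news",
]


def find_invisible_chars(text):
    """Return (offset, name) for every invisible code point found in text."""
    return [(i, INVISIBLE_CHARS[ch]) for i, ch in enumerate(text) if ch in INVISIBLE_CHARS]


def strip_invisible(text):
    """Remove invisible code points so that split words and URLs are seen whole."""
    return "".join(ch for ch in text if ch not in INVISIBLE_CHARS)


def registrable_domain(hostname, labels=2):
    """Crude parent-domain reduction: keep the last `labels` DNS labels.
    Assumption for this example; a deployment would consult the Public Suffix List."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def extract_urls(text):
    """Pull http(s) URLs out of a message after invisible characters are removed."""
    return URL_RE.findall(strip_invisible(text))


def group_by_parent(messages):
    """Map parent domain -> set of distinct link hosts seen across the batch."""
    groups = defaultdict(set)
    for msg in messages:
        for url in extract_urls(msg):
            host = urlparse(url).hostname
            if host:
                groups[registrable_domain(host)].add(host)
    return groups


def flag_per_victim_links(messages, threshold=3):
    """Parent domains that appear with at least `threshold` distinct subdomains.
    Many unique hosts under one parent across a mail batch is the per-victim
    link pattern described in the article; a single blacklist entry for each
    host would never keep up, but the parent domain is a stable pivot."""
    return {
        parent: sorted(hosts)
        for parent, hosts in group_by_parent(messages).items()
        if len(hosts) >= threshold
    }


if __name__ == "__main__":
    for n, msg in enumerate(SAMPLE_MESSAGES):
        hits = find_invisible_chars(msg)
        if hits:
            print(f"message {n}: invisible characters at {hits}")
    for parent, hosts in flag_per_victim_links(SAMPLE_MESSAGES).items():
        print(f"{parent}: {len(hosts)} distinct subdomains -> {hosts}")
```

Run as a script it reports the zero-width characters in the first and third messages and flags `login-example.com` with three distinct subdomains; `example.org` is seen once and stays below the threshold. The threshold and label count are tuning knobs, and in a real mail pipeline the parent-domain grouping would be computed over a sliding time window rather than a fixed list.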
The operators of BulletProofLink are still in business, so Microsoft evidently did not manage to disrupt, let alone shut down, the criminals’ infrastructure in the course of its investigation.
The Microsoft report is well worth reading in full, as it reveals some of the phishing crooks’ tricks in detail. However, it is also frightening to read how easy it is to get into the apparently lucrative phishing business. Phishing-as-a-service platforms such as the BulletProofLink operation described by Microsoft enable even complete newcomers without prior knowledge to quickly get into the business of stolen user data. No wonder the phishing spam in our inboxes never ends!