The Royal Malaysian Police announced that they have seized the notorious BulletProftLink phishing-as-a-service (PhaaS) platform, which was a major source of cybercrime and credential theft. Phishing is a type of online fraud where attackers impersonate legitimate entities or individuals to trick victims into revealing sensitive information, such as passwords, bank account details, or credit card numbers.
BulletProftLink was a PhaaS platform that provided cybercriminals with everything they needed to carry out phishing attacks, such as:
- More than 300 phishing templates that mimicked the login pages of various popular websites and services, such as Microsoft Office, DHL, American Express, Bank of America, and many others.
- Hosting services for the phishing pages, some of which were hosted on legitimate cloud platforms like Google Cloud and Microsoft Azure to evade detection by email security tools.
- Customization options for the phishing pages, such as changing the logo, the domain name, the language, or the content.
- Credential harvesting tools that collected and stored the information entered by the victims on the phishing pages.
- Reverse proxying tools that enabled adversary-in-the-middle (AITM) phishing attacks, which could bypass multi-factor authentication (MFA) protections by intercepting and forwarding the communication between the victim and the legitimate website.
BulletProftLink was a lucrative and popular operation among cybercriminals, who paid a subscription fee of $2,000 per month to access regular batches of credential logs. The platform had thousands of subscribers, some of whom used the stolen credentials to gain initial access to corporate systems and launch further attacks, such as ransomware, data theft, or espionage.
The BulletProftLink operation started in 2015 but became more active and visible from 2018 onward. It was also the subject of several investigations and reports by cybersecurity researchers and experts, who exposed its features, techniques, and operators.
One of the most notable investigations was conducted by Gabor Szathmari, a cybersecurity expert who published a three-part series of open-source intelligence research in 2020, where he revealed the identity and lifestyle of the alleged leader of the operation, a Malaysian national who lived a lavish life with expensive cars, jewelry, and properties.
Another report was published by Microsoft in September 2021, which warned about the high volume and sophistication of the phishing attacks facilitated by BulletProftLink. Microsoft also estimated that the platform had 1,618 subscribers at the time, who had access to 327 phishing page templates.
The BulletProftLink operation was finally dismantled on November 6, 2023, thanks to a joint effort by the Royal Malaysian Police, the Australian Federal Police, and the FBI. The authorities arrested eight individuals, including the suspected leader of the operation, and seized multiple domains, servers, computers, cryptocurrency wallets, jewelry, vehicles, and payment cards.
The seizure of the BulletProftLink platform is a significant blow to the cybercrime ecosystem, as it deprives thousands of cybercriminals of a powerful and easy-to-use tool for phishing attacks. However, it is also a reminder of the constant threat and evolution of phishing campaigns, and the need for users and organizations to be vigilant and protect their online accounts and data.
P.S. – Here’s what their control panel looked like: