Inside the platform propping up the next generation of email crime

A years-old malicious platform is being used at a vastly accelerated rate by cyber criminals to launch “industrial-scale” email attacks on businesses.

Microsoft publicized the rapid adoption of platforms such as BulletProftLink in a report on Friday, saying the tools are being widely used to carry out highly sophisticated business email compromise (BEC) attacks.

These platforms offer cyber criminals a full-service toolkit for launching BEC attacks, including legitimate-looking email templates, hosting, and automated services for launching attacks.

Microsoft’s report noted the rising adoption of BulletProftLink and its ilk is offering new ways for the underground industry to successfully monetize cyber crime as a service (CaaS).

The company’s Digital Crimes Unit said it has observed a 38% increase in CaaS attacks targeting business email specifically between 2019 and 2020.

A number of unique capabilities make attacks carried out with BulletProftLink’s tools difficult to dissect.

The most notable of these is a trend in attackers evading impossible travel detections.

Many security products have detections for impossible travel that can often identify and neutralize accounts that have been compromised by cyber criminals.

An organization will be aware of the IP addresses used by its office-based workers and those working remotely.

If one worker is known to log in from London regularly, or did log into their account from a London-based IP address one morning, but one hour later logged into the same account from a Hong Kong-based IP address, for example, that would trigger an impossible travel detection.

Security teams would then typically investigate the case knowing a potential cyber attack is taking place. 

That worker could not travel between the two cities in that time frame, meaning some malicious activity is likely occurring.

Armed with BulletProftLink, attackers purchase IP addresses from residential IP services that match their target’s location. 

After creating residential IP proxies localized to their victim’s location, attackers can then launch attacks, masking their real location and avoiding any impossible travel detections.

“Residential IP addresses mapped to victim locations at scale provide the ability and opportunity for cyber criminals to gather large volumes of compromised credentials and access accounts,” said Microsoft in its Cyber Signals report. “Threat actors are using IP/proxy services that marketers and others may use for research to scale these attacks.

“One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second.”

BulletProftLink also goes a step further than the go-to phishing-as-a-service platforms many cyber criminals flock to, such as Evil Proxy, Naked Pages, and Caffeine.

All of these platforms offer attackers the capabilities to launch phishing attacks at scale using compromised credentials, but BulletProftLink uses blockchain for its hosting.

This decentralized gateway design, Microsoft said, allows the platform to host phishing and BEC websites in a decentralized way, making it considerably more difficult to disrupt.

Typically, Microsoft and other web security organizations could track and locate the origin of malicious content and take steps to remove the source from the internet.

While each individual phishing link can either be blocked or taken down, tracking down the source on a public blockchain is much more challenging than a typical web2-hosted campaign.

Why is BEC such a threat?

BEC is a type of phishing attack that targets a specific individual, usually a high-ranking worker at an organization with the authority to make large financial transfers.

The aim of the attacks is to convince that high-ranking individual to transfer funds into a seemingly legitimate account that’s actually controlled by the cyber criminals.

Microsoft’s telemetry indicates that there were 35 million BEC attack attempts last year, equating to 156,000 a day.

BEC can also lead to the distribution of malware in the form of email attachments. Such malware, as well as convincing email chains without the use of malware, can lead to sensitive or personally identifiable information (PII) being leaked and later used for follow-up scams or extortion. 

“BEC attacks stand apart in the cyber crime industry for their emphasis on social engineering and the art of deception,” Microsoft said. 

“Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking a direct action like unknowingly sending funds to money mule accounts, which help criminals perform fraudulent money transfers.”

The prevailing fear is that attacks are not only getting more sophisticated and more frequent, but tools like BulletProftLink are allowing for such attacks to be performed at greater scales, increasing the difficulty involved in detecting and disrupting them.

Microsoft recommends maximizing email security settings: flagging all messages from external parties, enabling notifications for unverified senders, and blocking senders with identities that can’t be verified.

Lowering the risk tolerance for impossible travel can also help. It’s not uncommon for workers to take their devices and work from a coffee shop at some point during the day, for example. 

Such a trip could be allowed under standard configurations but given the rise in these attacks, it could make sense to restrict movement even further from the main working location.
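The impossible travel check described earlier, together with the tighter tolerance recommended here, as an added example (not code from Microsoft or from the original article). The 900 km/h speed ceiling, the 50 km radius, the single shared home location and the sample sign-ins are assumptions constructed for illustration, and IP geolocation is assumed to have been done already.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    user: str
    when: datetime
    lat: float   # geolocated from the source IP (assumed already resolved)
    lon: float

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def review_logins(logins, home, max_kmh=900.0, max_home_km=None):
    """Return (login, reason) pairs for sign-ins that break either tolerance."""
    alerts, last = [], {}
    for cur in sorted(logins, key=lambda l: l.when):
        prev = last.get(cur.user)
        if prev is not None:
            hours = (cur.when - prev.when).total_seconds() / 3600
            dist = km_between(prev.lat, prev.lon, cur.lat, cur.lon)
            # Guard against zero elapsed time (simultaneous sessions).
            if dist > 0 and dist / max(hours, 1 / 3600) > max_kmh:
                alerts.append((cur, "impossible travel"))
        # Optional radius around the main working location (assumed shared).
        if max_home_km is not None:
            if km_between(*home, cur.lat, cur.lon) > max_home_km:
                alerts.append((cur, "outside home radius"))
        last[cur.user] = cur
    return alerts

# Constructed sample sign-ins (not real telemetry).
LONDON, HONG_KONG, BRIGHTON = (51.5074, -0.1278), (22.3193, 114.1694), (50.8225, -0.1372)
day = lambda h, m=0: datetime(2023, 5, 22, h, m)
SAMPLE = [
    Login("alice", day(9), *LONDON),
    Login("alice", day(10), *HONG_KONG),     # one hour later: impossible
    Login("bob", day(9), *LONDON),
    Login("bob", day(9, 30), 51.52, -0.10),  # proxy geolocated in London
    Login("carol", day(9), *LONDON),
    Login("carol", day(13), *BRIGHTON),      # ~76 km away, four hours later
]
```

With the defaults only the London to Hong Kong sign-in is flagged, and passing `max_home_km=50` additionally flags the out-of-town sign-in. The London-geolocated proxy sign-in passes both checks, which is why this control is paired with strong authentication.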

Enabling strong authentication such as MFA or passwordless passkeys can make compromising email accounts much more difficult for attackers and is seen as a must-have security measure for all sizes of organizations. 

Training employees to spot these kinds of attacks can also be beneficial, leading to manual flags that can then be triaged by the IT admin or security team.

Connor Jones
Contributor
