More than 140,000 phishing websites have been discovered connected to a phishing-as-a-service (PhaaS) platform called Sniper Dz within the last year, indicating that it is used by a large number of cyber criminals to steal credentials.
Sniper DZ: how it works
“For potential phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages,” Palo Alto Networks Unit 42 researchers Shehroze Farooqi, Howard Tong and Alex Starov said in a technical report, adding: “Phishers can host these phishing pages on Sniper Dz infrastructure or download Sniper Dz phishing templates to host on their own servers.”
What makes it even more attractive is that the service is provided for free; the catch is that credentials collected via the phishing sites are also exfiltrated to the PhaaS platform operators, a technique Microsoft calls “double theft.”
PhaaS platforms have become an increasingly common way for aspiring cybercriminals to enter the world of cybercrime, allowing even those with little technical expertise to launch large-scale phishing attacks.
Sniper DZ and other kits: where do they come from?
These phishing kits can be purchased on Telegram, with dedicated channels and groups covering every aspect of the attack chain, from hosting services to sending phishing messages.
Sniper Dz is no exception: its operators run a Telegram channel with over 7,170 subscribers as of October 1, 2024; the channel was created on May 25, 2020.
Curiously, a day after Unit 42’s report was published, the people behind the channel enabled an auto-delete option that removes all posts after one month, likely an attempt to cover the tracks of their activities, although earlier messages remain intact in the chat history.
The PhaaS platform is publicly accessible on the web and requires the creation of an account to “get your scam and hacking tools,” according to the website’s homepage.
Videos advertising Sniper DZ
A video uploaded to Vimeo in January 2021 shows that the service offers ready-to-use scam templates for various online sites such as X, Facebook, Instagram, Skype, Yahoo, Netflix, Steam, Snapchat and PayPal, in English, Arabic and French. The video has over 67,000 views to date.
Also identified were video tutorials uploaded to YouTube that walk viewers through the steps needed to download templates from Sniper Dz and set up fake landing pages for PUBG and Free Fire on legitimate platforms like Google Blogger.
However, it is unclear whether the uploaders have any connection to the developers of Sniper Dz or whether they are simply customers of the service.
Sniper Dz offers the ability to host phishing pages on its own infrastructure and provides custom links pointing to those pages; these sites are then hidden behind a legitimate proxy server (proxymesh[.]com) to evade detection.
“The group behind Sniper Dz sets up this proxy server to automatically load phishing content from their server without direct communication,” the researchers said, adding: “This technique can help Sniper Dz protect its backend servers, as the victim’s browser or a security crawler will see the proxy server as responsible for loading the phishing payload.”
The other option for cybercriminals is to download the phishing page templates offline as HTML files and host them on their own servers.
Sniper Dz also offers tools to convert phishing templates into Blogger format, which can then be hosted on Blogspot domains.
The aftermath of Sniper DZ
The stolen credentials are ultimately displayed in an administration panel reachable through the publicly accessible site; Unit 42 has observed an increase in phishing activity using Sniper Dz, primarily targeting web users in the United States, starting in July 2024.
“Sniper Dz phishing pages exfiltrate victims’ credentials and trace them through a centralized infrastructure,” the researchers said. “This could help Sniper Dz collect victim credentials stolen by phishers using their PhaaS platform.”
The development comes as Cisco Talos revealed that attackers are abusing web pages linked to backend SMTP infrastructure, such as account creation pages and others that trigger the sending of an email to the user, to bypass anti-spam filters and distribute phishing emails.
These attacks exploit the poor validation and sanitization of inputs on these web forms to include malicious links and text in the resulting emails; other campaigns conduct credential stuffing attacks against legitimate organizations’ mail servers to gain access to email accounts and send spam.
“Many websites allow users to register for an account and access specific features or content,” said Talos researcher Jaeson Schultz. “Typically, upon completion of registration, an email is sent to the user to confirm the account.”
Cisco Talos also said: “In this case, spammers have overloaded the name field with text and a link, which unfortunately is not validated or sanitized in any way. The resulting email sent to the victim contains the spammer’s link.”
This also follows the discovery of a new email phishing campaign that exploits a seemingly innocuous Microsoft Excel document to spread a fileless variant of Remcos RAT, exploiting a known security vulnerability (CVE-2017-0199).
“When the Excel file is opened, OLE objects are used to trigger the download and execution of a malicious HTA application,” said Trellix researcher Trishaan Kalra. “This HTA application subsequently launches a series of PowerShell commands culminating in the injection of a fileless Remcos RAT into a legitimate Windows process.”
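As an added defender-side example (not code from the article, Talos or any affected site), here is a Python sketch of the registration flow Talos describes: the weak version drops the raw name field straight into the confirmation email, while the hardened version rejects names that carry links, markup or control characters and escapes what remains. The sample submissions, the placeholder URL and the function names are constructed for illustration.

```python
import html
import re

# Constructed sample submissions, modelled on the Talos description of a
# "name" field stuffed with text and a link (the URL is a placeholder).
ABUSED_NAME = "Claim your prize now at http://spam.example/win"
NORMAL_NAME = "Ada Lovelace"

# Matches explicit schemes, www. prefixes and bare domains with common TLDs.
URL_RE = re.compile(
    r"(?i)\b(?:https?://|www\.)\S+|\b[\w.-]+\.(?:com|net|org|info|xyz)\b"
)


def render_confirmation_unsafe(name: str) -> str:
    """The weak pattern: the raw field value is interpolated into the email body."""
    return f"Hello {name}, please confirm your account."


class InvalidNameError(ValueError):
    pass


def validate_name(name: str, max_len: int = 64) -> str:
    """Reject names that could turn a transactional email into spam."""
    name = name.strip()
    if not name or len(name) > max_len:
        raise InvalidNameError("name missing or too long")
    if URL_RE.search(name):
        raise InvalidNameError("name may not contain a link")
    if re.search(r"[<>\x00-\x1f]", name):
        raise InvalidNameError("name contains markup or control characters")
    return name


def render_confirmation_safe(name: str) -> str:
    """Hardened: validate first, then escape so the name is inert in an HTML email."""
    clean = validate_name(name)
    return f"Hello {html.escape(clean)}, please confirm your account."


def register(form: dict) -> tuple[bool, str]:
    """Returns (accepted, message); rejected submissions never trigger an email."""
    try:
        body = render_confirmation_safe(form.get("name", ""))
    except InvalidNameError as exc:
        return False, f"rejected: {exc}"
    return True, body
```

Length limits and a second, server-side check on the outbound mail template are the two controls that matter most here, since the form field is attacker-controlled end to end.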