How a secret phishing syndicate targets over 8,000 Microsoft 365 accounts
A previously undocumented “phishing empire” has been linked to cyberattacks aimed at compromising Microsoft 365 business email accounts over the past six years.
“The threat actor created a hidden underground marketplace, named W3LL Store, that served a closed community of at least 500 bad actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, along with 16 others Fully Customized Tools for Business Email Compromise (BEC) Attacks,” Group-IB said in a report shared with The Hacker News.
The phishing infrastructure is estimated to have targeted more than 56,000 enterprise Microsoft 365 accounts and compromised at least 8,000, primarily in the US, UK, Australia, Germany, Canada, France, the Netherlands, Switzerland and Italy between October 2022 and July 2023, earning its operators $500,000 in illicit profits.
Some of the top industries infiltrated using the phishing solution include manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB said it identified nearly 850 unique phishing websites attributed to the W3LL panel during the same period.
The Singapore-based cybersecurity company described W3LL as an all-in-one phishing instrument offering a range of services from custom phishing tools to mailing lists and access to compromised servers, highlighting the trend toward increase in phishing as a means. service platforms (PhaaS).
Active since 2017, the threat actor behind the kit has a long history of developing bespoke software for bulk email spam (named PunnySender and W3LL Sender) before focusing on setting up phishing tools to compromise corporate email accounts.
A critical component of W3LL’s malware arsenal is an adversary-in-the-middle (AiTM) phishing kit that can bypass multi-factor authentication (MFA) protections. It is offered for sale for $500 for a three-month subscription, followed by a monthly fee of $150.
The panel, in addition to collecting identification information, integrates anti-bot functionality to evade automated web content scanners and extend the life of their phishing and malware campaigns.
The W3LL Store also offers PhaaS affiliates a 70/30 split on commissions earned through its reseller program and a 10% “referral bonus” to attract other trusted parties into the community. To prevent theft or resale of source code, each copy of the panel is activated via a license-based activation mechanism.
BEC attacks leveraging the W3LL phishing kit involve a preparatory phase to validate email addresses using an auxiliary utility called LOMPAT and deliver phishing messages.
Victims who open the fake link or attachment are monitored via the anti-bot script to filter out unauthorized visitors (who are directed to Wikipedia) and ultimately direct them to the phishing landing page via a redirect chain that uses AiTM tactics to siphon credentials and session. cookies.
Armed with this access, the malicious actor then logs into the target’s Microsoft 365 account without triggering MFA, automates account discovery on the host using a custom tool called CONTOOL and collects emails, telephone numbers and other information.
Identity is the New Endpoint: Mastering SaaS Security in the Modern Age
Dive into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Find out why identity is the new endpoint. Reserve your place now.
Some of the notable tactics adopted by the malware author are the use of Hastebin, a file sharing service, to store stolen session cookies, as well as Telegram and email to exfiltrate actor credentials criminals.
This disclosure comes days after Microsoft warned of a proliferation of AiTM techniques deployed through PhaaS Platforms such as EvilGinx, Modlishka, Muraena, EvilProxy and Greatness to allow users to access privileged systems without large-scale re-authentication.
“What really sets W3LL Store and its products apart from other underground marketplaces is the fact that W3LL has created not only a marketplace, but a complex phishing ecosystem with a fully compatible set of custom tools that cover almost the entire spectrum. BEC kill chain and can be used by cybercriminals of all technical skill levels,” said Anton Ushakov of Group-IB.
“The growing demand for phishing tools has created a thriving underground market, attracting a growing number of vendors. This competition drives continued innovation among phishing developers, who seek to improve the effectiveness of their malicious tools with new features and approaches to their criminal operations. “
