BulletProofLink Phishing Platform Seized by Malaysian Police


In Malaysia, authorities have announced the dismantling of a Phishing-as-a-Service (PaaS) operation known as BulletProofLink. The takedown was carried out on November 6, 2023, in collaboration with the Australian police and the FBI.

Eight individuals, ranging in age from 29 to 56, including the syndicate’s ringleader, were apprehended in various regions of Malaysia. Alongside these arrests, the authorities seized servers, computers, jewelry, vehicles, and cryptocurrency wallets totaling approximately $213,000.

BulletProofLink offered subscription-based ready-made phishing templates for credential harvesting campaigns. These templates mimicked login pages of prominent services such as American Express, Bank of America, DHL, Microsoft, and Naver. According to Microsoft, which first identified the service, BulletProofLink’s partners also engaged in double theft – stolen credentials were sent to both the developers and their clients, opening additional monetization avenues.

Intel 471 notes that BulletProofLink is linked to a hacker known as AnthraxBP (TheGreenMY, AnthraxLinkers). Believed to have been active since 2015, BulletProofLink’s online store boasts at least 8,138 active clients and 327 phishing page templates as of April 2023.

A distinctive feature of the platform is its use of the Evilginx2 phishing kit to run Adversary-in-the-Middle (AiTM) attacks: the victim authenticates through a proxy that relays the real login page, so the attacker captures the authenticated session cookie and bypasses multi-factor authentication (MFA) without needing the second factor.
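Because an AiTM proxy steals a session cookie rather than a password, the credential itself looks valid and MFA shows as completed; the detectable artifact is the stolen cookie being replayed from a client other than the one that finished the MFA prompt. The following is an added example (not code from the article or from any vendor it cites) of that check run over constructed JSON-lines auth logs; the field names, event types and sample values are assumptions.

```python
"""Flag session cookies replayed from a different client shortly after MFA.

Added example; assumes an application emits JSON-lines auth logs with the
fields shown in SAMPLE_LOG. The 'issued'/'request' event types and all
values below are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice completes MFA from one client, then the same
# session id is used minutes later from another IP and user agent (the
# pattern an AiTM replay leaves). bob's session stays on one client.
SAMPLE_LOG = """\
{"ts":"2023-11-06T09:00:00Z","event":"issued","sid":"s1","user":"alice","ip":"203.0.113.10","ua":"Chrome/118","mfa":true}
{"ts":"2023-11-06T09:00:05Z","event":"request","sid":"s1","ip":"203.0.113.10","ua":"Chrome/118"}
{"ts":"2023-11-06T09:04:30Z","event":"request","sid":"s1","ip":"198.51.100.77","ua":"curl/8.1"}
{"ts":"2023-11-06T09:10:00Z","event":"issued","sid":"s2","user":"bob","ip":"192.0.2.5","ua":"Firefox/119","mfa":true}
{"ts":"2023-11-06T09:12:00Z","event":"request","sid":"s2","ip":"192.0.2.5","ua":"Firefox/119"}
"""

# Only requests this soon after issuance are judged; later client changes are
# more likely ordinary roaming and are handled by other controls.
REPLAY_WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    # Logs use a trailing 'Z'; normalise so fromisoformat accepts it on 3.7+.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_replayed_sessions(events, window=REPLAY_WINDOW):
    """Return {sid: [(ts, ip, ua), ...]} for sessions that were used from a
    client (IP or user agent) other than the one that completed MFA, within
    `window` of the session being issued."""
    issued = {e["sid"]: e for e in events if e["event"] == "issued"}
    findings = defaultdict(list)
    for e in events:
        if e["event"] != "request" or e["sid"] not in issued:
            continue
        origin = issued[e["sid"]]
        if _ts(e["ts"]) - _ts(origin["ts"]) > window:
            continue
        if e["ip"] != origin["ip"] or e["ua"] != origin["ua"]:
            findings[e["sid"]].append((e["ts"], e["ip"], e["ua"]))
    return dict(findings)


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"possible cookie replay on session {sid}: {hits}")
```

An IP change on its own is noisy (mobile carriers rotate addresses), so in production this signal is usually combined with ASN or geolocation distance and the authenticating client's TLS fingerprint before it triggers session revocation; the structural mitigation is phishing-resistant MFA, which binds the authentication to the genuine origin so a proxy cannot complete it.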

Trend Micro points out that phishers are increasingly adopting new and more sophisticated methods to evade security controls, including intermediary links to documents hosted on legitimate file-sharing platforms, where the document itself carries the URL of the adversary's infrastructure so that the initial message contains no directly malicious link.