Microsoft’s security team identifies a Phishing-as-a-Service organization called BulletProofLink, the European Commission will reportedly introduce a proposal for a common charger standard this week, and OnStar is coming to Amazon Echo devices.

Catching the big fish: Analyzing a large-scale phishing-as-a-service operation

In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—over 300,000 in a single run. This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign: a large-scale phishing-as-a-service operation called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.
A phishing-as-a-service (PhaaS) operation, dubbed BulletProofLink and discovered by Microsoft, has been behind a number of phishing campaigns against the private sector. Researchers at the tech giant uncovered the operation after finding a campaign that used more than 300,000 "newly created and unique subdomains" in a single run. The operation sells phishing kits, email templates, hosting and automated services—all at fairly low prices. Microsoft explained that some PhaaS groups offer everything needed for a campaign from soup to nuts—template creation, hosting and overall orchestration. That's a lucrative business model for their "clientele." Those service providers also offer a hosted scam page solution called fully undetected, or FUD, links. That's their own marketing term meant to assure customers that the links are viable until users click them.
