Security researchers have uncovered a new covert phishing operation selling sophisticated tools used to target an estimated 56,000 Microsoft 365 accounts in just a 10-month period.
Group-IB revealed the existence of the covert W3LL actor in a new report, W3LL Done: Hidden Phishing Ecosystem Driving BEC Attacks.
It claimed the threat actor has been operating since at least 2017, when it began selling the W3LL SMTP Sender – a custom tool for sending email spam en masse. It later started selling a phishing kit for Microsoft 365 accounts and subsequently opened the W3LL store, a sophisticated members-only underground market.
It’s estimated that the store, with over 500 active users and more than 12,000 items listed for sale, generated $500,000 for the actor in just the last 10 months.
“What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost the entire kill chain of BEC and can be used by cyber-criminals of all technical skill levels,” said Anton Ushakov, deputy head of Group-IB’s high-tech crime investigation department, Europe.
“The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations.”
The W3LL store’s biggest draw is the W3LL panel, one of the most advanced phishing kits around, which is designed to help threat actors bypass multi-factor authentication (MFA) in attacks.
It has been linked to 850 phishing sites over the past 10 months, Group-IB said.
The W3LL actor also sells 16 other fully customized and compatible tools designed to provide a one-stop shop for business email compromise (BEC) phishing threat actors.
These include SMTP senders (PunnySender and W3LL Sender), malicious link stagers (W3LL Redirect), a vulnerability scanner (OKELO), an automated account discovery instrument (CONTOOL), reconnaissance tools and other items. They can apparently be licensed for between $50 and $350 per month.