Malaysian Police Dismantle “BulletProftLink” Phishing Operation

Police in Malaysia have disrupted a major phishing-as-a-service (PhaaS) and initial access broker (IAB) operation that supplied thousands of threat actors, according to local reports.

The Royal Malaysia Police made the announcement last week, claiming that intelligence shared by the Australian Federal Police and the FBI enabled the arrest of eight individuals, including a software developer who designed phishing templates, the Malay Mail reported.

“From our investigations, not only the syndicate has compromised websites those of financial and education institutions, and official government sites in Australia, but they are also involved with the selling of stolen credentials,” explained inspector general, Sri Razarudin Husain.

Active since 2015, BulletProftLink offered both phishing services and stolen login credentials to over 8000 clients, according to Intel471.

“The service appealed to those seeking to buy stolen accounts to perpetrate various types of fraud and attacks. This kind of credential theft and sale – known as initial access brokering – is at the start of much cybercriminal activity,” it explained in a blog post.

The threat intelligence firm warned that BulletProftLink had recently added the Evilginx2 source code to its inventory, opening the door to adversary-in-the-middle (AITM) phishing attacks.

“It can capture not only login credentials but also session tokens. This type of phishing is particularly dangerous for enterprises, as the capture of session tokens or cookies allows adversaries to bypass multifactor authentication (MFA) prompts,” Intel471 continued.

“There were also indications that this threat actor group was becoming interested in ransomware.”

There are suggestions from police that the group was involved in investment fraud, potentially making over 1.2 million Malaysian ringgit ($250,000) from their scams.

However, BulletProftLink and AnthraxBP, a threat actor linked to it, also made operational security mistakes.

“Although Royal Malaysian Police have not released the names of those arrested, the real-world identity of AnthraxBP is no secret to cyber threat intelligence professionals,” Intel471 added.

“The lack of operational security by AnthraxBP allowed us, as well as other cybersecurity vendors to uncover AnthraxBP’s real name, date of birth, residence addresses, family photos on social media sites.”

Alongside the arrests, police reportedly seized a cryptocurrency wallet valued at 965,808 Malaysian ringgit ($205,140), as well as CPUs, electronic devices, jewelry and vehicles.
