Reverse Engineering to Identify PhaaS Providers
By Jordan Cortado on October 4, 2024
Introduction
In the 1990s, a group of hackers posed as employees of AOL. They used instant messaging and email to obtain users' passwords and hijack their accounts. This is widely considered the first phishing attack in internet history [5]. Phishing is a form of cyberattack where the adversary poses as someone else to lure targets into providing sensitive information (passwords, financial information, etc.) via email [6]. In recent years, phishing has evolved from isolated criminal activity into organized, commodified services. This is evident in the emergence of Phishing as a Service (PhaaS), which makes phishing attacks more accessible, enabling even non-technical individuals to carry them out with minimal effort.
What is PhaaS?
Similar to Software as a Service (SaaS) and Infrastructure as a Service (IaaS), PhaaS is a model where customers pay (either one-time or subscription based) for fully developed phishing tools [3, 7, 8]. These tools give the buyer access to:
- Various phishing templates (emails, websites, etc.)
- Site hosting
- Credential Theft and Distribution
- Database of breached email addresses
- Real time monitoring
- Attack Tutorials
- Customer Support
They offer packages that target specific companies like Amazon, Apple, PayPal, American Express, and CashApp [3]. The alarming factor in PhaaS is that anyone with limited technical knowledge and ill intent is capable of committing a cyber crime with the click of a mouse.
Indicators of a Phishing/PhaaS attack
It is imperative that proper cybersecurity awareness and training are implemented so that potential victims can distinguish legitimate from illegitimate emails [1, 2]. Recipients should conduct a quick examination of:
- Email headers – Do they show a reputable domain, location, and sender?
- Content body – Does it convey a sense of urgency? Does it sound too good to be true? Are there spelling errors or off-looking logos?
- URL(s) and/or file(s) – Check whether links, URLs, or attachments are malicious using a service like VirusTotal [11].
- Impact – Who are the other recipients of the email? What has the file or link compromised, or what could it compromise?
Identifying PhaaS services
When using forensics to analyze phishing sites, there is much to be gained from viewing the source code. An analysis of a PhaaS provider, Sniper Dz, exposes the HTML code behind its phishing sites, which carries a few secrets. It was found that the victim downloaded the phishing content through a public proxy server: when the victim clicks a phishing link, the page returns a script that configures the public proxy server, and the proxy server then requests the phishing content from the phishing server. This behavior hides the backend server hosting the phishing content behind public proxy servers [4]. Tracking malicious code like this comes from reviewing the source code of the phishing website, files, or emails.
Another instance reveals obfuscation in source code. Obfuscation is a common technique in security, encryption, and cryptography: it is the practice of making information difficult to understand and/or discover. Because of this, it can be considered a double-edged sword, since the same technique can be used to conceal malware. This is evident in Sniper Dz’s phishing template page. Reverse engineering of the JavaScript code revealed common functions that attackers use to obfuscate content, such as String.fromCharCode and unescape [4]. Attackers use these functions in an attempt to hide malicious code.
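The two idioms named above can be decoded statically, without loading the attacker's page in a browser. The following is an added example, not code from this post or from the Unit 42 report; the obfuscated snippet it scans is a constructed sample, and the function names are my own.

```javascript
// Added example: a static decoder for two obfuscation idioms,
// String.fromCharCode(...) and unescape('%xx...'), so an analyst can read
// the hidden strings without executing the attacker's script.
// Not code from the post or the Unit 42 report; sample script is constructed.

// Constructed sample resembling an obfuscated redirect snippet.
const SAMPLE_SCRIPT = [
  "var a = String.fromCharCode(104,116,116,112,115,58,47,47);",
  "var b = unescape('%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64');",
  "document.write(a + b + '/login');",
].join("\n");

// Turn the argument list of String.fromCharCode(65, 66, ...) into text.
// Returns null if any argument is not a plain decimal number.
function decodeFromCharCode(argList) {
  const codes = argList.split(",").map((s) => parseInt(s.trim(), 10));
  if (codes.length === 0 || codes.some(Number.isNaN)) return null;
  return String.fromCharCode(...codes);
}

// Decode %xx and %uxxxx sequences the way unescape() does, implemented here
// so the decoding rule is explicit rather than delegated to the legacy API.
function decodeUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16))
  );
}

// Scan a script for both idioms; return decoded literals in order of appearance.
function revealStrings(source) {
  const found = [];
  const fromCharCodeRe = /String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g;
  const unescapeRe = /unescape\(\s*(['"])([^'"]*)\1\s*\)/g;
  for (const m of source.matchAll(fromCharCodeRe)) {
    const text = decodeFromCharCode(m[1]);
    if (text !== null) found.push({ kind: "fromCharCode", offset: m.index, decoded: text });
  }
  for (const m of source.matchAll(unescapeRe)) {
    found.push({ kind: "unescape", offset: m.index, decoded: decodeUnescape(m[2]) });
  }
  return found.sort((x, y) => x.offset - y.offset);
}

// Keep only decoded values that look like a host or URL fragment, for IOC triage.
function decodedHostLike(source) {
  return revealStrings(source)
    .map((f) => f.decoded)
    .filter((t) => /^[a-z0-9.-]+\.[a-z]{2,}$|^https?:\/\//i.test(t));
}

for (const f of revealStrings(SAMPLE_SCRIPT)) {
  console.log(`${f.kind} @${f.offset}: ${JSON.stringify(f.decoded)}`);
}
console.log("host-like:", decodedHostLike(SAMPLE_SCRIPT));
```

On the constructed sample this recovers `https://` and `example.invalid`, which is the kind of string an analyst then carries into an IOC list. A real kit may nest the calls or build strings from arrays, so treat this as a first pass rather than a complete deobfuscator.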
Similarly, BulletProofLink is another PhaaS provider that offers services like those of Sniper Dz. Analysis of its email template’s source code shows another obfuscation technique, in this case zero-point font. Zero-point font is the approach of hiding malicious code in an email with a font size of zero [9]. The technique is an effort to deceive the victim, who sees a normal-looking email in their inbox without realizing the malware behind it. In Microsoft’s analysis of BulletProofLink emails, they found zero-point font was used to hide compromised sites [8]. Examining the email’s source code will reveal the code that embeds the malicious files, with FONT SIZE: 0px in close proximity.
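The reason zero-point font works is that a text-based filter and a human reader see two different messages. The added example below (not code from this post, the Avanan write-up, or Microsoft's analysis) splits raw email HTML into the text the recipient sees and the text hidden at font size zero; the message it scans is a constructed sample, and it assumes simple, non-nested inline elements with an inline `style` attribute.

```javascript
// Added example: separate what a recipient sees from what a zero-font element
// hides. Not code from the post or the cited reports; SAMPLE_EMAIL is constructed.
// Assumes non-nested inline elements styled with an inline style attribute.

const SAMPLE_EMAIL = [
  '<p>Your <span style="FONT-SIZE: 0px">lorem ipsum</span>account ',
  '<span style="font-size:0px">dolor sit</span>is on hold.</p>',
].join("");

// Matches <tag style="... font-size: 0[px|pt|em] ...">inner</tag>.
// The lookahead keeps "font-size: 0.5em" from being treated as zero.
const ZERO_FONT_RE =
  /<(\w+)([^>]*\bstyle\s*=\s*["'][^"']*font-size\s*:\s*0(?![\d.])(?:px|pt|em)?\s*;?[^"']*["'][^>]*)>([\s\S]*?)<\/\1\s*>/gi;

// Drop tags and collapse whitespace, as a naive text filter would.
function stripTags(html) {
  return html.replace(/<[^>]+>/g, "").replace(/\s+/g, " ").trim();
}

function splitZeroFont(html) {
  const hidden = [];
  const visibleHtml = html.replace(ZERO_FONT_RE, (m, tag, attrs, inner) => {
    hidden.push(stripTags(inner));
    return "";
  });
  return {
    hidden,                              // fragments only a parser sees
    visibleText: stripTags(visibleHtml), // what the recipient reads
    filterText: stripTags(html),         // what a naive text filter reads
  };
}

// Simple verdict: any non-empty zero-font text is worth a closer look.
function zeroFontSuspicious(html) {
  return splitZeroFont(html).hidden.some((t) => t.length > 0);
}

const r = splitZeroFont(SAMPLE_EMAIL);
console.log("hidden:", r.hidden);
console.log("visible:", r.visibleText);
console.log("filter sees:", r.filterText);
```

On the sample, the recipient reads "Your account is on hold." while a filter that only strips tags sees the hidden words spliced into the sentence; comparing the two views is a cheap detection signal for a mail gateway or a triage script.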
After investigating a considerable number of phishing attempts, a great deal of similarities start to emerge. Numerous phishing emails turn out to be related based on the infrastructure behind the attacks. Some of the indicators that suggest a PhaaS campaign are the prevalence of similar strategies, code, email recipients, and domains. In another analysis, Tycoon 2FA, a PhaaS that specializes in Adversary-in-the-Middle phishing kits, had HTTP requests containing the same names, obfuscated code, specific Cascading Style Sheets (.css), use of WebSocket to exfiltrate data, and use of a custom Cloudflare CAPTCHA alternative [10]. Microsoft’s examination of BulletProofLink also provides an Indicators of Compromise (IOC) list containing related password-processing URLs and domains [8]. Looking back at Unit 42’s Sniper Dz investigation, the study concluded with an IOC list verifying the consistent domains, files, and websites found across discovered phishing emails. In the end, they attributed over 140,000 phishing sites to Sniper Dz [4].
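Turning "these pages share the same resource names and exfiltration method" into attribution is a clustering problem. The added example below is not code from this post or from the Sekoia, Microsoft, or Unit 42 reports: it groups captured pages by the overlap of their infrastructure fingerprints, and the capture records, domains, and indicator labels are all constructed for illustration.

```javascript
// Added example: cluster captured phishing pages into likely kit families by
// fingerprint overlap. Not code from the post or the cited reports; the
// CAPTURES records, domains and indicator labels are constructed.

const CAPTURES = [
  { id: "page-A", domain: "login-a.example.invalid",
    indicators: ["login.css", "app.js", "websocket-exfil", "custom-captcha"] },
  { id: "page-B", domain: "secure-b.example.invalid",
    indicators: ["login.css", "app.js", "websocket-exfil", "custom-captcha"] },
  { id: "page-C", domain: "verify-c.example.invalid",
    indicators: ["login.css", "app.js", "websocket-exfil"] },
  { id: "page-D", domain: "portal-d.example.invalid",
    indicators: ["theme.css", "main.js", "form-post"] },
];

// Jaccard similarity of two indicator lists: |A ∩ B| / |A ∪ B|.
function jaccard(a, b) {
  const A = new Set(a), B = new Set(b);
  let inter = 0;
  for (const x of A) if (B.has(x)) inter++;
  const union = A.size + B.size - inter;
  return union === 0 ? 0 : inter / union;
}

// Greedy grouping: a capture joins the first cluster containing a member at or
// above the threshold, otherwise it starts a new one. (Full single linkage
// would also merge clusters that a later capture bridges; omitted for brevity.)
function clusterByFingerprint(captures, threshold = 0.6) {
  const clusters = [];
  for (const c of captures) {
    const home = clusters.find((cl) =>
      cl.some((m) => jaccard(m.indicators, c.indicators) >= threshold));
    if (home) home.push(c); else clusters.push([c]);
  }
  return clusters.map((cl) => ({
    members: cl.map((m) => m.id),
    domains: cl.map((m) => m.domain),
    // indicators common to every member: the family's stable fingerprint
    shared: cl.reduce((acc, m) => acc.filter((x) => m.indicators.includes(x)),
                      [...cl[0].indicators]),
  }));
}

for (const cl of clusterByFingerprint(CAPTURES)) {
  console.log(cl.members.join(", "), "->", cl.shared.join(", "));
}
```

The `shared` list of each cluster is the part worth publishing as an IOC set, since it survives the per-campaign changes (domains, captcha variant) that individual captures differ on; the threshold is a tuning knob, and raising it splits page-C into its own group.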
Defending against PhaaS
Phishing emails are likely inevitable, so the best practice is to know how to handle one when it arrives [2, 7]. Some strategies to counter incoming phishing attempts include:
- Email filtering
  - Adopt email security gateways to detect and quarantine emails before they reach the inbox
- Password policies
  - Exercise strong password hygiene and adopt Multi-Factor Authentication (MFA)
- Patch management
  - Install critical patch updates as soon as possible
- Additional technical security controls
  - Deploy security controls like the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol and endpoint protection tools
- Cybersecurity awareness training
  - Consistently deliver cybersecurity awareness training to maximize the odds that staff recognize a phishing attack
With the combination of strict policies, filtering, and human awareness, phishing compromises can be kept at a minimum.
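DMARC only helps if the published policy actually enforces something; a monitoring-only record still lets spoofed mail through. The added example below (not code from this post or the cited guides) parses a DMARC TXT record and flags the weak settings; the tag names follow RFC 7489, and the two records, one monitoring-only and one enforcing, are constructed samples with a placeholder reporting address.

```javascript
// Added example: assess a DMARC TXT record for settings that leave spoofed
// mail deliverable. Not code from the post or the cited guides. Tag names
// (v, p, sp, pct, rua) are from RFC 7489; the records below are constructed.

const WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid";
const STRONG_RECORD =
  "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.invalid";

// Split "k=v; k=v" into an object; a later duplicate tag overwrites an earlier one.
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim().toLowerCase();
    const value = part.slice(idx + 1).trim();
    if (key) tags[key] = value;
  }
  return tags;
}

// Returns the policy, whether it enforces anything, and a list of weaknesses.
function assessDmarc(txt) {
  const t = parseDmarc(txt);
  const findings = [];
  if (t.v !== "DMARC1") findings.push("record does not carry v=DMARC1");
  if (!t.p) findings.push("no p= policy: record is not valid");
  else if (t.p === "none") findings.push("p=none only monitors; spoofed mail is still delivered");
  else if (t.p === "quarantine") findings.push("p=quarantine: move to p=reject once reports look clean");
  if (t.pct !== undefined && Number(t.pct) < 100)
    findings.push(`pct=${t.pct}: policy covers only part of the mail stream`);
  if (t.sp === "none") findings.push("sp=none: subdomains can still be spoofed");
  if (!t.rua) findings.push("no rua= address: aggregate reports are not being collected");
  const enforcing = t.p === "reject" || t.p === "quarantine";
  return { policy: t.p || null, enforcing, findings };
}

for (const rec of [WEAK_RECORD, STRONG_RECORD]) {
  const a = assessDmarc(rec);
  console.log(`${rec}\n  enforcing=${a.enforcing} findings=${JSON.stringify(a.findings)}`);
}
```

Run against a real domain, the input would be the TXT record at `_dmarc.<domain>` (resolved with `dig` or a DNS library; the lookup itself is left out so the block runs offline). The same check is useful from the other side: a phishing email whose From domain publishes p=reject and still reached the inbox points at a gateway that is not evaluating DMARC.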
Conclusion
As technology continues to grow, the tools available to attackers grow as well. It is key that we understand the prevalence of phishing and PhaaS. Now that providers like Sniper Dz, BulletProofLink, Tycoon 2FA, and others continue to multiply, it is essential to highlight cybersecurity awareness training. Investigating their attacks and maintaining a strong security posture will ultimately build cyber resilience. In the effort to discover and track down PhaaS providers, reverse engineering phishing campaigns will unravel the similarities between them. Recognizing certain patterns among attacks will lead to attribution to a particular PhaaS provider.
References
[1] Bernal, C. (2022, September 19). The 4 Steps to a Phishing Investigation. Exabeam. https://www.exabeam.com/blog/incident-response/the-4-steps-to-a-phishing-investigation/
[2] Chebac, A. (2023, October 19). What is Phishing-as-a-Service (PhaaS) and How to Protect Against It. Heimdal Security Blog. https://heimdalsecurity.com/blog/what-is-phishing-as-a-service-phaas/#:~:text=Phishing%2Das%2Da%2Dservice%20uses%20a%20software%2Das,necessary%20for%20a%20phishing%20attack.
[3] Ciber 4 All Team. (2024, April 22). Phishing as a service: Kits to steal money and data from companies. Tarlogic Security. https://www.tarlogic.com/blog/phishing-as-a-service/
[4] Farooqi, S., Tong, H., & Starov, A. (2024, September 24). Investigating infrastructure and tactics of phishing-as-a-service platform sniper DZ. Unit 42. https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tactics/?web_view=true
[5] Gillin, P. (2021, January 25). The history of phishing. Verizon Enterprise. https://www.verizon.com/business/resources/articles/s/the-history-of-phishing/#:~:text=It’s%20thought%20that%20the%20first,passwords%20and%20hijack%20their%20accounts
[6] History of Phishing. Phishing. (n.d.). https://www.phishing.org/history-of-phishing
[7] Krishnan, A. (2024, March 20). How to defend against phishing as a service and phishing kits. TechTarget Security. https://www.techtarget.com/searchsecurity/tip/How-to-defend-against-phishing-as-a-service-and-phishing-kits
[8] Microsoft Threat Intelligence. (2021, September 21). Catching the big fish: Analyzing a large-scale phishing-as-a-service operation. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/
[9] Nathaniel, Y. (2018, June 13). ZeroFont Phishing: Font Manipulation to Pass Microsoft Security. https://www.avanan.com/blog/zerofont-phishing-attack
[10] Sekoia TDR, & Bourgue, Q. (2024, March 25). Tycoon 2FA: an in-depth analysis of the latest version of the AITM phishing kit. Sekoia.io Blog. https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/#h-uncovering-of-tycoon-2fa
[11] Virustotal. (n.d.). https://www.virustotal.com/gui/home/upload