Phishing Vendor Sells IP Addresses to Duck Anomaly DetectionBulletProofLink Found a Way to Thwart Impossible Travel Detection
A large-scale phishing-as-a-service operation is shifting tactics to allow attackers to avoid anomaly detection by using localized IP addresses, warns Microsoft.
The computing giant discovered the provider in 2021 after detecting a phishing campaign that used more than 300,000 domains and unique subdomains in a single run. BulletProofLink, also referred to as BulletProftLink or Anthrax, sells access to phishing kits, email templates, hosting, and automated series "at a relatively low cost" (see: Microsoft Analyzes Phishing-as-a-Service Operation).
BulletProofLink is also in the business of business email compromise, the practice of sending scam messages that appear to come from legitimate sources in the guise of invoices or other requests for financial details. BEC often involves a compromised account of a legitimate business used to contact business associates.
The U.S. Secret Service has reported that BEC incidents cost global enterprises more than $43 billion in losses over a five-year span (see: US Secret Service Versus Business Email Compromise).
Microsoft's Digital Crime Unit says BulletProofLink now sells attackers IP addresses bought from residential telecoms that match the location of the intended victim. The IP matching is a tactic to overcome "impossible travel" anomaly detection used to indicate a compromise. The method gets its name from the heuristic process it suggests - if a user logs on to a service from different IP addresses matched to different locations in less than the time it would take to physically arrive there, the account may be compromised.
"Microsoft has observed threat actors in Asia and an Eastern European nation most frequently deploying this tactic," the company says.
Bad actors reselling IP addresses is a problem that is poised to get worse, Microsoft also warns. "Residential IP addresses mapped to locations at scale provide the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts."