Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials
Over 140,000 phishing websites have been identified as tied to a phishing-as-a-service (PhaaS) platform known as Sniper Dz over the past year, indicating that it is being used by a large number of cybercriminals to conduct credential theft campaigns.
In a technical report, Palo Alto Networks Unit 42 investigators Shehroze Farooqi, Howard Tong, and Alex Starov commented that “Sniper Dz offers a web admin dashboard for potential phishers with a collection of phishing pages.”
“These phishers have the choice of either uploading these deceitful pages on Sniper Dz-controlled infrastructure or obtaining Sniper Dz phishing templates to host on their personal servers.”
What adds to its appeal is that these services are offered free of charge. However, the credentials harvested through the phishing websites are also exfiltrated to the operators of the PhaaS platform, a technique Microsoft refers to as dual theft.
PhaaS platforms have become an increasingly common entry point for aspiring threat actors, enabling even those with minimal technical skill to conduct phishing attacks at scale.
Such phishing kits are typically sold through Telegram, with dedicated channels and groups catering to every stage of the attack chain, from hosting services to distributing phishing messages.
Sniper Dz follows suit as the threat actors manage a Telegram channel boasting over 7,170 subscribers as of October 1, 2024. The channel’s inception date is May 25, 2020.
Curiously, a day after the Unit 42 report went public, the individuals behind the channel switched on the autodelete feature to automatically eliminate all posts after one month. This move indicates an effort to conceal evidence of their undertakings, although earlier communications remain intact in the chat history.
The PhaaS platform is reachable on the clearnet and requires users to create an account to “get your scams and hack tools,” as stated on the website’s landing page.
A video uploaded to Vimeo in January 2021 shows that the service offers ready-to-use scam templates for a range of online platforms, including X, Facebook, Instagram, Skype, Yahoo, Netflix, Steam, Snapchat, and PayPal, in English, Arabic, and French. The video has accumulated over 67,000 views to date.
The Hacker News has also identified tutorial videos on YouTube that walk viewers through the steps needed to obtain templates from Sniper Dz and set up fake landing pages for PUBG and Free Fire on legitimate platforms such as Google Blogger.
It remains unclear, however, whether the uploaders are affiliated with the developers of Sniper Dz or are merely customers of the service.
Sniper Dz offers the option to host phishing pages on its own infrastructure and provides custom links pointing to those pages. These sites are then hidden behind a legitimate proxy server (proxymesh[.]com) to evade detection.
“The group orchestrating Sniper Dz configures this proxy server to autonomously load phishing content from its own server without direct interactions,” remarked the researchers.
“This strategy can aid Sniper Dz in safeguarding its backend servers, as the victim’s browser or a security crawler will perceive the proxy server as the source responsible for loading the phishing payload.”
Alternatively, cybercriminals can download phishing page templates offline as HTML files and host them on their own servers. Sniper Dz also provides additional tools to convert phishing templates into the Blogger format so they can be hosted on Blogspot domains.
The stolen credentials are ultimately displayed on an admin dashboard that is accessed by logging into the clearnet platform. Unit 42 observed an increase in phishing activity leveraging Sniper Dz, mainly targeting web users in the U.S., beginning in July 2024.
“Sniper Dz phishing pages purloin victim credentials and trace them through a centralized framework,” the researchers said. “This could potentially aid Sniper Dz in amassing victim credentials filched by phishers utilizing their PhaaS solution.”
The development comes as Cisco Talos disclosed that threat actors are abusing web pages tied to backend SMTP infrastructure, such as account registration forms and other pages that trigger an email response to the user, to bypass spam filters and distribute phishing emails.
“Numerous websites enable users to enroll for an account and log in to access specific functionalities or content,” stated Talos researcher Jaeson Schultz in a statement. “Typically, upon successful user registration, an email is dispatched back to the user for account verification.”
“In this scenario, spammers have overloaded the name section with text and a link, which regrettably goes unchecked and unsanitized. Consequently, the email sent back to the victim contains the spammer’s link.”
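The abuse Talos describes works because a free-text registration field is reflected, unchecked, into an outbound email. The following is an added defensive example, not code from the article or from any vendor it cites: a strict validator for a display-name field and a verification-email renderer that only ever includes the site's own link. The verification base URL, the sample inputs and the field policy (length cap, allowed characters, URL rejection) are all assumptions constructed for this illustration.

```python
import html
import re
import unicodedata
from dataclasses import dataclass
from urllib.parse import quote

MAX_NAME_LEN = 64  # policy choice for this example; tune to the application

# Anything that looks like a link: a URI scheme, "www.", or a bare host.tld token.
# Deliberately strict: "St.Clair" would be rejected, which is an acceptable
# false positive for a field that is echoed back into outbound mail.
URL_RE = re.compile(r"(?i)(?:[a-z][a-z0-9+.-]*://|www\.|\b[a-z0-9-]+\.[a-z]{2,}\b)")

# Constructed placeholder, not a real endpoint.
VERIFY_BASE = "https://accounts.example.invalid/verify"


def _char_allowed(ch: str) -> bool:
    """Allow letters in any script, combining marks, space, apostrophe, hyphen, period.
    Characters meaningful to HTML or URLs (< > / : = & ?) are excluded on purpose."""
    if ch in " '-.":
        return True
    return unicodedata.category(ch)[0] in ("L", "M")


@dataclass
class NameCheck:
    ok: bool
    cleaned: str
    reason: str = ""


def validate_display_name(raw: str) -> NameCheck:
    """Accept a human display name or reject it with a machine-readable reason."""
    cleaned = " ".join(raw.split())  # collapses runs of whitespace, removes CR/LF
    if not cleaned:
        return NameCheck(False, "", "empty")
    if len(cleaned) > MAX_NAME_LEN:
        return NameCheck(False, cleaned, "too_long")
    if URL_RE.search(cleaned):
        return NameCheck(False, cleaned, "contains_url")
    if not all(_char_allowed(c) for c in cleaned):
        return NameCheck(False, cleaned, "disallowed_characters")
    return NameCheck(True, cleaned)


def render_verification_email(raw_name: str, token: str) -> str:
    """Build the HTML body of a verification mail. Refuses to render at all if the
    name fails validation, so attacker-supplied text never reaches the outbound mail."""
    check = validate_display_name(raw_name)
    if not check.ok:
        raise ValueError(f"rejected display name: {check.reason}")
    # The only link in the message is ours; the token is URL-encoded, then the
    # whole link and the name are HTML-escaped before interpolation.
    link = f"{VERIFY_BASE}?token={quote(token, safe='')}"
    safe_link = html.escape(link, quote=True)
    safe_name = html.escape(check.cleaned, quote=True)
    return (
        f"<p>Hello {safe_name},</p>"
        f'<p>Confirm your account: <a href="{safe_link}">{safe_link}</a></p>'
    )


if __name__ == "__main__":
    # Constructed sample inputs: a normal name, and the kind of payload the Talos
    # report describes (promotional text plus a link stuffed into the name field).
    for sample in ("Alice Example", "Win now http://example.invalid/claim", "Bob <b>x</b>"):
        result = validate_display_name(sample)
        print(f"{sample!r:45} -> ok={result.ok} reason={result.reason or '-'}")
```

The point of refusing to render, rather than stripping the link and continuing, is that a registration form with a URL in the name field is not a user with an unusual name; it is a signal worth logging and rate-limiting at the form, before any mail is queued.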
The findings follow the discovery of a new email phishing campaign that uses a seemingly harmless Microsoft Excel document to deliver a fileless variant of Remcos RAT by exploiting a known security flaw (CVE-2017-0199).
“Upon opening the [Excel] file, OLE objects are employed to activate the download and execution of a malevolent HTA application,” explained Trellix researcher Trishaan Kalra. “This HTA application subsequently triggers a series of PowerShell instructions culminating in the injection of a fileless Remcos RAT into a legitimate Windows process.”
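The chain Trellix describes (Office document, HTA, PowerShell) leaves a process-ancestry trail that endpoint telemetry can catch even when nothing is written to disk. The following is an added detection example, not code from the article or from Trellix: it parses constructed process-creation records, reconstructs each shell's ancestry, and flags a shell whose parent is the HTA host (mshta.exe) and which has an Office application further up the tree. The record format, the sample events, the file names and the process lists are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
HTA_HOSTS = {"mshta.exe"}                       # mshta.exe is what runs .hta files
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-cased executable name
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(
        pid=int(fields["pid"]),
        ppid=int(fields["ppid"]),
        image=fields["image"].lower(),
        cmdline=fields.get("cmdline", ""),
    )


def ancestry(proc: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links until the root of the captured tree; child comes first.
    The 'seen' set guards against PID reuse producing a cycle in the capture."""
    chain, seen, cur = [proc], {proc.pid}, proc
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_office_hta_shell_chains(events: List[ProcEvent]) -> List[List[str]]:
    """Return root-first image chains for every shell spawned by an HTA host
    that itself descends from an Office application."""
    by_pid = {e.pid: e for e in events}
    hits: List[List[str]] = []
    for e in events:
        if e.image not in SHELLS:
            continue
        chain = ancestry(e, by_pid)
        if len(chain) < 2 or chain[1].image not in HTA_HOSTS:
            continue                                   # parent must be the HTA host
        if not any(p.image in OFFICE_APPS for p in chain[2:]):
            continue                                   # and an Office app must be above it
        hits.append([p.image for p in reversed(chain)])
    return hits


# Constructed sample telemetry (not real captures). Events 100-400 follow the
# reported chain; 500-700 are benign look-alikes that must not be flagged.
SAMPLE_LOG = """
pid=100|ppid=1|image=explorer.exe|cmdline=explorer.exe
pid=200|ppid=100|image=EXCEL.EXE|cmdline=EXCEL.EXE C:\\Users\\user\\Downloads\\invoice.xlsx
pid=300|ppid=200|image=mshta.exe|cmdline=mshta.exe C:\\Users\\user\\AppData\\Local\\Temp\\update.hta
pid=400|ppid=300|image=powershell.exe|cmdline=powershell.exe -NoProfile -File C:\\Users\\user\\AppData\\Local\\Temp\\stage.ps1
pid=500|ppid=100|image=mshta.exe|cmdline=mshta.exe C:\\Tools\\helpdesk.hta
pid=600|ppid=500|image=powershell.exe|cmdline=powershell.exe -NoProfile -File C:\\Tools\\inventory.ps1
pid=700|ppid=100|image=powershell.exe|cmdline=powershell.exe
"""

SAMPLE_EVENTS = [parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    for chain in find_office_hta_shell_chains(SAMPLE_EVENTS):
        print("suspicious chain:", " -> ".join(chain))
```

The benign HTA launched from Explorer (events 500 and 600) is intentionally not flagged: the signal here is the combination of an Office parent and an HTA host, not mshta.exe or PowerShell on their own, which keeps the rule usable in environments where administrators run either legitimately.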