Phishing Vendor Sells IP Addresses to Duck Anomaly Detection

Cyber Security Threat Summary:
A large-scale phishing-as-a-service operation is shifting tactics to let its customers evade anomaly detection by using IP addresses local to the victim, Microsoft warns. Microsoft first identified the provider in 2021 after detecting a phishing campaign that used more than 300,000 domains and unique subdomains in a single run. BulletProofLink, also referred to as BulletProftLink or Anthrax, sells access to phishing kits, email templates, hosting, and automated services "at a relatively low cost." BulletProofLink also supports business email compromise (BEC), the practice of sending scam messages that appear to come from a legitimate source, typically in the guise of invoices or other requests for payment or financial details. BEC often involves a compromised account at a legitimate business being used to contact that business's partners and customers. The U.S. Secret Service has reported that BEC incidents cost global enterprises more than $43 billion in losses over a five-year span.

Security Officer Comments:
Microsoft's Digital Crimes Unit reports that BulletProofLink now sells IP addresses acquired from residential telecoms. The addresses are chosen to match the location of the intended victim, so that sign-ins made with stolen credentials do not trip anomaly detection systems that flag "impossible travel": a user authenticating from IP addresses in two locations within a window shorter than the time needed to physically travel between them, which ordinarily indicates a compromised account. Microsoft calls the evasion tactic IP matching, after the heuristic it defeats. Microsoft has observed threat actors in Asia and an Eastern European nation using the tactic most frequently. The resale of residential IP addresses by malicious actors is expected to worsen. The large-scale availability of residential IP addresses that can be tied to specific locations gives cybercriminals the means and opportunity to monetize large quantities of compromised credentials and gain unauthorized access to accounts without triggering location-based alerts.
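The following is an added example, not code from Microsoft or the article, showing how an impossible-travel detector works and why a location-matched residential IP slips past it. The sign-in events, IP addresses, coordinates and the 1,000 km/h threshold are constructed for illustration. A second, simpler check (sign-in from an IP the user has never used before) is included because it still catches the matched-IP case that the travel heuristic misses.

```python
import math
from datetime import datetime

# Constructed sample sign-in events, not real telemetry:
# (user, UTC timestamp, source IP, latitude, longitude of the IP's geolocation)
SIGNINS = [
    ("alice", "2023-11-14T08:02:00", "203.0.113.10", 47.61, -122.33),  # Seattle, legitimate user
    ("alice", "2023-11-14T08:40:00", "198.51.100.7", 52.23, 21.01),    # Warsaw, attacker on a VPS
    ("bob",   "2023-11-14T09:00:00", "203.0.113.25", 40.71, -74.01),   # New York, legitimate user
    ("bob",   "2023-11-14T09:45:00", "203.0.113.99", 40.73, -73.99),   # New York, attacker on a matched residential IP
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _group_by_user(events):
    """Sort events chronologically per user (ISO-8601 strings sort correctly)."""
    by_user = {}
    for user, ts, ip, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip, lat, lon))
    return by_user


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user whose implied speed exceeds max_kmh.

    Returns a list of (user, previous_ip, current_ip, implied_kmh).
    """
    alerts = []
    for user, evs in _group_by_user(events).items():
        for (t0, ip0, la0, lo0), (t1, ip1, la1, lo1) in zip(evs, evs[1:]):
            hours = (t1 - t0).total_seconds() / 3600.0
            dist = haversine_km(la0, lo0, la1, lo1)
            if hours <= 0:
                # Simultaneous sign-ins: only impossible if they are from different places.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append((user, ip0, ip1, round(speed)))
    return alerts


def new_ip_for_user(events):
    """Flag sign-ins from an IP the user has not used in any earlier event.

    This is the complementary check that still fires on a location-matched
    residential IP, because matching the city does not match the address.
    Returns a list of (user, ip).
    """
    alerts = []
    for user, evs in _group_by_user(events).items():
        seen = set()
        for idx, (_, ip, _, _) in enumerate(evs):
            if idx > 0 and ip not in seen:
                alerts.append((user, ip))
            seen.add(ip)
    return alerts


if __name__ == "__main__":
    # Alice's Warsaw sign-in is flagged; Bob's matched-IP sign-in is not.
    print(impossible_travel(SIGNINS))
    # Both attacker sign-ins are flagged by the never-seen-IP check.
    print(new_ip_for_user(SIGNINS))
```

Bob's second sign-in is what IP matching buys the attacker: the implied speed is a few km/h, so the travel heuristic stays quiet. Only a check that keys on the specific address (or device, or ASN) rather than the geolocation catches it, which is why location-based anomaly detection should not be the sole signal.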

Suggested Correction(s):
Implement multi-factor authentication (MFA) for user accounts. MFA adds a layer of security by requiring users to present more than one form of identification: something the user knows (a password), something they have (a mobile device or hardware token), or something unique to them (a fingerprint or facial recognition). Because phishing kits such as those sold by BulletProofLink capture credentials as the victim types them, prefer phishing-resistant methods that are bound to the legitimate site's origin (FIDO2 security keys or passkeys) over one-time codes that can be relayed along with the password. Do not treat impossible-travel alerts as the only sign-in anomaly signal; correlate sign-ins with device, IP address and ASN history as well as geolocation. Organizations should also regularly educate their users about account security best practices, such as using strong and unique passwords, being cautious of phishing attempts, and promptly reporting any suspicious activity.

Link(s):
https://www.bankinfosecurity.com/