Business Email Compromise (BEC) , Fraud Management & Cybercrime

Phishing Vendor Sells IP Addresses to Duck Anomaly Detection

BulletProofLink Found a Way to Thwart Impossible Travel Detection
Phishing Vendor Sells IP Addresses to Duck Anomaly Detection
Image: Shutterstock

A large-scale phishing-as-a-service operation is shifting tactics to allow attackers to avoid anomaly detection by using localized IP addresses, warns Microsoft.

See Also: CISO Guide to Generative AI Attacks

The computing giant discovered the provider in 2021 after detecting a phishing campaign that used more than 300,000 domains and unique subdomains in a single run. BulletProofLink, also referred to as BulletProftLink or Anthrax, sells access to phishing kits, email templates, hosting, and automated series "at a relatively low cost" (see: Microsoft Analyzes Phishing-as-a-Service Operation).

BulletProofLink is also in the business of business email compromise, the practice of sending scam messages that appear to come from legitimate sources in the guise of invoices or other requests for financial details. BEC often involves a compromised account of a legitimate business used to contact business associates.

The U.S. Secret Service has reported that BEC incidents cost global enterprises more than $43 billion in losses over a five-year span (see: US Secret Service Versus Business Email Compromise).

Microsoft's Digital Crime Unit says BulletProofLink now sells attackers IP addresses bought from residential telecoms that match the location of the intended victim. The IP matching is a tactic to overcome "impossible travel" anomaly detection used to indicate a compromise. The method gets its name from the heuristic process it suggests - if a user logs on to a service from different IP addresses matched to different locations in less than the time it would take to physically arrive there, the account may be compromised.

"Microsoft has observed threat actors in Asia and an Eastern European nation most frequently deploying this tactic," the company says.

Bad actors reselling IP addresses is a problem that is poised to get worse, Microsoft also warns. "Residential IP addresses mapped to locations at scale provide the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts."

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.