Threats Tagged 'phishing-as-a-service'
View all threats tagged with 'phishing-as-a-service'. Filter and sort to focus on specific types of threats.
Bluekit Phishing as a Service (PhaaS)
BlueKit operates as a mature commercial Phishing-as-a-Service platform offering 87 ready-made phishing kits targeting banks, cloud services, cryptocurrency exchanges, and global brands. The platform features subscription-based access, automated account takeover capabilities, peer-to-peer infrastructure for stealth, and integrated anti-detection tooling. BlueKit supports credential harvesting, session hijacking, and automated post-compromise workflows including password resets and passkey enrollment. The platform includes bulk SMS phishing capabilities, Telegram notifications, hardware wallet seed phrase harvesting, and integration with anti-detect browsers. Operating through Tor and clearnet domains with cryptocurrency payments, BlueKit employs a reseller model enabling white-label redistribution. The platform significantly lowers technical barriers for cybercriminals while providing enterprise-grade phishing infrastructure, posing critical threats to financial institutions, cloud environments, and cryptoc...
Source: AlienVault OTX General | 06/16/2026, 23:44:00 UTC | Added: 06/17/2026, 08:16:46 UTC

Sniper's Nest: From Brand Impersonation to Browser Hijacking and CPA Fraud
An investigation into phishing activity targeting users across the Middle East and North Africa uncovered SniperDz, a centralized Push-Notification-as-a-Service and Phishing-as-a-Service platform. The operation uses fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations to promote fake offers including free mobile internet packages and financial compensation. Victims are redirected through trusted link-aggregation services like Linktree and Linkbio to evade detection. SniperDz provides 80 phishing templates mimicking over 30 global brands across financial services, social media, streaming, and gaming platforms. The infrastructure employs browser notification abuse, history manipulation creating a back-button prison, premium SMS subscriptions, premium-rate calls, investment scams, and affiliate marketing for monetization. Analysis revealed over 900 suspicious domains linked to shared hosting infrastructure and a recurring VAPID public key connecting multiple campai...
Source: AlienVault OTX General | 06/11/2026, 11:49:42 UTC | Added: 06/11/2026, 14:32:37 UTC

PHISH ALERT: Press Play for Compromise — Voicemail Phishing Kit Bundles SSO Hijacking, Credential Theft, and RMM Delivery
An advanced voicemail-themed phishing campaign is utilizing HTML attachments to hijack Microsoft 365 sessions through silent OAuth exploitation. Emails arrive spoofing legitimate businesses with fake voicemail notifications containing embedded HTML files. When victims click the play button, the kit triggers a rogue OAuth 2.0 request using the prompt=none parameter to steal authentication tokens from active M365 sessions. If no active session exists, victims are redirected to credential harvesters hosted on compromised infrastructure, specifically a Turkish domain hosting over 100 active campaign directories. The operation includes multiple attack vectors: fake login portals mimicking DocuSign, Outlook and Google, OAuth device code phishing interfaces, and RMM deployment disguised as document viewers. This represents a sophisticated Phishing-as-a-Service operation deploying concurrent attack types from consolidated infrastructure.
Source: AlienVault OTX General | 06/10/2026, 10:57:37 UTC | Added: 06/10/2026, 11:12:10 UTC

Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages
A sophisticated smishing and phishing operation active since the second half of 2025 has impersonated over 267 brands across 72 countries, with particular concentration in Latin America. The campaign generated 4,389 phishing domain instances, with Mexico accounting for 1,851 cases. Telecommunications is the most targeted sector with 1,754 instances, followed by financial services and consumer rewards programs. The operation employs fake Cloudflare error pages as decoys, revealing malicious content only to victims matching specific geofencing and mobile device criteria. Data exfiltration occurs through encrypted WebSocket channels using binary encoded payloads. Approximately 30% of infrastructure is hosted on Tencent Cloud and Alibaba US servers, fronted by Cloudflare to mask hosting IPs. The attack chain progresses from SMS lures through progressive credential harvesting, ultimately capturing complete credit card details including CVV codes.
Source: AlienVault OTX General | 06/03/2026, 13:18:23 UTC | Added: 06/04/2026, 09:03:35 UTC

From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services
A significant expansion of the Kali365 phishing-as-a-service operation has been observed, now targeting multiple platforms beyond Microsoft 365. The operator abuses OAuth 2.0 device authorization flows to bypass MFA and steal authentication tokens. Key discoveries include a live command-and-control panel infrastructure, a phishing campaign impersonating MAX Messenger (Russia's state-backed messaging platform with 110 million users) through fake prize-claim flows, and a cluster of 126 malicious hosts impersonating services including Microsoft Outlook, Okta SSO, Xerox DocuShare, Mail.ru, Yandex Disk, and Odnoklassniki. The operation demonstrates a deliberate focus on Russian consumer platforms alongside Western enterprise targets, utilizing Telegram bots for credential exfiltration and employing a multi-tenant phishing platform distributed through Telegram channels.
Source: AlienVault OTX General | 06/02/2026, 19:07:01 UTC | Added: 06/03/2026, 09:33:37 UTC

The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across 300+ domains using a pixel-perfect clone of FIFA's authentication system. The operation harvests credentials, sells fake tickets, and processes payments through five distinct channels including cryptocurrency. Estimated losses from premium ticket fraud alone range from $71 million to $474 million, with total campaign losses potentially reaching billions. Six distinct fraud schemes operate in parallel: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven credential theft. Over 2,513 FIFA account credentials are already circulating on dark-web markets. The campaign exploits Facebook advertising as its primary distribution chann...
Source: AlienVault OTX General | 05/27/2026, 11:33:17 UTC | Added: 05/27/2026, 14:18:34 UTC