
Over 140,000 Cyber Attacks Targeting User Credentials Fueled by Free Sniper Dz Phishing Tools

Over the past year, more than 140,000 phishing websites have been identified as being linked to the phishing-as-a-service (PhaaS) platform named Sniper Dz, indicating a high level of usage by cybercriminals to carry out credential theft.

According to researchers at Palo Alto Networks Unit 42, Sniper Dz provides an online admin panel with a variety of phishing pages for aspiring phishers to choose from. These pages can be hosted on Sniper Dz infrastructure or downloaded as templates to be hosted on personal servers.

These services are offered for free, making them more appealing to cybercriminals. However, the credentials obtained from the phishing sites are also sent to the operators of Sniper Dz, a tactic referred to as “double theft” by Microsoft.

PhaaS platforms like Sniper Dz have become a popular entry point for novice threat actors to engage in cybercrime, allowing even those with limited technical skills to execute large-scale phishing attacks.

These phishing kits can be purchased from channels on Telegram, where various aspects of the attack process are catered to, from hosting services to sending phishing messages.

Sniper Dz operators maintain a Telegram channel, created on May 25, 2020, that had over 7,170 subscribers as of October 1, 2024. In response to a report by Unit 42, the channel admins activated the auto-delete feature for posts, likely to conceal their activities, although older messages remain in the chat history.

The PhaaS platform, accessible on the clearnet, requires users to sign up for an account to access scam and hack tools, as stated on the platform’s homepage.

Video demonstrations uploaded to Vimeo showcase the availability of scam templates in multiple languages such as English, Arabic, and French for popular online platforms like Facebook, Instagram, and PayPal. These videos have garnered thousands of views.

On YouTube, tutorial videos guide viewers through downloading templates from Sniper Dz and setting up fake landing pages on legitimate platforms like Google Blogger for games such as PUBG and Free Fire.

Notably, it is unclear whether the people behind these videos are affiliated with Sniper Dz developers or simply customers of the service.

Sniper Dz offers the option to host phishing pages on its own infrastructure and provides customized links to those pages, which are hidden behind a legitimate proxy server to evade detection.

Stolen credentials are displayed on an admin panel accessible on the clearnet. A surge in phishing activities utilizing Sniper Dz has been observed, particularly targeting U.S. web users since July 2024.

Cisco Talos recently uncovered attackers exploiting backend SMTP infrastructure to distribute phishing emails: by abusing web pages, they trigger email responses back to users with malicious links included.

This tactic leverages poor input validation on web forms, enabling inclusion of malicious content. Another attack method involves credential stuffing against legitimate mail servers to gain access to email accounts for spam distribution.
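An added example, not from the original article or from Cisco Talos: one way a form that echoes submitted fields into an automated e-mail reply can refuse link-bearing or header-breaking values before the message is sent. The field names, length limits and sample values are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed policy for fields that a signup/contact form echoes into an
# automated e-mail reply (field names and limits are illustrative).
MAX_LEN = {"name": 64, "company": 96}

# Patterns that let an echoed field carry a clickable destination.
_SCHEME = re.compile(r"(?i)\b(?:https?|ftp)\s*:|\bwww\.")
_DOMAIN = re.compile(r"(?i)\b[a-z0-9-]{1,63}(?:\.[a-z0-9-]{1,63})*\.[a-z]{2,24}\b")
_MARKUP = re.compile(r"[<>\[\]()@/\\]")


def check_echoed_field(field: str, value: str) -> list[str]:
    """Return the reasons a value must not be echoed into an auto-reply."""
    reasons = []
    # Normalise compatibility forms (e.g. full-width letters) before matching.
    folded = unicodedata.normalize("NFKC", value)
    if len(folded) > MAX_LEN.get(field, 64):
        reasons.append("too long")
    # Cc/Cf covers CR/LF (mail header injection) and zero-width characters.
    if any(unicodedata.category(c) in ("Cc", "Cf") for c in folded):
        reasons.append("control or format character")
    if _SCHEME.search(folded) or _DOMAIN.search(folded):
        reasons.append("link-like text")
    if _MARKUP.search(folded):
        reasons.append("markup or address character")
    return reasons


# Constructed sample submissions for the "name" field.
SAMPLES = [
    "Ada Lovelace",
    "J. R. Smith",
    "see example.com/win",
    "Ada\r\nBcc: x@example.test",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", check_echoed_field("name", s) or "ok")
```

A submission with any reason listed should be rejected, or the field omitted from the reply, rather than sanitised and sent.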

A new phishing campaign using a Microsoft Excel document to propagate a fileless variant of Remcos RAT has also been identified. The campaign exploits a known security flaw (CVE-2017-0199) to inject malware into legitimate Windows processes.
