Cybercrime , Fraud Management & Cybercrime

View to a Phish: W3LL Specializes in Microsoft 365 Hacking

Phishing Platform Automates Big Business Email Compromise Attacks, Researchers Find
View to a Phish: W3LL Specializes in Microsoft 365 Hacking
Image: Shutterstock

Online scammers have been using a phishing toolkit to exploit at least 8,000 endpoints since the middle of last year to perpetrate costly business email compromise schemes.

So warns a new report from cybersecurity firm Group-IB, which says the attacks trace to a toolkit called W3LL Panel that promises to automate every aspect of a business email compromise attack and includes the ability to bypass multifactor authentication. It has more than 500 active users.

Group-IB said it has found at least 850 unique phishing sites being used to support W3LL-launched attacks against at least 56,000 corporate Microsoft 365 corporate accounts since Oct. 2022, leading to at least 8,000 of those accounts being compromised. The report includes indicators of compromise, YARA rules defenders can use to identity known signs of W3LL-powered attacks, and mitigation guidance.

Less prone to generating headlines than noisy ransomware attacks, BEC attacks in aggregate actually lead to greater known losses. In 2022, reported losses due to BEC scams totaled $2.7 billion, making them second in total online fraud losses only to investment scams at $3.3 billion, reported the FBI's Internet Crime Complaint Center, aka IC3. Total reported BEC losses have continued to increase year on year, rising from $2.4 billion in 2021 and $1.9 billion in 2020, IC3 reported.

A single successful BEC attack might lead to millions of dollars in losses for a victim. Experts say that has led to a shift to more sophisticated BEC attacks, increasingly perpetrated by organized crime rings (see: US DOJ Indicts 6 for $6M Business Email Compromise Scam).

Platforms Automate Attack Chain

Moving beyond stand-alone phishing-as-a-service toolkits, platforms such as W3LL Panel that offer not just tools but managed services are a hot commodity because they help automate every part needed to execute an entire attack - aka the "kill chain." This includes compromising targets, identifying accounts, and selecting and then using the email account to execute one of various types of attack scenarios. They include "data theft, fake invoice scam, account owner impersonation or malware distribution," says the report, authored by Group-IB's Anton Ushakov, deputy head of its High-Tech Crime Investigation Department in Europe, and Martijn van den Berk, a threat intelligence analyst.

For all-in-one options, users have multiple tool choices. "Caffeine and DEV-1101 are other phishing-as-a-service platforms also designed to steal Microsoft 365 credentials that share some common functionality with W3LL Panel," Ushakov told Information Security Media Group. Such open-source phishing toolkits as evilginx2 and Modlishka also offer adversary-in-the-middle functionality that allows users to steal session cookies and evade MFA, but "their level of sophistication and capabilities are less advanced compared to W3LL Panel," he said.

More advanced scammers use W3LL Panel to conduct reconnaissance and build their own target list, or else they purchase such information from their favorite log markets, which sell stolen credentials typically amassed via information-stealing malware, the report says.

For users who don't have the skills or inclination, there are about 12,000 items for sale via the W3LL community's shop, designed to help with running phishing campaigns, including compromised web services - including via web shells and cPanel access - as well as SMTP servers that can be used to send large volumes of phishing emails, lists of credentials - aka logs - and more. The store appears to have sold at least $500,000 worth of goods since last October, the report says.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire kill chain of BEC and can be used by cybercriminals of all technical skill levels," Ushakov said.

Range of Features

The report details a number of additional offerings and strategies employed by W3LL:

  • Community: W3LL is available via a closed, underground market called W3LL Store, which features customer support services, including trouble-ticketing systems and live webchat and is backed by an English-language online community.
  • Referrals: While W3LL doesn't advertise - word-of-mouth referral is the only way to join - its active user base now numbers over 500. The small size perhaps reflects what's required to maintain "effectiveness and support" for the kit, and perhaps also to stay under the radar for as long as possible."
  • Subscription: The W3LL Panel phishing kit is sold via subscription - $350 for the first three months, followed by $150 per month - and is designed specifically to abuse Microsoft 365 email accounts.
  • Add-ons: Up to 16 tools - including SMTP and SMS senders, a malicious link stager for generating phishing URLs, and reconnaissance tools to gather targets - can be added for $50 to $350 each per month.
  • Anti-copy: Every copy of the phishing kit software is tied to a unique activation code to help prevent piracy.
  • Updates: Tools get frequent updates to help them stay tough to detect.
  • Training: Video tutorials are available to guide less technically sophisticated users.
  • Geographies: While the tool can be used against any target, it is most often used to target victims in the U.S., the U.K. Australia and parts of the EU - especially Germany, France, Italy, Switzerland and the Netherlands.
  • Sectors: The most-targeted sectors have been manufacturing, IT, financial services, consulting, healthcare and legal services.

Group-IB said it is shared all findings with law enforcement.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.