A new report uncovers the scope and sophistication found in just one cybercrime vendor’s business that has aided credential harvesting and impersonation attacks for the last 6 years.
Normally when we talk about a Cybercrime-as-a-Service malware, toolset, or platform being behind a string of attacks, we rarely know anything more than the malicious tools that were used. But new information from cybersecurity vendor Group-IB about cybercrime innovator W3LL provides some key insights that may shed light on how other groups are operating.
Group-IB’s report, W3LL Done: Uncovering Hidden Phishing Ecosystem Driving BEC Attacks, spells out W3LL’s phishing tool ecosystem, its private club of threat actors, its customizable tools, and where W3LL partners have carried out attacks. The findings in this report provide insight into how these cybercrime businesses function.
According to Group-IB, W3LL has created malicious tools since 2017. Today, W3LL has over 500 active customers and uses both reseller and referral programs to entice continued growth through word of mouth.
Ever since W3LL created a phishing kit specifically to target Microsoft 365 accounts, Group-IB has identified W3LL as a major contributor to attacks on Microsoft 365. W3LL now offers over 12,000 items on its “W3LL Store” on the dark web.
And while the cumulative 56,000 compromised Microsoft 365 accounts are the sum total of attacks by a disparate set of threat actors and criminal groups, it’s the common use of W3LL’s toolsets that has empowered these malicious campaigns to succeed.
As your organization looks to improve its cybersecurity stance, consider that “vendors” like W3LL will only multiply and continue to improve their products. This makes it more difficult for users to identify a malicious email from a legitimate one – something that demands the continual use of security awareness training to counteract.