In the past year, over 140,000 phishing websites have been traced to a phishing-as-a-service (PhaaS) platform known as Sniper Dz, signaling its widespread use by cybercriminals for credential theft.
“Sniper Dz provides potential phishers with an online admin panel, offering a wide array of phishing pages,” detailed researchers Shehroze Farooqi, Howard Tong, and Alex Starov from Palo Alto Networks Unit 42 in a technical report.
Phishers have the option to either host these phishing pages using Sniper Dz’s infrastructure or download the phishing templates to use on their own servers.
One of the reasons this platform is so attractive to cybercriminals is its zero-cost services. However, it’s worth noting that while these phishing sites steal credentials, the data is also exfiltrated back to the PhaaS platform’s operators—an approach that Microsoft dubs double theft.
PhaaS platforms are increasingly offering a gateway for novice threat actors to step into cybercrime, enabling even those with minimal technical know-how to launch widespread phishing attacks.
Such phishing kits can be easily procured on Telegram, where specialized channels and groups cater to every phase of the attack process, from hosting services to distributing phishing messages.
Sniper Dz is a prime example of this trend. As of October 1, 2024, the group behind it manages a Telegram channel with over 7,170 subscribers, launched on May 25, 2020.
Curiously, a day after the Unit 42 report was published, the channel administrators activated an auto-delete feature, purging all posts after one month. This could be an effort to erase their trail, though earlier posts remain visible in the chat logs.
The PhaaS platform is openly accessible on the clearnet, requiring users to sign up for an account to “get your scams and hack tools,” according to its website.
A video uploaded to Vimeo in January 2021 showcases the platform’s offering of ready-to-use scam templates for various popular websites such as X, Facebook, Instagram, Skype, Yahoo, Netflix, Steam, Snapchat, and PayPal. The templates are available in English, Arabic, and French, and the video has garnered over 67,000 views to date.
Additionally, The Hacker News has unearthed tutorial videos on YouTube that walk users through the process of downloading Sniper Dz templates and setting up phishing landing pages for popular games like PUBG and Free Fire, using legitimate platforms such as Google Blogger.
It remains unclear whether these video creators are directly affiliated with Sniper Dz or if they are simply customers of the service.
Sniper Dz enables phishing pages to be hosted on its own infrastructure, generating unique links for each page. These pages are concealed behind a legitimate proxy server (proxymesh[.]com) to avoid detection.
“The Sniper Dz group configures this proxy server to load phishing content from its backend servers covertly, without direct communication,” the researchers explained.
“This strategy helps shield Sniper Dz’s backend infrastructure, as the victim’s browser or a security crawler will only detect the proxy server, not the phishing payload source.”
Cybercriminals can also download phishing templates in HTML format and host them on their own servers. Moreover, Sniper Dz offers tools to convert these templates into a Blogger format, allowing them to be hosted on Blogspot domains.
The stolen credentials are ultimately displayed on an admin panel that users can access by logging into the clearnet site. Unit 42 reported a surge in phishing activity utilizing Sniper Dz templates, predominantly targeting U.S.-based web users, starting in July 2024.
“Sniper Dz phishing pages exfiltrate victims’ credentials, tracking them through centralized infrastructure,” the researchers noted. “This centralized system could be helping Sniper Dz aggregate credentials stolen by various phishers using its PhaaS platform.”
This development coincides with Cisco Talos’ revelation that attackers are exploiting web pages tied to backend SMTP infrastructure, such as account creation forms, to bypass spam filters and disseminate phishing emails.
These exploits capitalize on weak input validation and sanitization processes, injecting malicious links and text into such forms. Additionally, some campaigns use credential stuffing attacks against legitimate mail servers to gain access to email accounts and distribute spam.
“Many sites allow users to register and log in for specific features or content,” said Talos researcher Jaeson Schultz. “Upon successful registration, a confirmation email is typically sent to the user.”
“In these attacks, spammers overload the name field with text and a link, which is unfortunately not validated. As a result, the email sent back to the user includes the spammer’s link.”
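An added illustration (not Talos's code, nor any real site's) of the weak pattern Schultz describes: the submitted name is dropped straight into the confirmation mail, beside a hardened handler that validates the name field before it reaches the message. The sample registrations, site name and confirmation URL are constructed.

```python
import html
import re

# Constructed sample inputs: a normal registration and one where the "name"
# field has been stuffed with spam text plus a link, as described by Talos.
SAMPLE_NAMES = [
    "Jane Doe",
    "Jane Doe - claim your prize at http://example.invalid/prize",
]

CONFIRM_URL = "https://example.invalid/confirm?token=PLACEHOLDER"  # constructed
NAME_MAX_LEN = 80
# Letters in any script, digits, whitespace, apostrophes, hyphens and dots.
NAME_RE = re.compile(r"[\w\s.'\-]+")
# Heuristic for schemes, "www." prefixes and bare domain-like tokens.
URL_RE = re.compile(r"(https?://|www\.|\b[a-z0-9-]+\.[a-z]{2,}\b)", re.IGNORECASE)


def naive_confirmation(name: str) -> str:
    """Weak pattern: whatever was typed into the name field goes into the mail."""
    return f"Hello {name}, thanks for registering. Confirm here: {CONFIRM_URL}"


def validate_display_name(name: str):
    """Return (ok, reason); rejects overlong names, embedded links and markup."""
    name = name.strip()
    if not name or len(name) > NAME_MAX_LEN:
        return False, "length"
    if URL_RE.search(name):
        return False, "contains_link"
    if not NAME_RE.fullmatch(name):
        return False, "disallowed_characters"
    return True, "ok"


def safe_confirmation(name: str):
    """Hardened pattern: validate first, escape on output, refuse on failure."""
    ok, reason = validate_display_name(name)
    if not ok:
        # The caller should reject the registration and log the reason.
        return None
    return f"Hello {html.escape(name.strip())}, thanks for registering. Confirm here: {CONFIRM_URL}"


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print("naive :", naive_confirmation(n))
        print("safe  :", safe_confirmation(n))
```

The domain heuristic is deliberately strict for a name field; a length cap plus a character allow-list already blocks most stuffed payloads, and rejected attempts are worth logging as a signal of this abuse.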
This surge in phishing activity coincides with the discovery of a new email phishing campaign that uses seemingly benign Microsoft Excel files to deliver a fileless variant of Remcos RAT by exploiting a known security vulnerability (CVE-2017-0199).
“Once the Excel file is opened, OLE objects trigger the download and execution of a malicious HTA application,” explained Trellix researcher Trishaan Kalra. “This application then runs a series of PowerShell commands, culminating in the injection of a fileless Remcos RAT into a legitimate Windows process.”