fabioberti.it - stock.adobe.com

Meet the professional BEC op that targeted Microsoft 365 users for years

The so-called W3LL cyber crime operation ran a phishing empire that has played a large role in compromising Microsoft 365 accounts for years. Its activities are now coming to light thanks to Group-IB researchers

Researchers at Singapore-based Group-IB have published a major report exposing the activities of a hitherto little-known cyber criminal operation that ran a “phishing empire” which targeted and compromised thousands of Microsoft 365 business email accounts over a six-year period.

The so-called W3LL operation distributed multiple customised phishing kits through a hidden underground market, W3LL Store, serving an invite-only community of at least 500 threat actors specialising in business email compromise (BEC) attacks.

BEC attacks are scams in which attackers target employees with access to company funds and convince them to transfer money to the attacker, often having been convinced they are making emergency payments to customers or suppliers on behalf of senior executives. They are one of the most prevalent cyber threats in existence, raking in billions of dollars per annum.

Group-IB said W3LL’s tools were used to target more than 56,000 Microsoft 365 accounts around the world, including approximately 3,860 in the UK, between October 2022 and 2023. During the same period, Group-IB said it identified more than 3,800 items sold via W3LL Store in the wild, and at the time of writing, more than 12,000 items are on sale there. W3LL has likely netted at least $500,000 (£400,000) during the 10-month period, although this is probably an underestimation.

The researchers, who have been tracking W3LL for a long time, revealed how W3LL themself (or themselves) began their cyber criminal career in 2017, when they launched W3LL SMTP Sender, a custom bulk email spam tool, before developing and selling a phishing kit to target corporate Microsoft 365 accounts. Success in this area prompted them to open their covert, English-language marketplace in 2018, which has since evolved into a self-sustaining BEC ecosystem offering an “entire spectrum” of services, from the aforementioned phishing tools, to mailing lists and initial access to compromised servers.

“What really makes W3LL Store and its products stand out from other underground markets is the fact W3LL created not just a marketplace, but a complex phishing ecosystem with a fully compatible custom toolset that covers almost the entire kill-chain of BEC, and can be used by cyber criminals of all technical skill levels,” said Anton Ushakov, deputy head of Group-IB’s High-Tech Crime Investigation Department for Europe.

“The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors,” he said. “This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations.”

Read more about BEC

  • Massive growth in the volume of Business Email Compromise or BEC attacks was linked to a surge in successful phishing campaigns, according to data from Secureworks.
  • Cofense Intelligence studied hundreds of business email compromise attacks and found that most scams attempt to establish trust with targeted employees over multiple emails.
  • Three quarters of data breaches now involve a significant human element, and the higher up they get in an organisation, the more risks people seem to take, according to Verizon.

The underground store includes features such as a ticketing system and live webchat, while those that did not have the skills needed to use the tools properly could avail themselves of video tutorials. W3LL also runs a referral bonus scheme paying 10% commission on referrals, and even a channel programme with a 70-30 split on profits made by third-party suppliers who sold their wares on its store.

To access the closed community, new users must be referred by an existing member, at which point they will have three days to make a deposit to W3LL lest their new account be deactivated. W3LL does not advertise the store, and members are bound over to keep their mouths shut about it.

W3LL well well

W3LL’s major weapon and prize project, W3LL Panel, which was specifically designed to compromise Microsoft 365 accounts, “may be considered one of the most advanced phishing kits in [its] class”, said Group-IB, including features such as man-in-the-middle functionality, application programming interface and source code protection.

W3LL Panel is a highly efficient tool, but because of this, its use does seem to be restricted to a narrow circle of trusted criminals. A three-month subscription to W3LL Panel will set you back $500, before rolling onto a monthly $150 payment plan. Each copy of the kit must be enabled through a token-based activation mechanism, which means it can’t be resold, and its source code cannot be stolen.

As of August 2023, Group-IB said the marketplace offered 16 other fully customised tools, all compatible with one another, which collectively comprise a full service BEC setup. These include SMTP senders PunnySender and W3LL Sender, link stager W3LL Redirect, vulnerability scanner OKELO, automated account discovery tool CONTOOL, as well as recon tools. All are available on a licensing basis and fetch from $50 to $350 a month. They are regularly updated to improve functionality.

Phishing campaigns that use W3LL tools are described as “highly persuasive”, and tend to involve multiple products available. If compromised, victims can expect to experience various follow-on cyber attacks, from data theft, fake invoice scams, account owner impersonation, or malware distribution, with all the consequences that those scenarios entail.

The full report contains a list of indicators of compromise and YARA rules that security teams can use to hunt W3LL Panel phishing pages, of which Group-IB said it had observed at least 850.

Read more on Hackers and cybercrime prevention