Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz

Sept. 25, 2024, 9:39 a.m.

Description

Unit 42 examines Sniper Dz, a popular phishing-as-a-service (PhaaS) platform targeting social media and online services. Over 140,000 phishing websites associated with Sniper Dz were identified in the past year. The platform offers an admin panel with catalogs of phishing pages, allowing users either to host pages on Sniper Dz infrastructure or to download templates. Surprisingly, the services are free, likely because Sniper Dz itself collects the credentials stolen through them. The platform uses public proxy servers to hide phishing content, obfuscates its code, and relies on centralized infrastructure for credential exfiltration and victim tracking. Sniper Dz abuses legitimate SaaS platforms, particularly Blogspot, and uses brand names or trending topics as keywords in hostnames. After credential theft, victims may be redirected to malicious advertisements or potentially unwanted applications.

Date

Published: Sept. 25, 2024, 8:55 a.m.
Created: Sept. 25, 2024, 8:55 a.m.
Modified: Sept. 25, 2024, 9:39 a.m.

Indicators

http://pro.riccardomalisano.com/about/z2to.html

http://pro.riccardomalisano.com/about/z1to.html

http://raviral.com/k_fac.php

http://raviral.com/host_style/style/js-track/track.js

http://proxymesh.com/web/index.php

Attack Patterns

Sniper Dz

Sniper Dz

T1588

T1608

T1185

T1583

T1564

T1102

T1027

T1056

T1566

T1059