Unit 42 explores Sniper Dz, a popular phishing-as-a-service (PhaaS) platform targeting social media and online services. Over 140,000 phishing websites associated with Sniper Dz were identified in the past year. The platform offers an admin panel with phishing page catalogs, allowing users to host on Sniper Dz infrastructure or download templates. Surprisingly, services are free, likely because Sniper Dz collects stolen credentials. The platform uses public proxy servers to hide phishing content, obfuscates code, and employs centralized infrastructure for credential exfiltration and victim tracking. Sniper Dz abuses legitimate SaaS platforms, particularly Blogspot, and uses brand names or trends as keywords in hostnames. After credential theft, victims may be redirected to malicious advertisements or potentially unwanted applications.

Author: AlienVault
Related Tags:
phaas
Sniper Dz
T1588
Credential Theft
T1185
T1608
T1564
T1583
T1102
Associated Indicators:
http://raviral.com/k_fac.php
http://pro.riccardomalisano.com/about/z1to.html
http://raviral.com/host_style/style/js-track/track.js
http://pro.riccardomalisano.com/about/z2to.html
http://proxymesh.com/web/index.php