Threat actors have leveraged the Sniper Dz phishing-as-a-service platform to establish more than 140,000 phishing websites for credential theft efforts during the past 12 months, with malicious activity against U.S.-based web users escalating beginning in July, The Hacker News reports.
Malicious websites created with Sniper Dz have been given custom links and obscured by the legitimate proxymesh[.]com server, which has been configured to facilitate automated phishing content loading without direct communications in a bid to prevent detection of the PhaaS platform's backend servers, according to a Palo Alto Networks Unit 42 analysis.
Meanwhile, credentials stolen by the sites could be accessed through an admin panel within the clearnet site.
"Sniper Dz phishing pages exfiltrate victim credentials and track them through a centralized infrastructure. This could be helping Sniper Dz collect victim credentials stolen by phishers who use their PhaaS platform," said Unit 42 researchers. Such findings follow a Cisco Talos report detailing intrusions exploiting backend SMTP infrastructure-linked web pages to enable stealthy phishing email delivery.