
The U.S. Federal Bureau of Investigation (FBI), in collaboration with the Indonesian National Police, has dismantled the infrastructure behind a global phishing operation that used an off-the-shelf toolkit called W3LL to steal the account credentials of thousands of victims and attempt more than $20 million in fraud.
In parallel, authorities detained a suspected developer identified as GL and seized key domains associated with the phishing scam. “This takedown cuts off a key resource used by cybercriminals to gain unauthorized access to victims’ accounts,” the FBI said in a statement.
W3LL phishing kits let criminals mimic legitimate login pages and trick victims into handing over their credentials, giving the attackers control of their accounts. The phishing kit was advertised for about $500.
Customers of the kit could deploy fake websites that imitate legitimate ones and collect credentials by posing as trusted login portals.
“This wasn’t just phishing, this was a full-service cybercrime platform,” said FBI Atlanta Special Agent in Charge Marlo Graham. “We will continue to utilize all available tools and work with our domestic and international law enforcement partners to protect the public.”
W3LL was first documented in September 2023 by Singapore-based Group-IB, which highlighted an underground marketplace called W3LL Store that served approximately 500 threat actors and allowed operators to purchase access to the W3LL panel phishing kit, along with other cybercrime tools for business email compromise (BEC) attacks.
The cybersecurity company described W3LL as an all-in-one phishing platform that offers a wide range of services, from custom phishing tools and mailing lists to access to compromised servers. The attackers behind the illegal service have been active since 2017 and are believed to have previously developed mass email spam tools such as PunnySender and W3LL Sender.
According to the FBI, the W3LL Store also facilitated the sale of stolen credentials and unauthorized system access, including remote desktop connections. It is estimated that more than 25,000 compromised accounts were sold through the store between 2019 and 2023.
“Primarily focused on Microsoft 365 credentials, W3LL utilizes an adversary-man-in-the-middle (AitM) to hijack session cookies and bypass multi-factor authentication,” Hunt.io said in a report published in March 2024.
And last year, in an analysis of another phishing kit known as Sneaky 2FA, French security firm Sekoia revealed that the tool “reused some of the code” from the W3LL Store phishing syndicate, adding that cracked versions of W3LL have been circulating for the past few years.
“Even after W3LLSTORE was shut down in 2023, its operations continued through encrypted messaging platforms where the tools were rebranded and actively marketed,” the FBI said. “In 2023-2024 alone, phishing kits were used to target more than 17,000 victims around the world.”
“The developers of this tool collected and resold access to compromised accounts, increasing the scope and impact of this scheme.”
