W3LL what do you know: covert BEC phishing empire uncovered


A new report details the operations of W3LL, a threat actor behind a sprawling phishing empire that was unknown until now. It’s extensively targeting Microsoft 365.

Group-IB, a cybersecurity company based in Singapore, said in the report that it had been tracking the evolution of W3LL – active since 2017 – and uncovered that it has played a major role in compromising Microsoft 365 business email accounts over the past six years.

The threat actor has also created a hidden underground market, named W3LL Store. It served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass multi factor authentication (MFA), as well as 16 other fully customized tools for business email compromise (BEC) attacks.

ADVERTISEMENT

Group-IB investigators identified that W3LL’s phishing tools were used to target over 56,000 corporate Microsoft 365 accounts in the United States, Australia, and Europe between October 2022 and July 2023.

According to Group-IB’s estimates, W3LL’s Store’s turnover for the last 10 months may have reached $500,000.

A successful “business”

W3LL’s success could be traced back to 2017, when they created W3LL SMTP Sender, a custom tool for bulk email spam. A phishing kit for targeting Microsoft 365 corporate accounts was then also developed.

“The growing popularity of the convenient toolset prompted the threat actor to venture into opening a covert English-speaking underground marketplace,” Group-IB says.

“Over time, the platform evolved into a fully sufficient BEC ecosystem offering an entire spectrum of phishing services for cybercriminals of all levels, from custom phishing tools to supplementary items such as mailing lists and access to compromised servers.”

W3LL Store even provides “customer support” through a ticketing system and a live webchat. Wannabe hackers who aren’t skilled enough to leverage the tools on offer can watch video tutorials.

At present, the W3LL store has more than 500 active users, Group-IB says. To become a W3LL store customer, newcomers need to be referred by existing members – the threat actor does not want the public – or law enforcement – to know about the underground marketplace.

ADVERTISEMENT

W3LL’s major weapon, W3LL Panel, may be considered one of the most advanced phishing kits in class, featuring adversary-in-the middle functionality, API, source code protection, and other unique capabilities.

According to Group-IB, W3LL Panel does not have a variety of fake pages and it was designed to compromise Microsoft 365 accounts specifically. However, due to its high efficiency, the phishing kit became trusted by a narrow circle of BEC criminals.

W3LL offers a 3-month phishing kit subscription for $500. Subsequent months cost $150 each. Moreover, the criminal entity regularly updates its tools, adding new functionalities, improving anti-detection mechanisms, and creating new ones.

A toolset for all

Researchers say that phishing campaigns involving W3LL tools are “highly persuasive” and provide a high level of automation and scalability.

“After compromising a target, threat actors proceed to the account discovery phase and then may employ one of the following scenarios: data theft, fake invoice scam, account owner impersonation, or malware distribution using the compromised email account,” the report says.

The consequences of a BEC attack for a firm can be dire. It can suffer direct financial losses, data leaks, reputational damage, compensation claims, and even lawsuits.

ib-group-phishing
Identified victims of BEC attacks involving W3LL tools. Courtesy of Group-IB.

According to Group-IB, BEC threat actors using W3LL’s tools targeted at least 56,000 corporate Microsoft 365 business accounts, and more than 8,000 of them were ultimately compromised. The actual impact could be significantly higher, though.

ADVERTISEMENT

“What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire killchain of BEC and can be used by cybercriminals of all technical skill levels,” says Anton Ushakov, Deputy Head of Group-IB's High-Tech Crime Investigation Department, Europe.

As for Microsoft, experts have recently criticized the corporation’s lack of transparency about breaches, irresponsible security practices, and vulnerabilities. It’s alleged that the company exposes its customers to risks and keeps them in the dark about them.