Sniper Dz Phishing Tools
Over the past year, researchers have identified over 140,000 phishing websites linked to a Phishing-as-a-Service (PhaaS) platform known as Sniper Dz, highlighting its widespread use among cybercriminals for credential theft.
Sniper Dz provides prospective phishers with an online admin panel featuring a range of phishing templates. According to a technical report, users can either utilize Sniper Dz's own hosting services for these pages or download the templates to run on their own servers.
The platform's appeal is further enhanced by the fact that these services are offered for free. However, note that the credentials gathered through these phishing sites are sent back to the operators of the PhaaS platform, a tactic referred to by experts as double theft.
Cybercriminals Increasingly Rely on PhaaS Platforms
Phishing-as-a-Service (PhaaS) platforms are becoming an increasingly popular entry point for aspiring cybercriminals, enabling individuals with minimal technical skills to launch large-scale phishing attacks. These phishing kits are readily available for purchase on Telegram, where dedicated channels and groups support every aspect of the attack chain, from hosting services to sending out phishing messages.
Sniper Dz is one such platform, operating a Telegram channel that boasts over 7,170 subscribers as of October 1, 2024. This channel has been active since May 25, 2020. Notably, following the cybersecurity experts' report, the administrators of this channel activated an auto-delete feature that removes posts after one month. This move likely indicates an effort to erase traces of their activities, although earlier messages remain accessible in the chat history. The PhaaS platform is available on the clearnet, and its users must create an account to access its 'tactics and hack tools.'
Video Tutorials for the Phishing Tools
A video uploaded to Vimeo in January 2021 demonstrates that the service provides ready-to-use tactic templates for a variety of online platforms, including X, Facebook, Instagram, Skype, Yahoo, Netflix, Steam, Snapchat, and PayPal, available in English, Arabic and French. This video has garnered over 67,000 views to date.
Additionally, researchers have found tutorial videos on YouTube that guide viewers through the steps needed to download templates from Sniper Dz and create fake landing pages for games like PUBG and Free Fire using legitimate platforms such as Google Blogger. However, it remains unclear whether these tutorial creators are affiliated with the developers of Sniper Dz or are simply users of the service.
How the Sniper Dz Phishing Tools Operate
Sniper Dz offers the capability to host phishing pages on its own infrastructure, providing customized links that direct users to these pages. To evade detection, these sites are concealed behind a legitimate proxy server (proxymesh.com), which the Sniper Dz group has configured to automatically load phishing content from its own server, so that visitors never communicate with that server directly.
This method helps protect Sniper Dz's backend servers, as the victim's browser or a security crawler perceives the proxy server as responsible for delivering the phishing payload. Alternatively, cybercriminals can download phishing page templates as HTML files for offline use and host them on their own servers. Sniper Dz also provides additional tools to convert these templates into the Blogger format, enabling them to be hosted on Blogspot domains.
Harvested credentials are ultimately displayed on an admin panel accessible by logging into the clearnet site. Experts have noted a spike in phishing activity utilizing Sniper Dz that began in July 2024, particularly targeting web users in the U.S.
The phishing pages associated with Sniper Dz are designed to exfiltrate victim credentials and track them through a centralized infrastructure, likely assisting Sniper Dz in gathering credentials stolen by phishers who utilize their PhaaS platform.