Twentytwo13

Malaysian police brings down phishing syndicate Bulletproftlink, 36-year-old Malaysian mastermind detained

Malaysian police, with the assistance of Australian Federal Police and the Federal Bureau of Investigation (FBI), have busted an international phishing service from Malaysia.

Inspector-General of Police, Tan Sri Razarudin Husain, in a press conference at Bukit Aman this afternoon, confirmed that the case and the main suspect, a 36-year-old Sabahan, were linked to Bulletproftlink.

Bulletproftlink’s name first surfaced in October 2020 when OSINT Fans, run by a cybersecurity expert and digital privacy enthusiast, in a three-part series, revealed that the main person behind the operations was one ‘Adrian Katong’ who worked in Sabah. The operation was also referred to as BulletProofLink and Anthrax.

Razarudin said police carried out simultaneous raids on Oct 6 and nabbed eight suspects, between the ages of 29 and 56, from several locations in Sabah, Selangor, Kuala Lumpur, and Perak.

He added that initial investigations showed that the operations started in 2015 but was only active “over the past year”.

However, Bulletproftlink has been on the radar of cybersecurity experts following the OSINT Fans expose. The Ankura Cyber Threat Intelligence Bulletin in October 2021 explored what it described as the uncovering of a massive phishing-as-a-service campaign. It went on to call the campaign as “quite sophisticated”.

According to the bulletin, the operation facilitates the selling of multiple single-payment, or monthly subscription-based services that include email templates, phishing kits, and spoofed malicious webpages, as well as providing hosting and automation services at a reasonably low price.

“Researchers dissected the “Bulletproftlink[.]com/shop” site and identified it to be a web store that sells fully operational downloadable web page clones of very well-known brands, including, but not limited to, Chase Bank, American Express, Adobe, Office 365, myGov (Australian), Yahoo, and Outlook. These pages typically cost a one-time fee of US$100, while hosting services are advertised at US$800 per month”, it read.

The report further added: “After research into the post and the vulnerability itself was completed, it was deemed that Mr Katong and Anthrax, were the same actor. At this point, researchers used RiskIQ to check the historical Domain Name System (DNS) records of the “Bulletproftlink[.]com” site, and found an older record named “adriankatong.bulletproftlink[.]com” resolving to 50[.]116[.]95[.]115[.].

“Further research on Mr Katong yielded a YouTube video that he posted in 2020, and with the signature of the video as ‘Anthrax Likers’ and ‘Love from Milaysia’ (sic). The video was analysed for every minute detail, and researchers were able to determine with high confidence that an actor claiming to be ‘Adrian Katong’ was either the ‘Anthrax Likers’ actor, or was intimately affiliated with them, as well as the Bulletproftlink website store.

“After researchers inspected Mr Katong’s public LinkedIn profile, they identified him as the chief executive officer of a company called ‘BPL Hosting’. The researchers, however, could not find any known legitimate businesses registered under his name, and assumed that ‘BPL’ stands for ‘BulletProftLink’.”

At the press conference, Razarudin added that police investigations and profiling showed a money trail to two investment schemes that did not exist. A total of 37 police reports were lodged in Malaysia with losses amounting to RM1.2 million.

Police are still gathering information on the number of victims based abroad, namely in Australia and the US, their total losses, those who secured the syndicate’s illegal operations, and how much they paid for the services.

“A total of 1,038 usernames and passwords, especially those from .edu and .gov websites, have been accessed illegally,” Razarudin added.