Singapore-based global cybersecurity leader Group-IB has published a new threat report detailing the activities of W3LL, a clandestine threat actor behind numerous business email compromise (BEC) attacks on Microsoft (NASDAQ:MSFT) 365 accounts in Australia, the US and Europe.
The report reveals that W3LL's operations have spanned over six years and included a hidden marketplace, W3LL Store, serving a community of at least 500 threat actors.
The store offered 16 specialised tools, including a phishing kit designed to bypass multi-factor authentication (MFA) for Microsoft 365 accounts.
New Threat Alert???? Group-IB's latest report uncovers a covert #phishing empire led by #W3LL, operating since 2017. This threat actor has remained largely unknown until now. Let's see what's inside -> https://t.co/3irXa9bA4C pic.twitter.com/D4Pw6gFwkj— Group-IB Global (@GroupIB) September 6, 2023
Escalation in activities
Group-IB’s latest report indicates a worrying escalation in W3LL’s activities, especially in the realm of targeted phishing attacks.
Between October 2022 and July 2023, W3LL’s Store amassed an estimated turnover of US$500,000.
The clandestine marketplace listed more than 12,000 items and targeted 56,000 corporate Microsoft 365 accounts globally, including a significant number in Australia.
Among the 56,000 targeted accounts, more than 8,000 of them were ultimately compromised.
These attacks could lead to severe consequences ranging from data breaches to substantial financial losses.
Moreover, sectors like manufacturing, IT, and financial services—cornerstones of the Australian economy—are among the most frequently targeted.
Group-IB investigators identified that W3LL’s phishing tools were used to target over 56,000 corporate Microsoft 365 accounts in the USA, Australia and Europe between October 2022 and July 2023. pic.twitter.com/5l995mXHWh— Group-IB Global (@GroupIB) September 6, 2023
W3LL's threat
W3LL started as a black-market store and soon metamorphosed into a robust BEC ecosystem.
Offering tools that can bypass Multi-Factor Authentication (MFA) and a myriad of other services, the platform has catered to cybercriminals at varying skill levels.
The closed-loop nature of the W3LL Store adds another layer of complexity to this cyber threat.
Entry to this marketplace is by referral only and newcomers have a narrow three-day window to deposit to sustain their membership.
With a strict non-disclosure policy, W3LL has been able to operate relatively undetected until now.
High level of automation and efficiency
Group-IB's unmasking of W3LL serves as a pivotal reminder of the ever-evolving nature of cyber threats.
With W3LL's tailored tools and services offering a high level of automation and efficiency, their methods are sophisticated and can easily go unnoticed until it's too late.
Therefore, Australian corporations need to bolster their cybersecurity protocols and remain continually updated on emerging threats.
Group-IB has conveyed its comprehensive findings about W3LL to relevant law enforcement agencies.
Nevertheless, as cybercriminal operations like W3LL become more intricate, corporations must stay one step ahead to protect their assets and sensitive data.