Breaking Badness

166. I’m W3LL Aware of BEC Attacks

Coming up this week on Breaking Badness: W3LL, W3LL, W3LL, Riders on the Storm-0558, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

W3LL, W3LL, W3LL

  • Group-IB published a new threat report on the hidden phishing ecosystem driving BEC attacks
  • W3LL has been largely unknown up until now
    • This might meet a pretty high bar for some kind of index that weighs lateness of discovery against magnitude of operations. Meaning, it would be less momentous to discover a relatively small operation that goes way back in time, or a big operation that’s fairly recent
    • But big AND old makes this pretty interesting. Of course, bits and pieces of it have been noticed over time, but it took this report from Group-IB (which is a bit of a complicated story of its own, but that’s another episode) to pull it all together
    • The report describes it as a phishing “empire” that has played a major role in compromising Microsoft 365 business email accounts since 2017. It’s a very extensive operation, with an underground market with a pretty mature phish kit and a lot of other tools that do some sophisticated things like MFA bypass and more
  • It was noted that W3LL provided “customer support” to cybercriminals who don’t have the skills to leverage the tools they offered
    • One of the hallmarks of the underground cybercrime economy over at least the last 10 years but probably a lot longer, is that it truly mirrors the above board economy in a lot of ways, and customer support is one of those ways
    • Remember how there was this realization a few decades ago about how some of the most fundamental things a young person needs in terms of friendship, purpose, sense of belonging and achievement, etc, were all being provided in one way or another by gangs, and that this was important to understanding how gangs worked?
      • It’s kind of the same deal. If you’ve got cloudy prospects in the world, and there are on one side a lot of rules and structures that can get in your way, and on the other side a welcoming community with a relatively low bar to entry—that can get a lot of folks started down the path of cybercrime
      • And part of how the path to ill-gotten gains is paved is with structures that make it easy for the participants to succeed, and in these kinds of models, the more the lower-level participants succeed, the more the operators do too. So they’ve got:
        • Support with a ticketing system and webchat
        • Tutorial videos
        • A referral bonus system
        • A reseller program (this is maybe the first instance of this in the underground that I’ve seen)
  • There are currently more than 500 active users of the W3LL store – how does one go about becoming a W3LL store user?
    • They’ve taken some measures to both vet their customers and to help keep things quiet—which is why it’s taken a while for this thing to be uncovered
    • Any prospective customers have to be referred by existing members. Those new users (not clear whether there’s additional vetting beyond the referrals themselves) have 3 days to make a deposit to their balance, otherwise their account will be deactivated
    • The operator doesn’t advertise the W3LL store and asks their customers not to talk about it online. As Group-IB puts it, the first rule of W3LL club is…
  • W3LL’s product, called W3LL Panel, is something that Group-IB identifies as one of the most advanced phishing kits in class, featuring adversary-in-the-middle (which we recently talked about on the pod), but what else makes it so advanced?
    • It’s very comprehensive and well-designed. They have tools—complete with branding—for every stage of the operation, end to end
    • The Group-IB report has a flow chart that explains it really well, so that’s worth a look. But basically, after compromising a target, the phishers proceed to the account discovery phase and then have some options like data theft, fake invoice scam, account owner impersonation, or further malware distribution using the compromised email account
    • Being able to bypass multifactor authentication is one of the features of this that caught my eye, since we all know that MFA is one of the cornerstones of security best practices
  • What do we know about victimology of those using W3LL toolkits?
    • According to this report, they’ve targeted at least 56,000 corporate Microsoft 365 business accounts and they say that more than 8,000 of them were ultimately compromised
    • Obviously as one would expect, the actual number of victims could be, and probably is, significantly higher
    • The tools don’t really specify a particular demographic, but most of the identified targets are organizations in the US, Australia, the UK and other countries in Western Europe (Germany, France, Italy, Switzerland, Netherlands)
    • Their favorite verticals seem to be manufacturing, IT, financial services, consulting, healthcare, and legal services
  • What improvements is Microsoft making in the wake of these findings?
    • There are no silver bullets – a lot of the general blocking and tackling you’d expect
    • The indicators are backend things W3LL is using, so unless you have someone in your organization using these kits, there’s not a ton you can do
    • There are YARA rules to discover phishing panels
    • Implement FIDO2 – that will tend to harden things a bit
    • Lock down your access policies
    • There is no one silver bullet – so you need to do all the things you’re already doing, just a little bit better, unfortunately, which is not frustrating advice at all
    • Now that this has been blown open, we expect there will be better hunting targets – we’ll get better at detecting and preventing this, but it’s not an easy one right now

Riders on the Storm-0558

  • The technical analysis into the investigation of the Microsoft account consumer signing key has concluded and as part of transparency, Microsoft is sharing their findings
  • We actually talked about Storm-0558 a few weeks ago in episode 162
    • July 11 is when Microsoft first posted about a China-based threat actor using an acquired Microsoft consumer key to access OWA and
    • So back in July, they shared what they knew and said, “we’ll get back to you,” which they now have
  • It’s a bit of a Rube Goldberg how this consumer key made it out into this exploit chain
    • It’s not totally unbelievable, because it happened
    • Started back in 2021, when a consumer signing system crashed and the key was captured in the cache of data coming out of the crash dump
    • That crash dump contained the key, which should have been caught but wasn’t, and the dump moved into the debugging environment; at a later point in time, Microsoft was compromised
    • Storm-0558 pulled that key down, and they were able to use a consumer key to sign enterprise requests to get into mailboxes
    • Back in 2018, Microsoft introduced the common key and merged consumer and enterprise together – it did not distinguish whether you had a consumer or an enterprise key – so decisions in 2018 and 2021 allowed this threat actor to get access to this information
    • Hats off to Microsoft for putting these threads together
    • And they were very transparent in how this all went down 
  • Going back to 2018
    • Microsoft has gone through a lot of iterations of this 
    • At some point in time, it seems like they were trying to solve identity and access management and they accepted both these keys
    • The threat actor was able to identify 
  • What improvements is Microsoft making in the wake of these findings?
    • In the post incident review, they do a really good job 
    • Enhanced credential signing 
    • Released enhanced libraries and authentication libraries 
    • They’ve patched this and it looks like they identified the scope of this particular key

This Week’s Hoodie/Goodie Scale

W3LL, W3LL, W3LL

[Taylor]: 3.67/10 Hoodies
[Tim]: 5/10 Hoodies

Riders on the Storm-0558

[Taylor]: 8/10 Goodies
[Tim]: 8/10 Goodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!