Over the past year, more than 140,000 phishing websites have been discovered linked to a phishing-as-a-service (PhaaS) platform known as ‘Sniper Dz’, according to new research by Palo Alto Networks Unit 42.

“For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages,” said Unit 42 researchers. “Phishers can either host these phishing pages on Sniper Dz-owned infrastructure or download Sniper Dz phishing templates to host on their own servers.”

Sniper Dz offers free-of-charge model for would-be phishers, allowing cybercriminals to easily launch phishing campaigns. However, Sniper Dz also collects the victim credentials stolen through these campaigns apparently to compensate the costs of running the service.

Researchers note that this business model has led to an increase in the number of cybercriminals signing up for the service.

Sniper Dz employs a unique strategy to evade detection. The platform hides phishing content behind a public proxy server, which automatically loads phishing content hosted on Sniper Dz's infrastructure, making it harder for detection mechanisms to trace the source of the attack.

In addition to using proxy servers, Sniper Dz users frequently exploit legitimate software-as-a-service (SaaS) platforms to host phishing websites, blending malicious content with trusted online services. To lure unsuspecting victims, phishers employ popular brand names, trending topics, and sensitive keywords on their phishing pages.

Once a victim’s credentials are stolen, the infrastructure often redirects them to malicious advertisements. The malicious ads can lead to the distribution of potentially unwanted applications (PUAs) or programs (PUPs), such as rogue browser installers.

Sniper Dz provides phishers with two main methods to conduct their attacks:

• Phishing pages hosted on Sniper Dz infrastructure: Phishers can utilize Sniper Dz’s servers to launch phishing attacks, making it easier for them to start without needing their own infrastructure.

• Downloadable phishing templates: For more advanced users, the platform offers phishing templates that can be hosted on the attacker’s own servers, giving them greater control over their campaigns.

Sniper Dz includes a backdoor within the phishing pages that allows the platform to track and collect the stolen credentials. This ensures that Sniper Dz can capture victim data, even when threat actors operate independently using their own infrastructure.