The Resecurity HUNTER unit identified a new underground service called “Frappo”, which is available on the Dark Web. “Frappo” acts as a Phishing-as-a-Service and enables cybercriminals to host and generate high-quality phishing pages which impersonate major online banking, e-commerce, popular retailers, and online services to steal customer data.
The platform has been built by cybercriminals to leverage spam campaigns which distribute professional phishing content. “Frappo” is actively advertised on the Dark Web and on Telegram, where it has a group with over 1,965 active members – there cybercriminals discuss how successful they’ve been at attacking the customers of various online services.
Initially, the service popped up on the Dark Web around March 22, 2021 and has been significantly upgraded since then. The last update of the service was registered on May 1, 2022.
“Frappo” grants cybercriminals the ability to work with stolen data anonymously and in an encrypted format. It provides anonymous billing, technical support, updates, and the tracking of collected credentials via a dashboard.
“Frappo” was initially designed to be an anonymous cryptocurrency wallet based on a fork of Metamask and is completely anonymous, it doesn’t require a threat actor to register an account.
The service provides phishing pages for over 20 financial institutions (FIs), online retailers and popular services – including Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi and Bank of America.
The authors of “Frappo” provide several payments plans for cybercriminals depending on their chosen duration of the subscription. Like a SaaS-based services and platform for legitimate businesses, “Frappo” allows cybercriminals to minimize costs for the development of phishing-kits and to use the same on a bigger scale.
Notably, the deployment process of phishing pages is fully automated – “Frappo” is leveraging a pre-configured Docker container and a secure channel allowing it to collect compromised credentials via API.
Once “Frappo” is properly configured, statistical data will be collected and visualized, such as: how many victims opened the phishing page, accessed authorization and entered credentials, uptime, and the server status. Compromised credentials will be visible in the “Logs” section with additional details about each victim, such as IP address, User-Agent, Username, Password, etc.
The observed phishing pages (or “phishlets”) are high-quality and contain interactive scenarios that trick the victims into entering authorization credentials.
Cybercriminals are forever leveraging advanced tools and tactics to attack consumers globally. The protection of digital identity becomes one of the top key priorities for online safety, and a subsequently becomes a new digital battlefield – wherein threat actors are hunting on stolen data.
“Resecurity is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed,” said Christian Lees, Chief Technology Officer (CTO) of Resecurity, Inc.
Resecurity is an Affiliate Member of FS-ISAC and an Official Member of Infragard, who aim to combat cybercriminal activity targeting financial services and Internet users globally.