Exclusive: Welcome “Frappo” – Resecurity identified a new Phishing-as-a-Service

The Resecurity HUNTER unit identified a new underground service called ‘Frappo’, which is available on the Dark Web.

“Frappo” acts as a Phishing-as-a-Service and enables cybercriminals the ability to host and generate high-quality phishing pages which impersonate major online banking, e-commerce, popular retailers, and online-services to steal customer data.

The platform has been built by cybercriminals to leverage spam campaigns that distribute professional phishing content. “Frappo” is actively advertised in the Dark Web and on Telegram where it has a group with over 1,965 active members – there cybercriminals discuss how successful they’ve been at attacking the customers of various online services. Initially, the service popped up in the Dark Web around 22^nd March 2021, and has been significantly upgraded since then. The last update of the service was registered May 1, 2022.

“Frappo” grants cybercriminals the ability to work with stolen data anonymously and in an encrypted format. It provides anonymous billing, technical support, updates, and the tracking of collected credentials via a dashboard. “Frappo” was initially designed to be an anonymous cryptocurrency wallet based on a fork of Metamask and is completely anonymous, it doesn’t require a threat actor to register an account.The service provides phishing pages for over 20 financial institutions (FIs), online-retailers and popular services – including Amazon, Uber, Netflix, Bank of Montreal (BMO), Royal Bank of Canada (RBC), CIBC, TD Bank, Desjardins, Wells Fargo, Citizens, Citi and Bank of America.

The authors of “Frappo” provide several payment plans for cybercriminals depending on their chosen duration of the subscription. Like a SaaS-based services and platform for legitimate businesses, “Frappo” allows cybercriminals to minimize costs for the development of phishing-kits, and to use the same on a bigger scale.

Notably, the deployment process of phishing pages is fully automated – “Frappo” is leveraging a pre-configured Docker container and a secure channel allowing it to collect compromised credentials via API. 

Once “Frappo” is properly configured, statistical data will be collected and visualized – such as how many victims opened the phishing page, accessed authorization and entered credentials, uptime, and the server status. Compromised credentials will be visible in the “Logs” section with additional details about each victim such as IP address, User-Agent, Username, Password, and etc.

The observed phishing pages (or “phishlets”) are high-quality and contain interactive scenarios which trick the victims into entering authorization credentials.

Phishing-as-a-Service like “Frappo” are successfully used by threat actors for things like Account Takeover (ATO), Business Email Compromise (BEC), Payment and Identity Data Theft.

Cybercriminals are forever leveraging advanced tools and tactics to attack consumers globally. The protection of digital identity becomes one of the top key priorities for online safety, and subsequently becomes a new digital battlefield – wherein threat actors are hunting on stolen data.

“Resecurity® is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed” – said Christian Lees, Chief Technology Officer (CTO) of Resecurity, Inc.

Resecurity® is an Affiliate Member of FS-ISAC and an Official Member of Infragard which aim to combat cybercriminal activity targeting financial services and Internet users globally.

Detailed analysis of the Phishing-As-A-Service Frappo is available here:

https://resecurity.com/blog/article/welcome-frappo-the-new-phishing-as-a-service-used-by-cybercriminals-to-attack-customers-of-major-financial-institutions-and-online-retailers

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Frappo)

[adrotate banner=”5″]

[adrotate banner=”13″]