Report an incident

Get 24/7 incident response assistance from our global team

Talk to sales

Just fill out the form, and our representative will contact you soon.

Join the Cybercrime Fighters Club

Please review the following rules before submitting your application:

1. Our main objective is to foster a community of like-minded individuals dedicated to combatting cybercrime and who have never engaged in Blackhat activities.

2. All applications must include research or a research draft. You can find content criteria in the blog. Please provide a link to your research or research draft using the form below.

W3LL done: uncovering hidden phishing ecosystem driving BEC attacks
← Research Hub

W3LL done: uncovering hidden phishing ecosystem driving BEC attacks

Access untapped details into the scope and sophistication of the W3LL’s BEC-focused criminal enterprise

Background

As Business Email Compromise (BEC) becomes more prevalent, Group-IB uncovers the developing tactics, tools, and infrastructure employed by specific threat groups orchestrating the attacks.

Discover the shift in attack strategies as adversaries evolve from low-skilled fraudsters to sophisticated criminal networks. With phishing remaining an integral intrusion vector in BEC attacks, this report delves into this trend using the case of the W3LL threat actor’s BEC-focused phishing operation.

Group-IB experts conducted a detailed analysis of the main trends in BEC, scrutinizing the W3LL phishing ecosystem, their underground marketplace, linear evolution, and how they compromise business email accounts utilizing W3LL tools. To counter this formidable threat, the report highlights concrete mitigation steps to prevent the incidence and impact of BEC attacks for various organizations.

Key Insights

The W3LL phishing tools ecosystem

W3LL enterprise is a private all-in-one ecosystem of phishing tools, specifically designed to compromise corporate email accounts. According to Group-IB’s rough estimates, W3LL’s Store’s turnover for the last 10 months may have reached $500,000.

Private club of threat actors

Around 500 individual threat actors of various proficiency in cybercrime are using extremely efficient W3LL tools to conduct BEC-focused phishing campaigns.

W3LL's primary weapon

W3LL Panel OV6 - a fully automated private phishing kit with adversary-in-the-middle technique is implemented, allowing criminals to bypass the benefits of 2FA.

Customizable attacks

As of August 2023, in addition to the W3LL Panel phishing kit, the marketplace offers 16 other fully customized tools covering almost the entire BEC kill chain, including SMTP senders, phishing kit, account discovery instruments, reconnaissance tools, and more for conducting complex and highly effective BEC phishing campaigns.

Targeted regions and sectors

W3LL phishing tool kit is being used in attacks all over the world - with over 56,000 corporate Microsoft 365 accounts targeted in the USA, UK, Australia, and Europe between October 2022 and July 2023. Industries frequently affected include manufacturing, IT, financial services, consulting, healthcare, and legal services.

In this report

Emerging trends in BEC attacksEmerging trends in BEC attacks

Learn about the new techniques implemented by threat actors like adversary-in-the-middle phishing kits, phishing email attachments, advanced traffic filtering, etc, to improve the efficiency of their attacks.

Modern BEC toolsetModern BEC toolset

Know the full spectrum of unique tools used by well-organized criminal businesses to execute successful phishing operations.

The kill chain of recent BEC attacks The kill chain of recent BEC attacks

Learn about the attack schemes and tactics employed by threat actors to manipulate victims and compromise their corporate accounts.

Organization of the advanced cybercriminal groupOrganization of the advanced cybercriminal group

Gain insight into the structure of modern cybercrime communities and the factors that make their attacks most effective.

Protection and mitigation recommendationsProtection and mitigation recommendations

Arm yourself with the knowledge provided by Group-IB experts on efficient defense measures against BEC attacks, one of the most dangerous cyber threats in the world.

How does a BEC attack impact your organization?

Regardless of the scheme chosen by the threat actors, the overall impact on a company that has suffered a BEC attack is financial loss (from several thousand to several million euros), data leaks, reputational damage, claims for compensation, and even lawsuits.

Activate advanced protection against cyber threats

Group-IB’s security ecosystem provides comprehensive protection for your IT infrastructure based on our unique cyber intelligence and deep analysis of attacks and incident response.
Threat Intelligence
Threat Intelligence
Managed XDR
Managed XDR
Digital Risk Protection
Digital Risk Protection
Business Email Protection
Business Email Protection

Relevant reports

We see the full picture of the evolving cyber threat landscape thanks to unique tools for monitoring the infrastructure used by cybercriminals and data from battlefields:

Hi-Tech Crime Trends 2022/2023
Trend Report
Hi-Tech Crime Trends 2022/2023
Benefit from Group-IB’s flagship cybersecurity report and explore the current threat landscape trends and...
Learn moreRead report
Old Snake, New Skin: Analysis of SideWinder APT activity in 2021
Threat Research
Old Snake, New Skin: Analysis of SideWinder APT activity in 2021
Group-IB Threat Intelligence team uncovered a previously undocumented spear phishing campaign carried out by...
Learn moreDownload report
OPERA1ER: Playing God Without Permission
Threat Research
OPERA1ER: Playing God Without Permission
The group relied solely on known “off-the-shelf” tools to steal millions from financial service...
Learn moreDownload report