W3LL: Cybercrime-as-a-Service

September 27, 2023

The W3LL cybercrime gang offers a cybercrime-as-a-service model that represents a revolutionary change in the way that malicious tools are created, spread, and implemented. 

At first glance, W3LL may look like just another threat actor in the ever-growing list of cybersecurity bad guys. But W3LL is a game-changer that will require cybersecurity professionals to change their game accordingly. They’ve already compromised thousands of accounts on one of the world’s most popular platforms, and their business model is becoming the new standard for cybercrime-as-a-service. 

What is W3LL?

The W3LL Gang has been lurking around the dark web since about 2017. A recent in-depth report from Group-IB called W3LL Done: Uncovering Hidden Phishing Ecosystem Driving BEC Attacks explores the group’s history and capabilities. 

The simple explanation is that W3LL provides a members-only, underground marketplace–the W3LL Store–that sells phishing kits. These kits are powerful enough to bypass multi-factor authentication, designed for hacking corporate Microsoft 365 accounts, and easy to use for even inexperienced hackers.

W3LL likely chose to target Microsoft 365 because it is so common. Microsoft 365 is the primary distribution model for what was once known as the Microsoft Office suite of products. This family of productivity software and cloud-based services includes such widely-used applications as Outlook, OneDrive, Teams, PowerPoint, SharePoint, and many more. 

More than 1.3 million companies in the United States alone use Microsoft 365 as a part of their daily operations. The product is incredibly popular worldwide as well, with over 330,000 companies using it in the UK and nearly 146,000 in Canada. 

The W3LL marketplace is not small–there are currently over 500 active customers and over 12,000 items for sale. W3LL is sophisticated enough to employ both reseller and referral programs to help grow its sales by word of mouth. And W3LL’s reputation is good (among the bad guys): Group-IB estimates that W3LL sold more than 3,800 items for an estimated revenue of $500,000 between October 2022 and July 2023.  

As a buyer looking to get into cybercrime, W3LL makes an alluring offer. Its W3LL Panel costs about $500 for three months and comes with training videos and customer support! For the hacker looking for something more, there are 16 other fully customized tools for use in BEC (business email compromise) attacks. 

How Does W3LL Cause So Much Damage?

W3LL and its users have been on a relentless campaign to compromise Microsoft 365 accounts across multiple continents. An estimated 850 phishing campaigns have been deployed in an attempt to compromise more than 56,000 corporate Microsoft 365 accounts, primarily in the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. At least 8,000 accounts have been successfully hacked. 

W3LL attacks fall under the heading of business email compromise (BEC). Email compromise is one of the most financially lucrative crimes for a hacker and deeply damaging to the companies that fall victim. In 2022, businesses lost more than $2.7 billion to BEC scams, according to the FBI’s Internet Crime Complaint Center. That’s 80 times more than the cost of ransomware. 

In a typical BEC scam, a criminal sends an email message that appears to come from a known source and to make a legitimate request. W3LL’s SMTP Sender product enables hackers to send spam messages like this en masse. The messages may be from lookalike accounts or websites that use a slight variation on a legitimate address. They may contain a request to disclose confidential information that will give the criminal access to company accounts (spear phishing). Or the message may contain malware that, if clicked, could download and be used to infiltrate a company network and gain access to legitimate email threads about sensitive topics like billing or invoices. 

Why Are W3LL’s Methods Revolutionary? 

From a product standpoint, W3LL’s methods seem carefully considered and well executed. The mastermind(s) behind the organization developed a set of tools that they could have used to carry out attacks on their own with considerable success. But they saw–and seized–a bigger opportunity. Not every wannabe cybercriminal has the chops to develop their own tools. But plenty of wannabe cybercriminals have some cash to invest in ready-to-use products.  

The W3LL Store appears to be run more like a standard business marketplace. Goods and services are for sale. Training is available for buyers in need. Referral programs reward word-of-mouth sales. And customer support is on hand to help with issues. 

The financial success of W3LL (remember: $500,000 in sales in 10 months) will almost surely inspire imitators. W3LL has only cornered the market on a small niche of hacking tools primarily targeted at one specific software family. Security professionals should expect to see similar marketplaces pop up in the future. 

How the Security Community Should React

Constant vigilance is needed as vendors like W3LL are likely to multiply and improve their product offerings. Doubling down on security awareness training for all users of Microsoft 365 will help to address the risks specific to W3LL and its suite of products. 

Remind all users to be aware of the following at all times: 

  • Don’t click on anything in an unsolicited email or text.
  • Carefully examine the email address, URL, and spelling used in all correspondence. Scammers will use small differences to look similar to the real thing (like, W3LL and Well).
  • Be cautious about downloading…anything.
  • Never open an email attachment from someone you don’t know. 
  • Set up multi-factor authentication on any account that allows it. 
  • Verify payment and purchase requests in person or by calling the person to make sure the request and payment details are legitimate. 
  • Verify any change to account numbers or payment procedures in the same way.
  • Be wary of anyone pressuring you to provide payment or details quickly or off the schedule you have established with business partners. 
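
The address check in the second item above can be partly automated in mail triage. The following is an added example, not part of the original article: it flags sender domains that normalize to, or sit within one edit of, a trusted domain. The trusted-domain list, function names, and sample addresses are constructed for illustration.

```python
import unicodedata

# Constructed allow-list of domains the organisation really corresponds with (assumption).
TRUSTED_DOMAINS = {"well.example", "contoso-billing.example"}

# Common digit/symbol-for-letter swaps, as in "W3LL" for "Well".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})


def skeleton(domain):
    """Comparison form: lowercase, accents stripped, leet swaps undone, 'rn'->'m', 'vv'->'w'."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.translate(LEET)
    return text.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    candidate = skeleton(domain)
    for good in sorted(trusted):
        reference = skeleton(good)
        # Same skeleton, or a single inserted/dropped/swapped character, is suspicious.
        if candidate == reference or edit_distance(candidate, reference) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ("billing@well.example", "billing@w3ll.example",
                   "ap@contoso-bi11ing.example", "news@unrelated.example"):
        print(sender, classify_sender(sender))
```

A one-edit threshold will also flag some legitimate near-neighbours of short domain names, so treat a "lookalike" result as a prompt for manual verification rather than an automatic block.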

As long as there is money to be made by hackers, there will be cybercrime-as-a-service vendors like W3LL. The good news is that even as hacking businesses evolve, the tactics for staying safe are largely the same. Follow the security awareness training advice above and remember to stay on top of the news. And keep all your software updated and patched!

If you need help fortifying your business against email compromise and other security threats, reach out to Asylas at 615-622-4591, by email, or through our contact form.
