Reading:
What is a Phishing Kit?

What is a Phishing Kit?

March 24, 2022

A phishing kit is a set of software tools, such as HTML, pictures, and code that fraudsters can use to construct and launch phishing attacks. Phishing kits allow anyone with little or no phishing experience to quickly build hundreds or thousands of phishing sites and attack a wider audience. 

These toolkits enable scammers with little or no programming experience to develop components that look and behave like authentic emails and websites. The fake emails or text messages look from a reputable source, and recipients who click on a link are deceived into disclosing sensitive data such as passwords and personal information. These messages may appear to come from a different company, service, business partner, or supply chain source. 

What Does Phishing Kit Include? 

Phishing kits are usually divided into the following components: 

  • Imitation: These elements contribute to the login pages’ legitimacy. These can include images that seem like welcome banners as well as dynamically produced logos and branding based on the target’s email address. Legitimate links and “help” or “password reset” buttons may also be included in these components, directing cautious readers away from the page and legitimate sites.
Impersonating trusted websites is typical for phishing.
Impersonating trusted websites is typical for phishing.
  • Obfuscation: Scanners and automatic security detection systems can not see the true intent of the pages because of these components. Obfuscation techniques include encoding and particular functions to make resource extraction more difficult. Anti-sandboxing resources on the page or on the site called to enforce geofencing, CAPTCHAs, and other forms of obfuscation are examples.
With integrated browser developer tools, obfuscated data can be seen.
With integrated browser developer tools, obfuscated data can be seen.
  • Credential harvest: These components make it easier to enter, gather, and exfiltrate the credentials provided by the target user. These components also include details on where the user’s credentials are delivered, how they are stored, and which sites the user is directed to after providing them.
A phishing scam using Office 365 log-in screen.
A phishing scam using Office 365 log-in screen.

Phishing Kits in Hacker Markets 

Cybercrime tools and utilities are sold on the dark web to meet demand. Buyers may purchase whole phishing kits, which contain fake pages that impersonate legitimate companies and step-by-step instructions on how to begin an email phishing scam.

Threat actors are selling phishing kits at dark web black markets.
Threat actors are selling phishing kits at dark web black markets.

Phishing kits can be purchased for a few dollars, allowing even untrained hackers to launch a cybercrime campaign with little money or training. It’s worth noting that personal data costs anything from a dollar to thousands of dollars on the dark web markets

How to Detect a Phishing Kit? 

Since phishing kits are run by the server, the source code will not be seen unless the server makes a misconfiguration. Since some attackers do not pay attention to this situation, they usually leave the original zip file on the server, which is in a downloadable structure. 

This is an error that makes them easy to detect. The files can be seen more easily in some of the kits used because directory indexing is enabled. 

If the URL detected by Phistank, clean-mx is http://x.x.x.x/ outlook /index.php, then in some cases, the phishing kit source code can be obtained (kit) by requesting http://x.x.x.x/ outlook.zip. 

In the process of obtaining phishing kits made with automatic tools, this situation is also tested with species such as tar.gz. Obtaining the source code of the phishing kit will provide more information to the analysts. However, determinations can be made using various methods without obtaining a phishing kit. 

Phishing kits structurally contain two types of files: 

  • Resource files of the copy of the targeted website
  • Processing scripts are used to record stolen information and send it to attackers. 

Some parameters are helpful to determine whether a phishing kit is used on a website. These parameters were obtained from a previous phishing attempt. If one of these kits is used on a website, it can be scanned with free tools and commercial software to determine which phishing kit is involved. The methods used during the detection vary according to the tools. 

General parameters that are useful for phishing kit detection: 

  • The name of the phishing kit 
  • List of files included in the phishing kit 
  • Hash information of the files included in the phishing kit 
  • The size of the phishing kit 
  • Information about the developer of the phishing kit (name, mail, etc.) 
  • The e-mail address to which the obtained information (username, password, etc.) will be forwarded 
  • Signature of the phishing kit developer geolocation scripts 
  • Deception techniques 

A part of the result of the control performed with Kit-Hunter has been shared. Suspicious files and tags that enable these files to be found are given.

A phishing kit hunter tool report screenshot.
A phishing kit hunter tool report screenshot.

The screenshot below shows an attempt to search frequently used files, determine which phishing kit the attacker uses, and who prepared the phishing site.

Identifying which phishing kit was used.
Identifying which phishing kit was used.

TodayZoo Phishing Kit Analysis 

The framework, called TodayZoo by Microsoft, relies heavily on code from another phishing kit known as DanceVida. At the same time, other components closely resemble code from at least five other phishing kits. Microsoft originally spotted the phishing kit in December 2020. Still, a series of significant attacks targeting Microsoft users between March and June 2021 prompted the company’s threat intelligence team to investigate the kit.

The cybercriminal tool has been dubbed a “Franken-phish” due to its use of parts from other phishing kits. According to Tanmay Ganacharya, partner director for security research at Microsoft Defender, the kit appears to bring together various components of other phishing tools rather than use a phishing-as-a-service offering. 

Phishing kits usually consist of three main components:

  • An imitation ability that creates login pages that closely resemble a targeted brand.
  • A set of features obfuscate the pages’ malicious code, including anti-analysis features.
  • Code that harvests credentials or other sensitive data from the user and sends it back to the threat actor. 

Microsoft discovered that the code included in the two kits, TodayZoo and DanceVida, had roughly a 30% to 35% commonality in their examination. In terms of credential harvesting, the two codebases differed significantly. 

“We suspect the actors behind it came across an existing phishing kit template and changed the credential harvesting component with its exfiltration logic to create TodayZoo entirely for their evil objectives,” the Microsoft researchers state. 

The TodayZoo efforts followed the same four-step attack, with targeted consumers receiving email and subsequently being led to an initial page. The victims’ browsers were later transferred to a second page, which delivered them to a final landing page hosted by service provider Digital Ocean in almost every case. 

According to Microsoft, the code for TodayZoo and the scripts used to produce its pages had a considerable number of artifacts leftover from the source code. According to Microsoft, dead links and callbacks to other kits could imply that numerous phishing kit distributors and operators quickly take code from publicly available sources to assemble their tools. 

Companies Should Consider Taking Precautions

Credential phishing will continue to threaten businesses, especially if corporations do not properly filter out questionable email communications and senders. Companies should consider using multifactor authentication and hardening their mail server configurations to make phishing attempts more difficult. 

Researchers say phishing kits are becoming more and more modular—similar to malware. They state that other similar kits with a common code are currently well protected, but the problem remains as new kits and phishing pages come out every day.

Phishing Attacks Mostly Targeting Mobile Users

Phishing is still a common method of obtaining sensitive information and genuine credentials from innocent consumers. Successful attacks are less likely to occur through email clients and are more likely to target mobile users, according to the report of Jamf. They state: In the last year, around 10% of mobile users clicked on a phishing link, an increase of 160% over the previous year. 

According to the survey, Apple, PayPal, Amazon, and Microsoft were the most common brands targeted by phishing attacks in 2021. 

The Jamf research notes, “Phishing attack delivery has moved far beyond poorly written emails claiming ‘unclaimed lottery wins.'” “They’re not only more tailored and compelling, but they’re also reaching people in more locations than ever before, and they’re increasingly targeting business credentials and data in addition to consumers.”

Discover SOCRadar® Free Edition

With SOCRadar® Free Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets. Get free access