The issue of phishing attacks is on the rise, and it is becoming increasingly dangerous due to its accessibility and democratization. The Anti-Phishing Working Group (APWG) reported a record number of over 611,000 phishing attacks detected in January-March 2021, with January alone accounting for around 245,711 attacks. This exponential growth raises concerns regarding the anatomy of a phishing kit and the ease with which it can be utilized by attackers.
A typical phishing kit consists of a collection of ready-to-deploy files that can be easily copied to a web server and used with minimal configuration. These off-the-shelf kits come with comprehensive manuals, documentation, and instructions located in their root folder. They provide hackers with step-by-step guidance on setting up a virtual private server (VPS) and obtaining a transport layer security (TLS) certificate. Additionally, the instructions explain how to install the phishing kit, provide default login credentials, and reference the original creator of the kit. This level of detail makes it dangerously simple for less experienced scammers to launch sophisticated phishing attacks and gather victims’ data.
The kits commonly utilize PHP as the back-end programming language to ensure compatibility with most servers. They also contain CSS, HTML, JavaScript, and images to create the front-end web pages that resemble the login screens of targeted brands, banks, or institutions. These pages are designed to deceive and trick potential victims into submitting their sensitive information. Moreover, the kits include scripts that automate the process of collecting and exfiltrating the gathered data. Typically, the stolen data is sent via email to a “drop address” or saved in a local text file.
To stay one step ahead of authorities and independent researchers, phishing kits have become more sophisticated by incorporating anti-detection systems. These systems can be configured to evade detection by law enforcement agencies or automated anti-phishing solutions. The kits may also employ code obfuscation techniques to further evade detection. Some kits even refuse connections from known bots belonging to security and anti-phishing companies or search engines to avoid being indexed. Additionally, they leverage geolocation to prevent detection and utilize encryption methods to secure the exfiltrated data. Some kits even send the collected data to a secondary location to ensure their loot remains secure.
Despite the alarming growth and sophistication of phishing kits, there is a glimmer of hope. These kits can serve as a valuable source of data for researchers and cybersecurity professionals, providing insights into the techniques used in phishing attacks. Ermes Cyber Security, an Italian cybersecurity company, analyzed tens of thousands of phishing kits to identify approximately 6,000 kits targeting well-known brands. By closely studying these kits, Ermes was able to identify clusters of correlated kits, allowing for better threat intelligence and identification of criminals. Ermes has developed a unique and proprietary dataset containing tens of thousands of phishing kits, enabling them to offer critical insights and intelligence to their customers.
In conclusion, phishing attacks fueled by the availability and democratization of phishing kits present a significant threat to individuals and organizations worldwide. The ease with which these kits can be acquired and deployed makes them an attractive tool for both novice and experienced cybercriminals. However, companies like Ermes Cyber Security are actively working to combat this threat by analyzing phishing kits and providing crucial intelligence to help protect potential victims and identify criminals. Nonetheless, it is essential for users to remain vigilant and employ security measures to avoid falling victim to phishing attacks.