Off-the-shelf tools give attackers everything they need to build authentic-looking phishing campaigns
Organizations must understand the tools used by cyber-scammers if they’re to tackle the growing phishing threat, according to a white paper that examines the DIY kits that are driving the phenomenon.
Written by threat intelligence firm ZeroFOX, ‘The Anatomy of a Phishing Kit’ explores the phishing kit business model and ecosystem, which make the “process so easy that even the least capable of scammers is able to pull off a phishing campaign”.
Small-time cybercriminals need not manage their own infrastructure or design their own scams, thanks to the growing prevalence of readymade phishing kits.
These off-the-shelf tools give attackers everything they need to build an authentic-looking website and lure victims into entering sensitive personal information via emails or social media posts purporting to come from trusted sources.
Installation and features
To install the kit, wannabe cybercriminals set up a dropper email inbox, and sometimes a Telegram channel, ZeroFOX researchers said.
They then configure the kit to send results to droppers; buy infrastructure via web hosts, domains, or compromised websites; and unzip a file containing the kit onto a target machine.
Operators then spam the phishing kit URL, usually via SMS, email, or social media.
The research focuses on sophisticated vendors that emulate the licensing model used by legitimate Software-as-a-Service (SaaS) vendors, rather than unlicensed or ‘cracked’ kits.
These premium vendors typically provide technical support via social media or slick tutorial videos hosted on the dark web or anonymous chat applications.
Via administrator dashboards, users can access detailed logs of visits to their malicious sites and the sensitive information disclosed, as well as training guides and other tools.
If their phishing sites are identified as malicious and taken down, attackers can quickly set up new domains to minimize downtime.
Easy-to-configure ‘letters’ – emails that spoof legitimate organizations – are also available from vendors, as well as from phishing communities found on social media, chat apps, or invite-only forums.
Phishing kits are helping to fuel a rise in email and social media scams
In response to growing demand, the number of phishing kits advertised on underground cybercrime marketplaces doubled, while prices jumped from $122 to $304, between 2018 and 2019, according to Group-IB research dissected by The Daily Swig.
And Akamai reported in April that phishing kits were being repurposed to target a newly dispersed workforce during the Covid-19 pandemic.
“The greater availability and market of the kits definitely contributes to the overall increase in” phishing activity, Zack Allen, director of threat operations at ZeroFOX, tells The Daily Swig.
With browser-based exploits having been almost eliminated by the latest browser security features, “the money in malicious websites specifically is almost exclusively in phishing now.”
The ZeroFOX Alpha Team found that the price of phishing kits – invariably paid in cryptocurrency – appeared to be roughly pegged to the popularity of the targeted sectors.
The most widely imitated sectors according to the latest phishing figures (PDF) from the Anti-Phishing Working Group – SaaS/webmail (accounting for 33.5% of campaigns), financial institutions (19.4%), and payment platforms (13.3%) – were also targeted by the most expensive licensed kits.
“It is clear that financial institutions offer lucrative opportunities for attackers to profit due to the nature of financial transactions and inherent trust built between financial consumers and the institutions themselves,” said the ZeroFOX researchers.
SaaS/webmail kits, meanwhile, “could be used by spammers to do additional pivots through email in order to obtain access to accounts owned by the victim.”
Kits that spoofed social media companies (only accounting for 8.3% of campaigns) and cloud storage vendors (3.9%) were priced for the cash-strapped cybercrook and often circulated for free.
Know thine enemy
Organizations must ramp up their counter-phishing efforts in the face of proliferating, increasingly well-equipped enemies, suggests Zack Allen.
“In some ways, it’s a lot harder to catch phishing pages due to the use of kits,” he explains.
The latest innovations include “geo-fencing victims to a particular region of the world, as well as only allowing mobile users to view the site. This is typically a result of an actor who can configure and code these kits for their own use, but since it’s now consumer-focused, much less-sophisticated operators can use these features.”
Organizations should defend “against an ecosystem rather than just a link in an email,” advises the white paper.
“Analyzing the kits, the developers behind the kits as well as the TTPs of the operators can provide a cybersecurity team a holistic view of who and what they are combating,” the report states.