Now Anyone Can Easily Phish Your Credentials with Phishing Kits

Phishing attempts are now within the reach of non-technical attackers, thanks to phishing kits

Phishing kits are archive files containing the set of scripts that make a phishing website work. This toolset enables attackers with only modest programming skills to carry out massive malicious campaigns, which is why they are a point of interest for cybersecurity researchers. Phishing, or social engineering more generally, is one of the quickest ways to compromise a network. Phishing kits are the web component, or back-end, of phishing attacks. In most cases they are the final step, where the criminal has replicated a known brand or organization. Once loaded, the kit mirrors legitimate websites, such as those maintained by Microsoft, Apple, or Google. Developed using a mix of basic HTML and PHP, most phishing kits are stored on a compromised web server or website and usually live for only about 36 hours before they are detected and removed.

Detecting a phishing kit not only helps uncover hundreds or even thousands of phishing pages but can also serve as a starting point for an investigation to identify the toolkit's creator and bring them to justice.

Phishing Kits For Sale

Threat actors sell phishing kits as phishing-as-a-service across various dark web forums, inviting other cybercriminal affiliates into their phishing campaigns. Research revealed that phishing kits have gained the "Bestseller" tag in the underground market, with the number of ads and their sellers having doubled in 2019 compared to 2018. The growing demand for phishing kits is also reflected in their price which skyrocketed last year by 149 percent and exceeded US$300 per item. 

In 2021, Kaspersky detected 469 individual phishing kits, allowing it to block 1.2 million phishing websites. The brands most frequently impersonated by phishing kits in 2021, according to Kaspersky, were Facebook, Adidas, Amazon, Dutch banking group ING and German bank Sparkasse.

The Phishing Kit Landscape is Evolving

Phishing kit developers are making more dynamic kits that can change the branding on a per-user basis to match the target email domain instead of being a generic and static page.

Others are going further and showing a live background of the real login page with the credential harvesting part of the kit overlaid. All of this is being done to help sell the social engineering aspect and give confidence to the target that they are logging into a real site. Phishing-as-a-Service is also on the rise as it makes the barrier to entry much lower, allowing a less skilled threat actor to distribute and manage phishing campaigns at a scale they might otherwise not be able to achieve.

Defensive Mechanisms for Phishing Attacks
  • Google's Safe Browsing API protects the "Click" part of the phishing chain. If a malicious website is already part of the knowledge database and an unsuspecting user clicks on it, the Chrome browser will notify the user and warn them to turn back.
  • Microsoft's Phishing Filter also protects the "Click" part of the phishing chain. Just like Google's Safe Browsing API, if a malicious website is already part of the knowledge database and an unsuspecting user clicks on it, the Internet Explorer browser will notify the user and warn them to turn back.
  • Gmail's Gold Key works at the "Deception" point of the chain. It displays an icon that indicates the message is trusted.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) works at the "Delivery" portion of the chain. Domains that publish a DMARC policy let receiving mail servers verify that an email really came from the domain it claims to be from. Fake emails are rejected or discarded.
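To make the DMARC step above concrete, here is an added example (not code from the article or from any vendor named in it) of the decision a receiving mail server makes: it parses a domain's DMARC record, checks whether the domains that passed SPF and DKIM align with the visible From domain, and applies the domain's policy when neither does. The DMARC record and the authentication results are constructed sample data; a real receiver fetches the record from DNS at `_dmarc.<from-domain>` and takes the SPF/DKIM results from its own checks.

```python
"""DMARC disposition for a received message (added illustration, constructed data)."""


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s" into a dict.
    Missing alignment tags default to relaxed ("r"), as RFC 7489 specifies."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.
    (Real receivers consult the Public Suffix List instead.)"""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match; relaxed ("r")
    accepts any subdomain of the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record_txt, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass' if an aligned SPF or DKIM identifier authenticated the message,
    otherwise the domain's policy: 'none', 'quarantine' or 'reject'.
    spf_pass_domain is the MAIL FROM domain that passed SPF (None if SPF failed);
    dkim_pass_domain is the d= domain of a valid DKIM signature (None if none)."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, rec["adkim"])
    return "pass" if (spf_ok or dkim_ok) else rec["p"]


# Constructed record for a hypothetical bank: strict DKIM, relaxed SPF, reject policy.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-bank.test"

if __name__ == "__main__":
    # Legitimate mail relayed by the bank's own mail host: SPF aligns under relaxed mode.
    print(evaluate(RECORD, "example-bank.test", spf_pass_domain="mail.example-bank.test"))
    # Lookalike mail sent from unrelated infrastructure: nothing aligns, policy applies.
    print(evaluate(RECORD, "example-bank.test", spf_pass_domain="phish-host.test"))
```

The second call shows the path a spoofed message takes: SPF may pass for the sender's own infrastructure, but because that domain does not align with the From domain, the bank's `p=reject` policy is applied.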

Analytics Insight
www.analyticsinsight.net