Phishing Kits: Saturating the Threat Landscape

An often-overlooked aspect of cybersecurity is that humans represent the weakest link in the chain. Research shows that 90% of business compromise attacks take place by email and 90% of these involve some form of human error.[1] Phishing attacks, which rely on social engineering techniques, are especially problematic. According to The Mimecast Threat Intelligence Report, Black Hat USA Edition, the volume of impersonation attacks increased by 38% between January and March 2020 to nearly 46 million.

These phishing scams are typically propagated through phishing kits. These tool sets allow cybercriminals with near zero programming skills to create components that mimic legitimate emails and websites. The spoofed emails or text messages appear to be sent from a legitimate source, and a recipient who clicks a link is tricked into divulging information that can include credentials and personal data. These messages may appear to originate from another company, service, business partner or a source in the company’s supply chain.[2]

What makes phishing kits so problematic is that they include website development software that provides a low code or no code graphical user interface (GUI) for generating email templates, graphics, text and web pages. In some cases, the creators of the crimeware also offer lists of users—along with their phone numbers and email addresses—for an additional fee. Some refer to these software packages as Phishing as a Service kits (PaaS kits).[3] The number of phishing kits available currently reaches into the thousands.[4]

How Phishing Kits Work

The goal of any phishing attack is to lure recipients into divulging sensitive and personal data. This includes spear phishing, which is aimed at specific organizations or people; whaling, which attacks high profile business leaders, and vishing, which relies on the phone or voicemail to steal credentials and trick people into transferring sensitive data or funds.

For the criminal, the challenge is to generate messages and websites that appear authentic and convincing. Phishing kits simplify this task by automating processes and personalizing messages on a large-scale basis. The creator of the kit typically clones authentic websites, making the necessary modifications to launch a phishing attack—such as replacing the real username and login fields with a script that steals credentials. The kit’s user now has everything needed to dupe an unsuspecting employee into visiting the cybercrook’s website.[5]

Phishing kits are available on the dark web or from underground hacking forums for as little as $50 a month[6] or about $300 per kit.[7] There are also instructional videos on YouTube that explain how to use a kit.[8]

Why You Should Be Concerned

Cybercriminals frequently post these phishing site on a legitimate public cloud service like AWS or Azure. Then they send out their targeted messages and wait for the recipients to visit their site and handover their credentials. The phisher will receive an alert when they get a bite. After 24 to 48 hours, they will typically pull down the site —before posting a new one.

Because the cloud services that host these phishing kits have authentic SSL certificates and the sites often appear to be actual domains, users—even those who are relatively sophisticated and knowledgeable—can frequently be duped into entering their credentials and sharing sensitive data. The thieves then use this data to steal intellectual property or launch more elaborate and destructive attacks on the victim’s company, including ransomware attacks.

Researchers estimate that one highly sophisticated phishing kit that zeroes in on  major companies and high-ranking employees has successfully targeted more than 150 victims since mid-2019.[9] According to their report, the most frequently targeted sector was financial services, though executives at real estate, legal, consulting, manufacturing and energy companies were also among the victims. A harmless PDF file that appears to be shared from a trusted source via Microsoft Office 365 contains a link that takes the recipient to the phishing site.

Neutralizing the Threat

Phishing kits dramatically lower the barrier for cybergangs and online criminals to conduct sophisticated phishing campaigns. In most cases, the perpetrator simply has to select a target, supply a URL and tap a button to launch an attack. Attackers can also use encryption and other tools that make identifying them more difficult.

These kits are also becoming more sophisticated and able to allude detection by conventional tools. Some kits are able to block connections from specific IP addresses and hosts associated with security vendors, hide fields in browsers that might trigger security alerts, use document spoofing methods that elude security scanners and take advantage of advanced content injection methods that incorporate elements or include links from legitimate websites.[10]

In spite of this, there are still ways for your organization to neutralize the phishing kit threat. One key is to focus on the red flags that they generate. According to Phishing.org, these include:[11]

• A sender’s email addresses that originates from outside your company’s normal communication channels.
• Unusual domains, including messages that appear to come from a security or support service.
• Users copied on messages that include an unknown group or unfamiliar names.
• Messages received at strange hours.
• Odd email subject lines.
• Unexpected or odd attachments in an email.
• Content that includes unusual or subpar images, or poor grammar.

Other important safety measures include deploying aggressive spam controls, tightening browser settings and making use of specialized software to identify fake domains and block dangerous websites. Incorporate two factor authentication and voice verifications into work processes is also a smart move.[12]

Last but not least, it’s critical to provide ongoing training to employees, so they are better prepared to spot a phishing, spear phishing, whaling or vishing attack.

The Bottom Line

Phishing kits have been around for years in one form or another, but in recent years they have become far more widespread and dangerous. Recognizing the threat they pose and taking steps to neutralize them is critical to protecting an enterprise, and understanding how they work is a good place to start. With the right security precautions in place and ongoing employee awareness training, the risk of being victimized by a phishing email scheme is greatly diminished.

[1] “100 Days of Coronavirus (COVID-19),” Mimecast

[2] What are phishing kits? Web components of phishing attacks explained,” CSO.

[3] “Phishing Kit,” WhatIs.com

[4] “Researchers Analyze 3,200 Unique Phishing Kits,” HelpNetSecurity.

[5] “How Do Attackers Build and Use Phishing Kits?,” TechTarget.

[6] “Phishing-as-a-service threats abusing cloud services,” TechTarget.

[7] “Phishing kits: The new bestsellers on the underground market,” HelpNetSecurity.

[8] “How to Create a Phishing Kit Part 1,” YouTube.

[9] “Sophisticated Phishing Kit Used by Multiple Groups to Target Executives,” SecurityWeek.

[10] Ibid.

[11] “Social Engineering Red Flags,” Phishing.org.

[12] “What are phishing kits? Web components of phishing attacks explained,” CSO.