{"id":106149,"date":"2022-03-24T10:00:40","date_gmt":"2022-03-24T10:00:40","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/securelist\/?p=106149"},"modified":"2022-03-23T10:51:58","modified_gmt":"2022-03-23T10:51:58","slug":"phishing-kit-market-whats-inside-off-the-shelf-phishing-packages","status":"publish","type":"post","link":"https:\/\/securelist.com\/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages\/106149\/","title":{"rendered":"Phishing-kit market: what’s inside “off-the-shelf” phishing packages"},"content":{"rendered":"

What are phishing kits?<\/h2>\n

One of the most common tricks scammers use in phishing attacks is to create a fake official page of a famous brand. Attackers tend to copy design elements from the real website, which is why users can find it hard to distinguish the fake pages from the official ones. Even the domain name of a phishing page can often look like the real web address of a certain brand, as cybercriminals include the name of the company or service they are posing as in the URL. This trick is known as combosquatting.<\/p>\n

Combosquatting: registering a fake website with a domain name which contains “facebook.com”<\/em><\/strong><\/p>\n
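
A defender-side check for the combosquatting pattern described above, as an added example that is not part of the original article: it flags a URL whose host embeds a brand name but is not registered under that brand's own domain. The brand allow-list, the small suffix set standing in for the Public Suffix List, and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: constructed allow-list of each brand's legitimate registrable domains.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "amazon": {"amazon.com", "amazon.de"},
    "sparkasse": {"sparkasse.de"},
}
# Assumption: tiny stand-in for the Public Suffix List; use the full list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def registrable_domain(host):
    """Return the part of the host that someone actually had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def combosquat_brand(url):
    """Return the impersonated brand if the host embeds a brand name but is not
    registered under one of that brand's domains; otherwise return None."""
    # Accept bare hosts ("example.com/path") as well as full URLs.
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    registered = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and registered not in legit:
            return brand
    return None


# Constructed sample URLs (.example is a reserved TLD).
SAMPLES = [
    "https://facebook.com-login.example/verify",   # brand + real TLD used as a label
    "https://www.facebook.com/login",              # genuine host
    "amazon-prime-refund.example.co.uk/signin",    # brand combined with keywords
    "https://news.example/facebook.com",           # brand only in the path, not the host
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{combosquat_brand(url) or '-':10} {url}")
```

Plain substring matching also hits unrelated names that happen to contain a brand string, so a hit is a triage signal to review rather than a verdict.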

Given that phishing websites can be efficiently blocked or added to anti-phishing databases, cybercriminals have to generate these pages quickly and in large numbers. Creating them from scratch over and over again is time-consuming, and not all cybercriminals have the web-development and administration skills it takes. That is why cybercriminals favor phishing kits, which are like model aircraft or vehicle assembly kits. They consist of ready-made templates and scripts which can be used to create phishing pages quickly and on a massive scale. Phishing kits are fairly easy to use, which is why even inexperienced attackers who do not have any technical skills can get their heads around them.<\/p>\n

Cybercriminals tend to host pages generated using the phishing kits on hacked official websites, or rely on free web-hosting providers. The latter are constantly working to combat phishing and block the fake pages, although phishing websites often manage to serve their intended purpose within their short period of activity<\/a>, which is to collect the personal data of victims and send it to the criminals.<\/p>\n

Contents of phishing kits: basic and complex phishing kits<\/h2>\n

Phishing kits are ready-to-deploy packages which require the bare minimum of effort to use. Moreover, their developers usually provide instructions with their products for inexperienced attackers. Phishing kits are usually designed to generate copies of websites representing famous brands with large audiences. After all, the more potential victims there are, the more money there is to be stolen. The phishing kits we detected in 2021 most frequently created copies of Facebook, the Dutch banking group ING, the German bank Sparkasse, as well as Adidas and Amazon.<\/p>\n

The most basic option phishing kits offer is a ready-made phishing page which is fairly simple to upload to a web-hosting service.<\/p>\n

Contents of simple phishing-kit archive<\/em><\/strong><\/p>\n

These phishing kits have two essential components for practical reasons:<\/p>\n

    \n
  1. An HTML page with a phishing data-entry form and related content (style, images, scripts and other multimedia components). Attackers aim to make the page look identical to pages on the company’s official website whose users they want to target in the attack. However, the fake page’s HTML code differs from the original code.<\/li>\n
  2. The phishing script that sends the data victims enter on the fake page to cybercriminals. It is usually a simple script which parses the phishing data-entry form. In the phishing script’s code, cybercriminals also indicate the Telegram bot authentication token, e-mail address or other third-party online resource where stolen data will be sent using the phishing kit. The phishing kit’s creators often add a comment to the line where an address or token needs to be entered.<\/li>\n<\/ol>\n

    Telegram bot token in a phishing kit’s code<\/em><\/strong><\/p>\n
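
    When a kit archive is recovered during takedown or incident response, the drop points described above can be pulled out of its scripts for reporting and blocking. The sketch below is an added example, not code from the article or from any kit: the token pattern (numeric bot id, colon, 35 URL-safe characters) is an assumed shape, and the PHP sample is constructed.

```python
import re

# Assumption: bot tokens look like "<numeric bot id>:<35 URL-safe characters>".
TOKEN_RE = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_exfil_indicators(source):
    """Return (line number, kind, value) for each exfiltration destination
    found in a recovered phishing script."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            # Keep only the bot id; the secret half of the token is not
            # needed to report the bot and should not be copied around.
            findings.append((lineno, "telegram_bot_id", match.group(1)))
        for match in EMAIL_RE.finditer(line):
            findings.append((lineno, "email", match.group(0).lower()))
    return findings


# Constructed sample resembling the commented configuration lines the
# article describes; the token and the address are fake.
SAMPLE_KIT_SCRIPT = (
    "<?php\n"
    "// put your bot token here\n"
    '$token = "1234567890:' + "A" * 35 + '";\n'
    '$to = "Drop@mailbox.example"; // your e-mail\n'
    '$msg = "user=" . $_POST["email"];\n'
)

if __name__ == "__main__":
    for lineno, kind, value in extract_exfil_indicators(SAMPLE_KIT_SCRIPT):
        print(f"line {lineno}: {kind} = {value}")
```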

    Instead of providing ready-to-load pages, more sophisticated phishing kits contain their elements (images, forms, phishing script, text fragments etc.), along with a separate script which creates new pages from these elements.<\/p>\n

    Contents of a phishing-kit archive: phishing pages created automatically when index.php file is run<\/em><\/strong><\/p>\n

    There are also advanced phishing packages which not only come with all the tools and elements needed to assemble the web pages, but also include a control center with a user interface. Attackers can use this control center to tailor how a phishing page functions, e.g., by specifying how they would like to receive stolen data. Some sophisticated phishing kits allow attackers to generate pages which target users from different countries using a built-in dictionary containing the same phrases in different languages.<\/p>\n

    Dictionary from an advanced phishing kit<\/em><\/strong><\/p>\n

    In addition to tools for attackers to create phishing pages themselves, some phishing kits can include scripts for sending out messages, via popular messaging apps or e-mail, which contain links to phishing pages. These mailings tend to be the go-to channel cybercriminals use to get their pages out there. The contact details of potential victims can be found on the dark web, where a colossal number of databases detailing clients of various companies and services are sold.<\/p>\n

    Many of the scripts for sending out messages included in phishing kits or sold separately can add a URL parameter in the links which contains the recipient’s e-mail address. This parameter is used extensively in corporate phishing attacks. Some known phishing kits which target the corporate sector are able to capture the e-mail domain located in the URL parameter and generate a phishing page tailored to this domain name. There are several common ways to deploy this dynamic content generation:<\/p>\n