Cybercriminals use phishing kits loaded with tools and various phishing pages to steal (financial) credentials from unaware internet users. These phishers will send out SMS-messages, social media messages, phone calls, letters and emails to lure their victims to their phishing pages.
What is a phishing kit
A phishing kit is an easy to use phishing setup which contains scripts and instructions that allows cybercriminals to create and host phishing pages.
A phishing kit can be compared to a pre-made website which you will get in a .zip file. This .zip file contains all of the pages and scripts that are needed to run the website. You only need to place the content of the .zip file on the right location on the webserver, and you are in business. A phishing kit will contain tools and materials that allow cybercriminals to quickly setup phishing pages. In the following part of this blog, I will show you some examples of phishing kits, so you will understand what type of tools and materials these phishing kits contain.
uAdmin phishing kit
The uAdmin phishing kit is an all in one solution for cybercriminals which want to receive logs from phishing page, while being able to interact with their phishing page victims.. uAdmin uses injections, which are snippets of code that are injected into a victims browser, enabling the cybercriminal to gather more information from their victims.
TodayZoo phishing kit
TodayZoo phishing kit was analysed by Microsoft. In their post on the TodayZoo phishing kit they explain how the kit was using various methods and previously seen codes of earlier captured phishing kits.
Phishing kits being sold
Cybercriminals don’t need to spend much time to customize their phishing kits. There are many marketplaces where cybercriminals are offered ready to run phishing setups.
In just a couple of clicks scammers and cybercriminals purchase fully developed phishing pages, kits and tools to increase their chance of success. Phishing and credential harvesting attacks remain a serious threat. These types of attacks can target anyone, and the information which is obtained in these attacks can be used directly.
A custom phishing shop
On Telegram and other underground forums, there are many operators which deliver custom made phishing pages. This means that cybercriminals simply set out their desires and someone else will create the desired phishing page.
These custom phishing pages and kits come with full guides and support on how to install and properly configure the phishing content on (compromised) webservers. The phishing kit sellers provide full language support and are very quick in their response. They offer this special service to their “customers” to increase their own reputation. Increased reputation will lead to more sales for them.
Phishing kit detection
In most cases, phishing attacks are detected, this is because of the expertise of cyber security professionals world wide which share threat intelligence with various security companies and threat sharing platforms.
However, as explained before, there are custom made phishing pages and kits, these custom pages and designs have a longer life period as they first need to be identified by security researchers.
Credential theft as the first step
Cybercriminals obtain credentials via social engineering attacks, phishing, credential stealing malware, data leaks and insiders. Once they have credentials, they use this to move further into (compromised) networks. They set up backdoors, encrypt data, steal information and make sure to leverage the compromised network in such that at the end of their campaign they will see money.