How Cybercriminals Use Phishing Kits

marketing302922 1 views 7 slides Oct 06, 2025

About This Presentation

Phishing is using account login, banking, identity, etc., in attacks planned by cybercriminals against the target person or organization. It is a social engineering attack, among the most preferred threats to obtaining sensitive information. Attackers can use the information they get through the Phi...


Slide Content

How Cybercriminals Use
Phishing Kits
Threat Intelligence Team
23.05.2022
BD311221RA

2
What is Phishing?

Phishing is an attack planned by cybercriminals against a target person or organization to obtain account login, banking, identity, and similar information. It is a social engineering attack and among the most preferred ways of obtaining sensitive information. Attackers can use the information they get through phishing to obtain initial access to the target system, ensure persistence, bypass existing security controls, and commit fraud.

Phishing threats can include malicious files or links in e-mails specially crafted for the attacker's target and fake web pages designed to impersonate the target organization.

The malicious tools attackers use to collect sensitive information from users by creating phishing websites are called Phishing Kits.

Phishing Kits

Phishing Kits are malicious tools that combine all the components cybercriminals need to create a phishing campaign: fake login pages, scripts, and templates. Threat actors often prefer Phishing Kits because their use does not require technical knowledge and they are easily accessible from underground crime forums and markets.

Phishers use these kits to quickly and easily create phishing sites that mimic legitimate websites to steal sensitive information such as login credentials and credit card numbers.

Figure 1: Example of a Phishing Kit sold in underground forums and markets

3
Phishing Kits in the Wild

Phishing kits are sold or rented directly by the creator or other criminals using the Crime-as-a-Service model. In addition to the sale of phishing kits, previously compromised web servers, referred to as "Shells" or "cPanel", are traded or bartered in underground forums. Such campaigns are closely related to the web hosting responsible for hosting the phishing kits. Another service area offered around phishing in underground forums and markets covers the tools used to send the email (Spamming Tool) and the list of spam email recipients (Spam List).

An attacker using a phishing kit executes a typical attack as follows:

1. The phisher buys or rents a targeted phishing kit from underground forums or markets. Most of the time, all the cybercriminal who will launch the campaign has to do is customize the phishing kit by replacing the address in it with the address he uses and extract its files to a preferred location on the web server.
2. The attacker looks for a live web server on which to host the phishing kit. At this stage, the phisher has the following options:
   • The attacker automatically searches web servers for known vulnerabilities and then uploads a "shell" to the web server, which the attacker can then access at any time.
   • The attacker can access administrator software running on the server using default or compromised credentials. Attackers favor compromised or free hosting servers because using an existing live URL saves time and money by eliminating the need to lease a new domain.
3. The phisher has to forward the URL that redirects the user to the fake web page he has created to his potential targets. The phisher can carry out this process through phishing on social media, direct messages, or email. For example, an attacker can send an email by giving a pre-prepared phishing text and spam email list to the Spamming Tool he will use.
4. Once the phisher has completed this process, he receives the sensitive information entered by the target, via email or other ways in which it can be obtained.

4
Types of Phishing Kits

Phishing kits vary according to their functionality and intended targets.

Basic Kit
Basic Phishing Kits consist of tools and components such as basic HTML, PHP, and JavaScript files to create a fake website. Phishers may use Basic Kits to create static web pages with the most straightforward functionality. Sensitive data obtained by phishers with this type is stored in local log files for the attacker to collect manually.

Dynamic Kit
Phishers use these kits to dynamically change the page content based on the user's input on the fake web page. Among the most common usage scenarios are fake login pages for banking customers.

Puppeteer Kit
It refers to phishing kits that target online banking credentials and circumvent security measures the bank system uses, such as OTP, security phone calls, and secret words.

Framework
Framework phishing kits are phishing toolkits that include a "framework" or "builder" to make it easy for phishers to create phishing campaigns. These frameworks often include customizable templates and pre-built landing pages. The phisher needs to enter their target information (such as the name of the company they're impersonating), and the phishing kit takes care of the rest.

One of the most popular phishing frameworks is Blackhole, which enables phishers to create phishing campaigns for various targets, including Facebook, PayPal, Twitter, and LinkedIn. Other phishing kits include Dark Mailer, phpBB Phishing Kit, and Erebus.

5
Phishing Kit Components

A Phishing Kit usually contains the following components.

Phishing Template
The Phishing Template contains the template that mimics the design of the target website. Thus, the phisher can replicate an official website exactly. The most common method is downloading a complete copy of a website (including HTML, image, video, and PDF files) to the local directory using the HTTrack tool.

Server-side Code
The code that runs on the server side is the part of the Phishing Kit that does the actual work. This code is responsible for capturing sensitive information entered by targeted users and sending it to the phisher.

Figure 2: login.php code snippet executing server-side to capture login information
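
A check a hosting provider or site owner can run over pages found in a web root, given here as an added example that is not code from the presentation: it flags HTML that carries the comment HTTrack leaves in mirrored pages, contains a password field, and is served from a host unrelated to the mirrored one. The function names, the sample page and the host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# HTTrack writes "Mirrored from <host/path> by HTTrack Website Copier/..." into pages it copies.
MIRROR_RE = re.compile(r"Mirrored from\s+(\S+?)\s+by HTTrack", re.I)

class _PageScan(HTMLParser):
    """Collects the HTTrack origin host, password inputs and form actions."""
    def __init__(self):
        super().__init__()
        self.mirrored_from = None
        self.has_password = False
        self.form_actions = []

    def handle_comment(self, data):
        m = MIRROR_RE.search(data)
        if m and self.mirrored_from is None:
            self.mirrored_from = m.group(1).split("/")[0].lower()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")

def assess_page(html, serving_host):
    """Return a finding dict if the page looks like a cloned login page, else None."""
    scan = _PageScan()
    scan.feed(html)
    origin, serving = scan.mirrored_from, serving_host.lower()
    if not origin or not scan.has_password:
        return None
    # A site holding a mirror of itself (for example a staging copy) is not a finding.
    if origin == serving or origin.endswith("." + serving) or serving.endswith("." + origin):
        return None
    return {"mirrored_from": origin, "served_on": serving,
            "form_actions": scan.form_actions}

# Constructed sample page, not taken from a real kit.
SAMPLE_CLONE = """<html><head>
<!-- Mirrored from www.bank.example/login by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 23 May 2022 10:00:00 GMT -->
</head><body><form action="login.php" method="post">
<input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""
```

Kit authors can strip the HTTrack comment, so a clean result does not clear a page; a hit is a strong lead for manual review of the form's target script.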

6
Optional Code
Phishing Kits may contain additional code to counter anti-phishing measures or to filter traffic the attackers do not want. Countermeasures that phishers can implement in Phishing Kits may include techniques such as code obfuscation, URL shortening or redirection, and randomly generated URLs.

If unwanted traffic is detected by any of the checks made on the statements mentioned above, a page with the error "404 Page Not Found" is displayed. In addition, different Phishing Kits can apply techniques that include redirecting such traffic to legitimate websites or search engines. It is also possible that highly advanced Phishing Kits can only be accessed from certain countries and used on certain devices, to ensure they only work under certain conditions.

Figure 3: IP filtering to prevent unwanted traffic to the fake website
Figure 4: User-Agent filtering to prevent unwanted traffic to the fake website
Figure 5: Hostname filtering to prevent unwanted traffic to the fake website
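
The filtering described above leaves a trace in the hosting server's access log: the same path answers 200 to ordinary browsers and 404 to crawlers and scanners. The following added example, which is not part of the presentation, looks for that pattern in combined-format log lines; the log lines, the path and the User-Agent marker list are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined log format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumed markers of automated clients; extend with your own scanners' agents.
AUTOMATION_RE = re.compile(r"bot|crawl|spider|curl|wget|python-requests|scan", re.I)

def find_cloaked_paths(lines, min_each=2):
    """Return paths that serve 200 to browsers but only 404 to automated clients."""
    seen = defaultdict(lambda: {"browser": [], "automation": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        kind = "automation" if AUTOMATION_RE.search(m["ua"]) else "browser"
        seen[m["path"].split("?")[0]][kind].append(int(m["status"]))
    flagged = []
    for path, s in seen.items():
        b, a = s["browser"], s["automation"]
        enough = len(b) >= min_each and len(a) >= min_each
        if enough and 200 in b and all(code == 404 for code in a):
            flagged.append(path)
    return sorted(flagged)

def _line(ip, path, status, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [23/May/2022:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/100.0"
CRAWLER = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample: one cloaked path, one normal page, one genuinely missing page.
SAMPLE_LOG = [
    _line("192.0.2.10", "/assets/secure/login.php", 200, BROWSER),
    _line("192.0.2.11", "/assets/secure/login.php?id=7", 200, BROWSER),
    _line("198.51.100.5", "/assets/secure/login.php", 404, CRAWLER),
    _line("198.51.100.6", "/assets/secure/login.php", 404, "curl/8.0.1"),
    _line("192.0.2.10", "/index.html", 200, BROWSER),
    _line("192.0.2.12", "/index.html", 200, BROWSER),
    _line("198.51.100.5", "/index.html", 200, CRAWLER),
    _line("198.51.100.6", "/index.html", 200, "curl/8.0.1"),
    _line("192.0.2.10", "/old.html", 404, BROWSER),
    _line("198.51.100.5", "/old.html", 404, CRAWLER),
]
```

A flagged path is a candidate for inspection of the files behind it, not proof of a kit; IP-based and hostname-based filtering produce the same status split and can be examined by grouping on the client address instead of the User-Agent.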

7
Conclusion

Phishing kits are a powerful tool for attackers, allowing them to easily and efficiently carry out attacks. However, they are also relatively easy to detect and block. Phishing kits usually rely on well-known vulnerabilities or weaknesses in order to work, and so keeping up-to-date with security patching and using effective anti-phishing solutions can go a long way towards protecting your organisation from these types of attacks.

While phishing attacks can be devastating, it is important to remember that they are not always successful. In fact, many organisations and individuals are now much more aware of phishing attempts and are better equipped to deal with them. By being vigilant and taking steps to protect yourself, you can help to ensure that you are not the victim of a successful phishing attack.