What are phishing kits? Web components of phishing attacks explained

Phishing is a social engineering attack. Most commonly delivered
by email, it is used by criminals to obtain access or information.
Phishing attacks can be generic or customized toward the victim and
their organization.

A phishing attack with a directed focus is called spear phishing.
If, for example, the criminal were targeting a group or person
within a company, they’d use spear phishing to make the email
look and feel legitimate. Usually this is done by using the
victim’s correct name and title, referencing legitimate projects
or known co-workers, or spoofing an email from a senior executive.

Vishing is the term for phishing carried out over the telephone.
Same goals, same emotional triggers, only instead of email the
criminal calls the victim directly. Examples of common vishing
attacks include IRS scams and tech support scams. In both cases,
the criminals are after personal information and money.

No matter what type of phishing attack is launched, the goal is
to get the victim to do something, such as reveal usernames
and passwords or share documents and other sensitive details.

Phishing attacks typically stress urgency or play on a person’s
willingness to help. They can also evoke fear by warning of
serious consequences: a threat of suspended services, the loss of
critical data, or various personal consequences. The most common
observation, though, is that phishing attacks start by triggering
the victim’s curiosity. That is why the victim opens the email in
the first place.

What is a phishing kit?

A phishing kit is the web component, or back end, of a phishing
attack. In most cases it is the final step, where the criminal
has replicated a known brand or organization. Once loaded onto a
server, the kit is designed to mirror legitimate websites, such
as those maintained by Microsoft, Apple or Google.

The goal is to entice the victim just enough that they’ll share
their login details and other sensitive data, which varies
depending on the phishing scam. Developed using a mix of basic
HTML and PHP, most phishing kits are uploaded to a compromised web
server or website, and usually live only about 36 hours before
they are detected and removed.

If proper detections and security are in place, administrators
can usually block phishing attempts as they hit the mail server
and detect the kits as soon as they are uploaded. That’s the
exception and not the rule. Criminals register new domains by the
thousands, and as soon as one is flagged, another takes its
place.

Another problem is that criminals are all too familiar with
basic phishing detection techniques and write their scripts in
ways that help hide the kit from anyone but the intended victims.
On the back end (the web server), their kits look like normal
websites, and because the compromised host usually has a neutral
or good reputation, they can avoid passive detection.

It’s very common to see phishing kits block IP ranges belonging
to some of the world’s largest security companies (Kaspersky,
Symantec, McAfee, Palo Alto, Blue Coat), as well as universities,
Tor exit nodes, and tech giants such as Google and Amazon. This is
typically done with deny rules in the kit’s .htaccess file or an
IP and user-agent check at the top of its PHP, so a blocked
visitor gets a 404 or is bounced to the real brand’s site and a
scanner sees nothing suspicious. These layered defenses work well
for the criminals, especially when the administrator of the
compromised server is not monitoring it proactively.
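To make the gatekeeping concrete, here is an added example (not code from the original article or from any real kit) that parses the kind of .htaccess deny list kits ship with and reproduces the decision the kit makes before it renders a login page. The .htaccess text, the IP ranges in it and the bot user-agent markers are constructed for illustration; Apache’s partial-prefix syntax (`deny from 66.102.` meaning 66.102.0.0/16) is real and is what the parser handles.

```python
import ipaddress
import re

# Constructed sample .htaccess in the style of a kit's gatekeeper file
# (illustrative ranges only; not copied from any real kit).
SAMPLE_HTACCESS = """\
# gatekeeper rules
order allow,deny
deny from 66.102.                # partial prefix: Apache reads this as 66.102.0.0/16
deny from 64.233.160.0/19        # CIDR range
deny from 198.96.155.3           # single host
deny from 130. 131.1.            # several prefixes on one line
deny from env=bad_bot            # environment-variable rule, not an address
allow from all
"""

def _token_to_network(token):
    """Turn one 'deny from' token into an ip_network, or None if it is not an address.
    Handles CIDR, full addresses and Apache's partial dotted prefixes ('10.1' == 10.1.0.0/16)."""
    token = token.strip()
    if not token or token.lower() == "all":
        return None
    if "/" in token:
        try:
            return ipaddress.ip_network(token, strict=False)
        except ValueError:
            return None
    parts = token.strip(".").split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    padded = ".".join(parts + ["0"] * (4 - len(parts)))
    return ipaddress.ip_network(f"{padded}/{8 * len(parts)}", strict=False)

def parse_deny_rules(htaccess_text):
    """Collect every network denied by 'deny from' lines; comments and allow lines are ignored."""
    networks = []
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(?i)^deny\s+from\s+(.+)$", line)
        if not match:
            continue
        for token in match.group(1).split():
            net = _token_to_network(token)
            if net is not None:
                networks.append(net)
    return networks

def is_blocked(ip, networks):
    """True if the visitor address falls inside any denied network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

# Substrings the constructed gate treats as scanner or bot user agents (an assumption).
BOT_AGENT_MARKERS = ("bot", "crawler", "curl", "python", "wget", "spider")

def gate_visitor(ip, user_agent, networks):
    """Reproduce the decision a kit makes before rendering its login page:
    'decoy' (a 404 or a bounce to the real brand) for denied addresses and bot agents,
    'serve_kit' for everyone else. Knowing this is why an analyst fetches a suspected
    kit from a clean address with a browser user agent rather than from a scanner."""
    ua = user_agent.lower()
    if is_blocked(ip, networks) or any(marker in ua for marker in BOT_AGENT_MARKERS):
        return "decoy"
    return "serve_kit"

if __name__ == "__main__":
    nets = parse_deny_rules(SAMPLE_HTACCESS)
    for vantage, ua in [("66.102.7.1", "Mozilla/5.0"),
                        ("203.0.113.5", "python-requests/2.31"),
                        ("203.0.113.5", "Mozilla/5.0")]:
        print(f"{vantage:14} {ua:22} -> {gate_visitor(vantage, ua, nets)}")
```

The same parser turned around is a useful triage step when a kit is pulled off a compromised host: feeding its real .htaccess through `parse_deny_rules` shows exactly which vantage points the criminals expected to be watched from.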

How do phishing kits work?

Short answer? Exactly like a normal website. You’ll see the main
page, login fields, and after that either a short “thank you”
message or a form asking for additional information. Sometimes,
after you’ve entered information into the form, you’ll be
forwarded to the legitimate website as if nothing happened.
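That flow (a brand look-alike served from someone else’s host, a password form posting to a local PHP script, then a bounce to the real site) is what a responder looks for when a suspicious page lands in a ticket. The following is an added example, not code from the original article, that scans fetched HTML for those three signs. The sample pages and the compromised host name are constructed, and the brand-to-host allowlist is a short illustrative assumption rather than a complete list.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Brand keyword -> hosts that legitimately serve that brand's sign-in page.
# ASSUMPTION: a short illustrative allowlist, not a complete one.
LEGIT_HOSTS = {
    "microsoft": ("login.microsoftonline.com", "login.live.com", "microsoft.com"),
    "google": ("accounts.google.com", "google.com"),
    "apple": ("appleid.apple.com", "apple.com"),
}

class _PageScan(HTMLParser):
    """Collects the page title, every form with its inputs, and any meta-refresh target."""
    def __init__(self):
        super().__init__()
        self.title = ""
        self.forms = []
        self.meta_refresh = None
        self._in_title = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"type": a.get("type", "text").lower(), "name": a.get("name", "")})
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")          # e.g. "0;url=https://..."
            if "=" in content:
                self.meta_refresh = content.split("=", 1)[1].strip().strip("'\"")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def _host_allowed(host, allowed):
    return any(host == h or host.endswith("." + h) for h in allowed)

def triage_login_page(page_url, html):
    """Return findings matching the kit flow: brand look-alike on a foreign host,
    password form posting to that host (often a .php script), and a redirect to the
    real site once the page loads. An empty list means none of the three signs."""
    scan = _PageScan()
    scan.feed(html)
    findings = []
    page_host = urlsplit(page_url).hostname or ""
    brand = next((b for b in LEGIT_HOSTS if b in scan.title.lower()), None)
    if brand and not _host_allowed(page_host, LEGIT_HOSTS[brand]):
        findings.append(f"imitates {brand} but is served from {page_host}")
    for form in scan.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue
        action = urljoin(page_url, form["action"] or page_url)
        action_host = urlsplit(action).hostname or ""
        if brand and not _host_allowed(action_host, LEGIT_HOSTS[brand]):
            findings.append(f"password form posts to {action_host}")
        if urlsplit(action).path.lower().endswith(".php"):
            findings.append(f"password form handler is a PHP script: {urlsplit(action).path}")
    if scan.meta_refresh:
        target_host = urlsplit(urljoin(page_url, scan.meta_refresh)).hostname or ""
        if target_host and target_host != page_host:
            findings.append(f"redirects the visitor to {target_host} after the page loads")
    return findings

# Constructed sample pages (not taken from any real kit).
KIT_URL = "https://compromised-site.example/wp-content/uploads/ms/index.html"
KIT_LOGIN_PAGE = """<html><head><title>Sign in to your Microsoft account</title></head>
<body><form method="post" action="next.php">
<input type="email" name="login"><input type="password" name="passwd">
<input type="submit" value="Sign in"></form></body></html>"""
KIT_THANKS_PAGE = """<html><head><title>Microsoft account</title>
<meta http-equiv="refresh" content="0;url=https://login.microsoftonline.com/"></head>
<body>Thank you, redirecting...</body></html>"""
REAL_URL = "https://login.microsoftonline.com/"
REAL_LOGIN_PAGE = """<html><head><title>Sign in to your Microsoft account</title></head>
<body><form method="post" action="/common/login"><input type="password" name="passwd"></form></body></html>"""

if __name__ == "__main__":
    for url, page in [(KIT_URL, KIT_LOGIN_PAGE), (KIT_URL, KIT_THANKS_PAGE), (REAL_URL, REAL_LOGIN_PAGE)]:
        print(url, "->", triage_login_page(url, page) or ["no findings"])
```

The check is deliberately about structure rather than content: a kit that copies the brand’s HTML pixel for pixel still has to post the password somewhere it controls and still has to get the victim back to the real site, and both of those show up in the form action and the redirect.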

Why do phishing attacks work?

Phishing attacks work because humans are helpful by nature,
curious, and as a rule don’t expect bad things to happen to them
as they go about their daily routine. Phishing, or social
engineering more generally, is one of the quickest ways to
compromise a network. Sometimes the easiest way in is simply to
ask for access, and that’s why some red team assessments mark
phishing or social engineering out of scope, which rather defeats
the purpose of the assessment.

The most successful phishing attacks target one person and are
personalized to that individual in such a way that it doesn’t
feel like an attack at all. In fact, the phishing attempt will
feel more like a typical personal or business interaction.

Imagine working in HR and you get an email from a service like
Indeed – a service your company uses. It’s addressed to you,
you’re familiar with the service already, and it’s reporting an
error of some kind related to a recent job posting. You made this
posting yourself, so you’re naturally curious about the error,
and you’re already familiar with everything else.

You click the link in the email and are presented with a login
page, which then asks for basic additional information once you
enter your username and password. After filling out all the
forms, you’re directed to the Indeed website, and you’re still
not logged in. Were you phished?

Yes, you were. But dealing with recruiting websites is simply
part of the job for people working in HR, and they might not
realize anything’s wrong until long after the fact. Most
awareness training doesn’t cover third-party services and supply
chain attacks, so tricks like the one in the Indeed example are
almost always successful in the short term, especially if the
victim reuses passwords.

Other, more generalized, phishing attacks are lazy, but they’re
effective nevertheless. They’re the emails warning about missed
shipments or mail delivery problems. They’re blasted out to
thousands of people in a day, and maybe half-a-percent or less
will fall for the scam.

If the criminals are consistent, that can add up to thousands of
fresh victims a month. Given that password reuse is a constant
problem, those victims can translate into hundreds of compromised
social media and email accounts, which expands the criminal’s
victim pool: the next attack can be sent from a contact the next
victim already knows and trusts.

What can I do to protect myself?

Question everything and use two-factor authentication (2FA)
whenever possible. Get an email from your boss asking for
sensitive data? Call your boss and confirm. That Indeed example
from earlier? Don’t follow the link in the email; type the
address yourself so you know you’re on the actual domain. Get an
email from your bank that spooks you? Call a local branch and
speak to an employee.
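The “make sure it’s the actual domain” habit can be automated for a mail team that triages reported messages. Here is an added example, not from the original article, that pulls every link out of an HTML email and flags the three tricks the Indeed lure relies on: a destination outside the expected service’s domain, the brand name planted as a subdomain or look-alike, and visible link text that names one host while the href goes to another. The email body is constructed, and the registrable-domain helper is a deliberately naive last-two-labels assumption (real code should use the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def registrable_domain(host):
    """Last two labels of a host name. ASSUMPTION: a naive heuristic that is wrong for
    multi-label suffixes such as co.uk; production code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(email_html, expected_domain):
    """Report links that do not land on expected_domain, links that borrow the brand name
    as a subdomain or look-alike, and links whose visible text names a different host."""
    collector = _LinkCollector()
    collector.feed(email_html)
    brand = expected_domain.split(".")[0]
    report = []
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        reasons = []
        if registrable_domain(host) != expected_domain:
            reasons.append("destination is not " + expected_domain)
            if brand in host:
                reasons.append("brand name used as a look-alike or subdomain")
        if " " not in text and "." in text:          # visible text that looks like a URL or host
            shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
            if shown and registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"visible text says {shown} but link goes to {host}")
        if reasons:
            report.append({"href": href, "text": text, "reasons": reasons})
    return report

# Constructed sample email body in the style of the Indeed lure above (not a real message).
SAMPLE_EMAIL = """<p>There is a problem with your recent job posting.</p>
<a href="https://indeed.com.jobpost-error.example/login">https://www.indeed.com/employer</a>
<a href="https://www.indeed.com/employer/jobs">Manage your postings</a>
<a href="https://indeed-support.example/unsubscribe">Unsubscribe</a>"""

if __name__ == "__main__":
    for item in check_links(SAMPLE_EMAIL, "indeed.com"):
        print(item["href"])
        for reason in item["reasons"]:
            print("   -", reason)
```

Note what the check does not do: it never follows the link, so it is safe to run on a reported message, and it says nothing about the legitimate `www.indeed.com` link in the same email, which is exactly the behaviour you want from a filter that runs on every inbound message.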

It might seem cold to question everything, and trust even less,
but security is something everyone has to consider, and asking
for confirmation is a good habit. In the business world,
especially when sensitive documents or financial matters are
concerned, confirmation could be seen as a value-add and proof
that you take your responsibilities seriously.

Don’t email the sender for confirmation; call them or try to see
them face to face (especially for business matters). Otherwise,
you might just get a response from the criminal telling you
everything’s okay.