Adversaries have evolved to target financial organizations in a new, effective way, introducing the cyber puppeteer kit. While cyber puppeteer kits are often confused with phishing kits, there is an important difference. Cyber puppeteer kits are more personalized, interactive and successful than the traditional phishing kit. This makes them a substantial threat to an organization’s employees, customers, critical assets and more. ZeroFox’s Senior Threat Researcher, Chris Bayliss, led a webinar on the topic to aid security practitioners in breaking down what a puppeteer kit is and how to thwart an attack before severe and irreparable damage is done. In this post, we will highlight some key takeaways and insights that Chris shared in his presentation. Be sure to take a deeper dive and watch on-demand for more.
Cyber Puppeteer Kits vs. Phishing Kits
Defining Phishing Kits
As referenced in our review of ZeroFox Senior Director of Threat Intelligence, Zack Allen’s 2021 RSA Conference presentation “My Phishing Kit Burnbook,” a phishing kit is sold and traded online across the dark web, deep web, social media sites and forums. These kits have varying levels of features much like a SaaS product. They have gained traction and become popular because they offer a high return on investment for threat actors.
The screenshots above show examples of extracted phishing kits that look similar in construction. However, once deployed, they target completely separate brands with unique workflows. Regardless of how advanced or modular these phishing kits are, they are all designed to allow less sophisticated threat actors to simply copy the content to a web host and begin phishing very quickly.
Defining Cyber Puppeteer Kits
With this baseline understanding of a phishing kit, let’s take a closer look at cyber puppeteer kits and what makes them different. A cyber puppeteer kit, also referenced as “live panels” among the threat actors that operate them, is a new breed of phishing kit designed almost exclusively to facilitate phishing attacks against the financial services industry.
They are called cyber “puppeteer” kits because their workflow is unlike that of a conventional kit. Instead of a static form that harvests credentials and redirects, they are dynamic and require live interaction between the victim and the threat actor. The threat actor is essentially “pulling the strings” of the victim, guiding them through a series of pages until they unwittingly authorize access to their own account.
The operator controls a puppeteer kit through an administrative dashboard. The dashboard notifies the operator of each new visitor to the phishing site and lets the operator choose, page by page, what the victim is prompted for next. During the victim workflow the attacker takes the information as it is submitted and logs into the legitimate online banking platform with it, echoing back any security questions or verification prompts the bank raises for the victim to answer. Because this happens in near real time, the operator can ask for whatever the bank asks for, as many times as needed, and the victim’s answer is relayed while it is still valid. This is how these kits get around additional authentication steps such as SMS-based two-factor authentication, one-time password tokens and device verification: the controls are not broken, they are simply relayed through the victim.
To demonstrate how this interaction occurs between the victim and the attacker, Chris shared a pre-recorded video showing a kit in action. Take a closer look and watch the complete webinar to learn more. The cyber puppeteer kit used was edited to target the fictional “Bank of ZeroFox,” but the phishing workflow itself is unchanged and mirrors the steps customers normally go through when logging into an online banking platform.
Disrupting Cyber Puppeteers
Given the risk that cyber puppeteer kits can pose, what can security teams do?
As mentioned earlier, these kits are designed for ease of use and deployment. It’s not uncommon for a kit to load assets such as logos, stylesheets or fonts directly from the targeted brand’s website or content delivery network (CDN) rather than bundling copies. Every such request leaves a trail in logs you control: the victim’s browser sends the phishing page’s URL in the Referer header (the HTTP header is historically misspelled “Referer”; “referrer logging” is the common term), and your web server or CDN records it. (Referrer logging is “used to allow web servers and websites to identify where people are visiting their website for marketing or security purposes.”) An effective detection method is to look for your assets being requested from referring URLs that are not your own and that are structured in the specific ways kits use.
For example, say a phishing kit contains the path “/onlinebanking/login/alert.php” and this page pulls in the company logo from the legitimate website. Searching the referrer logs for requests for that logo whose Referer ends in that path will lead you straight to active deployments. For collecting and analyzing phishing kits, there are many open-source tools that try to extract kits from the prevalent phishing feeds. ZeroFox’s threat researchers developed an open-source tool called Phishpond that allows users to browse these kits within a sandboxed environment.
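The following script is an added example of the referrer-log hunt described above; it is not code from the webinar or from ZeroFox. It parses Apache/Nginx “combined” access-log lines, keeps requests for a set of protected brand assets whose Referer is not one of our own hosts, and ranks the referring hosts, flagging as high confidence any whose referrer path matches a known kit path. The hostnames, asset paths, kit path and log lines are all constructed for the example; the same logic applies to hits on a dedicated web beacon asset.

```python
"""Hunt for phishing-kit deployments in web-server referrer logs.

A kit that hotlinks the brand's logo from the legitimate site leaves the
phishing page's URL in the Referer header of every such request.  This
script parses "combined" access-log lines, keeps requests for protected
assets whose Referer is not one of our own hosts, and aggregates the
referring hosts; a referrer path matching a known kit path is high confidence.
"""
import re
from urllib.parse import urlsplit

# Regex for the Apache/Nginx "combined" log format.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumptions for this example: our own hostnames, the brand assets a kit is
# likely to hotlink, and kit paths seen in previously extracted kits.
OWN_HOSTS = {"www.bankofzerofox.example", "cdn.bankofzerofox.example"}
PROTECTED_ASSETS = {"/static/img/logo.png", "/static/css/brand.css"}
KNOWN_KIT_PATHS = {"/onlinebanking/login/alert.php"}


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return (severity, referring_host) for a suspicious hit, else None."""
    path = entry["path"].split("?", 1)[0]          # drop cache-busting query
    if path not in PROTECTED_ASSETS:
        return None
    ref = entry["referer"]
    if not ref or ref == "-":
        return None                                # direct hit, nothing to attribute
    parts = urlsplit(ref)
    host = parts.hostname
    if host is None or host.lower() in OWN_HOSTS:
        return None                                # served from our own pages
    if parts.path in KNOWN_KIT_PATHS:
        return ("high", host)
    return ("low", host)                           # foreign referrer, unknown path


def hunt(lines):
    """Aggregate suspicious referring hosts across a log.

    Returns {host: {"severity": "high"|"low", "hits": n, "paths": set()}}.
    """
    findings = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        sev, host = verdict
        f = findings.setdefault(host, {"severity": "low", "hits": 0, "paths": set()})
        f["hits"] += 1
        f["paths"].add(urlsplit(entry["referer"]).path)
        if sev == "high":
            f["severity"] = "high"
    return findings


# Constructed sample lines (not real traffic); one is deliberately unparseable.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /static/img/logo.png HTTP/1.1" 200 5120 "https://www.bankofzerofox.example/login" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /static/img/logo.png HTTP/1.1" 200 5120 "http://secure-bankofzerofox-verify.example/onlinebanking/login/alert.php" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /static/img/logo.png?v=3 HTTP/1.1" 200 5120 "http://secure-bankofzerofox-verify.example/onlinebanking/login/alert.php" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Oct/2023:13:58:40 +0000] "GET /static/css/brand.css HTTP/1.1" 200 880 "https://blog.example.org/post" "Mozilla/5.0"',
    '192.0.2.56 - - [10/Oct/2023:13:59:03 +0000] "GET /index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    ranked = sorted(hunt(SAMPLE_LOG).items(), key=lambda kv: kv[1]["hits"], reverse=True)
    for host, f in ranked:
        print(f'{f["severity"]:4} {f["hits"]:3} {host} {sorted(f["paths"])}')
```

Two caveats when running this against real logs: the Referer is set by the victim’s browser, so a kit that sets a `no-referrer` policy on its page, or a browser that strips the path under a strict referrer policy, will show up with an empty or origin-only referrer, and absence of a hit is not proof of absence; and the low-confidence bucket will include legitimate third parties (partners, aggregators, news sites) that embed your logo, so treat it as a triage queue rather than an alert.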
Internally, ZeroFox has developed a solution that allows us to collect hundreds of unique phishing kits a day to determine exactly what phishing kit is behind an active phishing page. This insight enables our team to enrich the automated analysis of these domains and pull extra information such as victim data, weaknesses within the code and information on the threat actor themselves.
Our team also uses web beacons that you can embed within your sites and assets. When a phishing kit pulls those resources, the beacon request tells us where the kit is hosted and we can immediately begin the threat disruption process. Additionally, we monitor a vast number of public and private covert communication channels, dark web marketplaces and forums dedicated to the creation of kits and the selling of victim data.
Phishing Kits, Cyber Puppeteer Kits … What’s Next?
Adversaries will continue to evolve their tactics in new, effective ways. Navigating the constantly changing threat landscape is no small feat, and security teams don’t have to do it alone. Combining AI processing, deep learning tools and dark ops operatives, ZeroFox combs through massive datasets across social media, the surface, deep and dark web to deliver relevant intelligence on threats targeting your business, people and sector. Reach out to our team to find out how we can help.
If you’re interested in learning more about cyber puppeteer kits and how to cut the strings in this specific cyber kill chain, take a deeper dive by watching Chris’ webinar on “Dismantling Puppeteer Kits Targeting Financial Organizations.” In addition to what we’ve covered above, Chris provides demonstrations, reviews the threat actor and victim workflow, details the cyber puppeteer kit ecosystem and more. You can also download ZeroFox’s white paper “The Anatomy of a Phishing Kit: Detect and Remove Emerging Phishing Threats” to learn more about phishing kits and how this evolving threat can be tackled at scale.