Another day, another phishing kit. Over the past year, the ZeroFox Alpha Team has witnessed a spike in phishing kit and phishing-as-a-service sales. These phishing kits (like the 16Shop model identified by ZeroFox earlier this year) offer less sophisticated actors the opportunity to conduct full-scale phishing operations quickly. The ZeroFox Alpha Team has obtained a Facebook phishing kit that is freely available on a popular Telegram cybercrime tools group and specifically targets users of the popular social networking platform. The kit was first posted on July 30, 2020.
Phishing is a prime tactic often used by attackers to steal user data by masquerading as a trustworthy entity. In this case, the phishing kit uses a fake login page identical to a legitimate Facebook login page to trick the victims. This phishing kit also offers crawler/bot detection to prevent automated tools from scanning the fake page.
The Anatomy of the FudSender Phishing Kit
Phishing is a low-cost, low-barrier-to-entry form of cyber-attack that aims to obtain sensitive information or data by tricking a victim into believing that they are on a legitimate website. The phishing kit's landing page spoofs the legitimate Facebook login page and prompts the victim to enter credentials.
Two scripts, `login.php` and `access.php`, are loaded upon entering the credentials. The function of the `login.php` script is to grab the username and password information entered by the victim.
The other script, `access.php`, grabs the IP address of the victim and uses it to fetch details such as City, Region, Internet Service Provider (ISP), User-Agent, Screen Resolution, etc., from the location intelligence provider site “ipapi[.]co”.
Both scripts, `login.php` and `access.php`, are configured to dump all the information collected from victims into a “logs.txt” file each time a new victim enters their credentials.
The Facebook phishing kit has an extra crawler and bot detection feature that uses “CrawlerDetect”, a PHP class created by Mark Beech which can detect thousands of bots, crawlers and spiders via the user agent and `http_from` header. “CrawlerDetect” has been used by several phishing kits, including prolific ones such as 16Shop, as well as free kits like this one. It is open-source and available in Mark Beech's public GitHub repository.
The phishing kit also has two additional scripts, `badAgents.php` and `index.php`, to further prevent bots from accessing the fake web page. The script `badAgents.php` grabs the IP address from incoming HTTP/HTTPS requests and fetches its organization details from the location intelligence site “ipapi[.]co”. The organization information, which is typically the owner of the ASN returned by ipapi, is then compared against a list of security providers' organization names.
The second script, `index.php`, uses the hostname, user agent and IP address information already collected by the `access.php` script and compares it against a list of hostnames, user agents and IP addresses of well-known phishing detection and URL scanner service providers. The phishing kit is designed to respond with an “HTTP 404” error if it detects a bot, crawler, spider or web scanner.
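The 404-to-scanners behaviour leaves a trace that a hosting provider or SOC can hunt for in ordinary web server logs: one path that answers 200 to browser user agents but only 404 to self-identified crawlers. The following Python is an added example, not code from the article or from the kit; the Apache access log lines, IP addresses and the crawler user-agent heuristic are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not from the article):
# /fb/index.php answers 200 to browsers but 404 to crawler UAs; /about.html does not.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2020:10:00:01 +0000] "GET /fb/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0"
198.51.100.7 - - [01/Aug/2020:10:00:09 +0000] "GET /fb/index.php HTTP/1.1" 404 312 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.8 - - [01/Aug/2020:10:01:15 +0000] "GET /fb/index.php HTTP/1.1" 404 312 "-" "ExampleURLScanner/1.0 (constructed)"
203.0.113.9 - - [01/Aug/2020:10:02:44 +0000] "POST /fb/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) Safari/604.1"
203.0.113.10 - - [01/Aug/2020:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/79.0"
198.51.100.7 - - [01/Aug/2020:10:03:30 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""

# One Apache combined log line -> the named fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Heuristic for self-identifying crawler/scanner user agents (assumption: a real
# deployment would use a maintained list such as the CrawlerDetect one the kit itself uses).
CRAWLER_UA_RE = re.compile(r"bot|crawl|spider|scan", re.I)

def parse_line(line):
    """Parse one access log line; return a dict of fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_cloaked_paths(log_text):
    """Paths that serve 200 to browser-like UAs but only 404 to crawlers: the kit's cloaking trace."""
    counts = defaultdict(lambda: {"browser_200": 0, "crawler_404": 0, "crawler_200": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or truncated lines rather than abort
        c = counts[rec["path"]]
        crawler = CRAWLER_UA_RE.search(rec["ua"]) is not None
        if crawler and rec["status"] == "404":
            c["crawler_404"] += 1
        elif crawler and rec["status"] == "200":
            c["crawler_200"] += 1
        elif not crawler and rec["status"] == "200":
            c["browser_200"] += 1
    return sorted(p for p, c in counts.items()
                  if c["browser_200"] and c["crawler_404"] and not c["crawler_200"])

if __name__ == "__main__":
    print(find_cloaked_paths(SAMPLE_LOG))
```

A path flagged this way is only a lead: legitimate sites also block crawlers, so the hit should be confirmed by inspecting the files served from that path.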
This kit is available for free on the EvilLeaks forum, and the associated Telegram group has 5242 followers, with almost 1100 views specifically of the Facebook phishing kit. The kit download page remains active at the time of this publication.
The text in the screenshot shared by the EvilLeaks group in their Telegram post led us to another website, fudsender[.]com, which is the actual source of the Facebook phishing kit. FudSender is an illegal shopping site that sells hacking tools, malware, and phishing kits.
The phishing kits offered by FudSender allow the attackers to spoof trusted brands, increasing the chances of someone clicking on a fraudulent link.
The crawler/bot detection feature makes this Facebook phishing kit hard to detect with traditional security scanning technology. The availability of phishing kits makes it easy for cybercriminals, even those with minimal technical skills, to launch phishing campaigns. A phishing kit bundles phishing website resources and tools that need only be installed on a server. Once installed, all the attacker needs to do is send out emails to potential victims.
Recommendations on How to Stop Phishing Kits
- Consider enabling multi-factor authentication for all accounts to prevent potential account takeover
- Always verify the sender of suspicious or unexpected emails and messages
- Never download attachments from unknown senders or suspicious emails
Phishing is a serious threat, and hackers are deploying new tactics to steal information, for extortion, or even for conventional fraud. The Facebook phishing kit is freely available, making it accessible to a wide range of would-be attackers, especially given that the group advertising this campaign has a considerable number of followers. Protect your business from becoming the next victim of phishing kit attacks by actively monitoring for phishing kit activity before it reaches your customers. For more information on how phishing kits operate, read our full Anatomy of a Phishing Kit Whitepaper.