Understanding the Phishing Ecosystem: Phishing Kit Victim Workflow and Data Exfiltration

7 minute read

This blog is the third part of a series on understanding the phishing ecosystem. In this post, we will review phishing kit victim workflow and data exfiltration. Make sure to check out the other blogs in this series as well.

Phishing campaigns will have many different TTPs based on the vertical or brand being targeted. Phishing designed to obtain credentials for retail brands or marketplaces can contain very different stages compared to phishing designed to obtain online banking or credit card information from victims.

While campaigns and phishing kits can vary dramatically, typically the victim workflow and data exfiltration methods remain consistent across attacks, based on vertical being targeted. In this advisory we will cover some of the typical behaviors associated with more popular types of phishing kits.

Details: Phishing Kit Victim Workflow and Data Exfiltration

A good indicator of the behaviors involved in a phishing attack can be inferred from understanding the type of phishing kit being used. In an earlier post in this series we outlined these types and how they function. Additionally to this, victim data exfiltration methods can be closely tied with the type of kit, as the more complex a kit’s victim workflow may have, the more options the operator will have for collecting victim data.

Example of structural differences between basic kit and advanced kit
Figure 1: An example of the structural differences between a basic kit (left), and more advanced commercial kit (right).
Source: ZeroFox Threat Research

Basic kits have a very linear victim workflow (A victim workflow refers to the steps the victim of a phishing attack will follow when interacting with a phishing page). As the underlying code offers no additional functionality outside of presenting a login form and collecting the input data, the data requested from the victim will be quite basic such as username and password. These kits are designed only to collect basic data and sets of credential pairs, so the verticals or brands they target tend to be retail or consumer-based brands. For example, online marketplaces, subscription based services, music and video streaming platforms make up the bulk of targeted platforms. They are ideal targets for these kits, as many of the platforms only require a username and password to log in with two-factor authentication or MFA being optional and still not widely enforced.

phishing page prompting username and password
Figure 2: A basic phishing page prompting for a username and password. Clicking on social network authentication prompts presents the victim with other phishing pages impersonating the selected social network.
Source: ZeroFox Threat Research

With these basic requirements, the victim workflow will consist of one or more simple login pages, with the victim being redirected to the legitimate website the phishing attack was impersonating once the input has been submitted. Behind the scenes credentials will be logged locally, such as to a text file which sits on the web host hosting the phishing page, as well as potentially being emailed to the threat actor who deployed the phishing page.

Phishing kit victim workflow source code
Figure 3: Source code from a phishing kit, sending victim credentials to the configured exfil/dropper email address.
Source: ZeroFox Threat Research

Commercial or “Phishing-as-a-Service” kit authors will produce kits targeting many brands or verticals, but reuse a lot of code and assets between them. These phishing kits can cost threat actors, in some cases, several hundred USD to purchase- and to justify this cost their capabilities are far more advanced than typical basic kits. Workflows will vary between the targeted brand, and be customisable by the threat actor deploying the phishing kit.

With the increased vigilance of anti-fraud checks from both banks and online vendors, threat actors also adapted their techniques and tools to extract more sensitive information from victims to facilitate bypassing “know your customer” (KYC) checks. Many of the latest phishing kits now include additional stages in the victim workflow to prompt the victim to provide identity documentation. Requested information can range from a single “selfie” photo, to photos of their passport or driver’s license, which in combination with other victim data can be used for fraudulent purposes.

phishing page requesting user to upload identity documents
Figure 4: Phishing page requesting the user to upload identity documents
Source: ZeroFox Threat Research

For exfiltrating victim data, writing to a local text file or emailing the operator always remains a standard and popular choice, however, many of these kits have extra features in order to notify operators or securely exfiltrate victim data in case a web host is taken down or a dropper email address is closed. Telegram and other encrypted messaging apps are commonly used as the platforms support forms of automation with the use of bots or scripts which can be created to easily collect and send data elsewhere.

source code showing phishing kit victim workflow
Figure 5: Source code from a phishing kit, sending victim data via a Telegram bot to a private chat operated by the threat actor.
Source: ZeroFox Threat Research

One of the more complex types of victim workflows stem from the use of puppeteer kits. These kits are specifically designed to phish for online banking credentials and other sensitive information from individuals whilst impersonating popular financial institutions. The workflow is bespoke, as the operator manually dictates what questions the victim is asked, what data should be collected, and how long they even have to wait between each form to be presented to them.

phishing kit victim view
Figure 6: Victim view (left), being prompted to provide specific characters from their memorable word. Operator view (right), selecting which characters are required based on prompts from the legitimate online banking platform.
Source: ZeroFox Threat Research

At each stage of the workflow, after the victim has entered the requested details, the threat actor operating the kit will immediately take that data and use it to directly log in to the legitimate online banking platforms, effectively “man-in-the-middle”-ing the login process. Any security questions, two-factor authentication, or MFA prompts they may receive are simply forwarded to the victim via the phishing kit.

Victim data and other other sensitive information is stored within a database on the back end. This database does not need to exist on the same host as the actual phishing page, so as sites may be taken down and access may be lost to a web host, victim data is still held elsewhere for the threat actor to collect or later sell on.


  • Enable 2-factor authentication for all of your organizational accounts.
  • Utilize account permissions best practices such as role-based access control, least privilege, and restricting root/admin permissions.
  • Avoid opening unsolicited attachments and never click suspicious links
  • Do not share passwords, and do not reuse the same password on different websites and applications.
  • If you are alerted or suspect a compromised account, change the password immediately.


Phishing kits continue to adapt their capabilities based on security advances for online platforms, and as login processes change. It is within phishing kit authors and operators best interests for these phishing attacks to be believable as possible, and mirror the legitimate process- whilst also being flexible enough to trick victims into providing more data than may typically be requested. This can be done through a combination of believable phishing kit victim workflow and phishing lures, pressuring the potential victim into providing their information quickly, before something negative may happen to their account. Similarly, as vendors improve anti-abuse processes such as closing email accounts associated with phishing, threat actors pivot to new platforms to host their infrastructure which do not have such robust processes.

Tags: Phishing

See ZeroFox in action