Phishing Kits with Cloaked Techniques: The Next Generation of Phishing Attacks

This blog post covers the increasing prevalence of phishing attacks that use phishing kits with cloaking techniques and how ZeroFox’s new domain protection capabilities have advanced in response.

The continued proliferation of Phishing-as-a-Service (PhaaS) across dark web marketplaces has significantly reduced the barrier of entry for threat actors seeking to deploy advanced phishing campaigns. Sellers in the digital underground now offer a varied set of competitive services, including phishing kits, which according to ZeroFox’s Intelligence Team, can be purchased for as little as $50 per month, or just $400 per month to access more sophisticated packages. 

Phishing kits allow threat actors to easily set up a host of malicious sites that can be quickly replicated to create complex phishing attack campaigns. They include capabilities such as geo-blocking, the ability to block engagement from unwanted sources (web crawlers, researchers, bots) and the capacity to leverage domain generation algorithms that can spawn random domains to rotate between during attacks.

The Anatomy of a Phishing Kit

Phishing kits are a set of software tools and templates that are created and used by threat actors to facilitate the launch of phishing campaigns. These tools are commonly sold across the dark web and make it easy for anyone, regardless of technical skill, to deploy phishing attacks. 

Phishing kits typically include components such as:

• Phishing website templates that look like legitimate websites
• Phishing email templates that look like they come from a company
• A web server to host the phishing website
• A mail server to send phishing emails
• Instructions on how to set up and use the phishing kit

Phishing kits are constantly evolving: there are currently an estimated 4,000 to 6,000 phishing kits out in the wild, according to various studies amongst vendors and research groups. Recently, ZeroFox has begun to see an increase in phishing kits that include evasion techniques designed to bypass detection technologies.

What Are Cloaked Phishing Attacks?

Cloaking, in the context of phishing, is a set of strategies and techniques that threat actors use to circumvent commonly used phishing detection tools. While there are a plethora of cloaking techniques available as part of phishing kits, the most common cloaking techniques include:

• Javascript rendering occurs when phishing sites render only on browsers where javascript is enabled 
• User agent filtering that targets devices by browser user agent, which is often used to filter out automated scrapers that utilize settings that don’t match realistic victim profiles.
• Timing delays are implemented that delays the loading of the phishing content to avoid detection from automated systems.
• IP block lists are used to block known IPs of cloud providers and non-residential networks as a means to avoid detection from automated systems utilizing those IPs.
• Geo-blocking filters out IPs that are outside of the targeted region from being able to load the phishing content and instead show benign content that would not cause concern.

While not all phishing attacks utilize phishing kits with cloaking techniques, ZeroFox and industry experts both estimate that roughly 34% of all phishing attacks now contain cloaking techniques designed to mask phishing attack campaigns.

New ZeroFox Capabilities to Combat Cloaked and Emergent Phishing Attacks

ZeroFox’s anti-phishing solution helps identify and protect against phishing web pages leveraging cloaking techniques. Existing ZeroFox capabilities help customers identify phishing sites cloaked in user agent filtering, timing delays and javascript rendering techniques. Recently, we have begun to roll out geo-specific residential proxies that allow the platform to mimic the IP address of potential victims in a targeted area. 

A residential proxy allows internet traffic to appear as if it’s coming from another residential IP address anywhere in the world. To accomplish this, we leverage a broad network of more than 100 million proxy IP addresses around the globe. This capability enables customers to avoid any IP and geo-blocking technique lists utilized by more advanced phishing kits. 

In addition to enhancements to our anti-cloaking capabilities, we recently announced additional anti-phishing protections that help us stop phishing at the source. The product enhancements include: 

• Favicon Search to monitor for fraudulent web pages that use your brand’s favicon, helping to preserve your brand integrity and customer loyalty by preventing phishing attacks.
• Weblog Monitoring to analyze customers’ web server logs to provide better coverage and more quickly identify and disrupt fraudulent URLs. This ensures a safer, more reliable customer experience by mitigating the risk of users being redirected to malicious websites.
• Enhanced Subdomain Coverage to enable a more comprehensive monitoring scope, leading to quicker identification and takedown of phishing sites, thus saving your security teams time and resources.
• SSL Monitoring to ensure that only secure and verified certificates are in use. This minimizes the chances of unauthorized activities and certificate vulnerabilities, aligning with compliance requirements and bolstering customer trust.

These new capabilities reinforce ZeroFox’s commitment to providing customers with a premier domain protection experience, especially amidst the proliferation of cloaked attacks.For more information about how we stop emergent phishing attacks, visit https://www.zerofox.com/products/domain-monitoring-tools/ and download our data sheet.