What is a Phishing Kit And How to Spot One

anti phishing protection

If you’re interested in learning more about the phishing kit landscape, ZeroFox Alpha Team is presenting this research at Shmoocon on February 1, 2020

An Introduction to Phishing Kits

Over the past five years, phishing attacks have spiked dramatically. They now make up a much larger percentage of total malicious websites than malware-related sites. The simplicity of phishing attacks, combined with tools like phishing kits that make them accessible and easy to deploy, are likely contributors to this spike. Phishing kits provide a complete scam waiting to be stood up. This allows phishing kit operators to run scams without having to worry about managing infrastructure or needing to design their own scams. This also expands the pool of would-be attackers by making phishing accessible, even to people who do not have the technical ability or desire to stand up their own scams. In addition, because phishing kits are designed for ease of use, they allow for scam operations to be stood up at a larger scale. Even if a domain is identified as malicious and taken down, it is simple for attackers to stand up the kit on a new domain, with very little downtime.

Malware and phishing sites detected by Google Safe Browsing, since 2006

Who is Targeted?

Brands targeted by phishing kits are attractive for cybercriminals due to the high value of the account, information or access held by that account. Phishing kit buyers could seek account credentials to pivot into email inboxes or other accounts that have more information to steal. Alternatively, they may seek credit card numbers, government identification details and even selfies with government IDs in order to sell to other cybercriminals, steal identities, or drain financial accounts. Some common targets of the kits tracked by ZeroFox include PayPal, Apple, Amazon, Netflix, Microsoft, American Express, and email providers.

Landing page of the 16Shop phishing kit, targeting Apple customers.

How Phishing Kits Operate

Phishing kit shops are often run like legitimate software businesses. The easier a kit is to set up and use, the more attractive it becomes to aspiring or professional scammers. Because of this, many kits offer frequent feature updates, user support, tutorial videos and community chatrooms for scammers to swap notes. New features may be new languages, new targets, or even new obfuscation methods that attempt to limit detection. ZeroFox recently reported that the Indonesian kit 16Shop expanded its offerings from Apple and Amazon, to include American Express and Paypal. Kits also often offer secondary tools to make running scams easier for kit buyers, like mass-mailers. Kits that offer users a one-stop-shop experience are generally the most straightforward to use, and this widens the pool of potential buyers. These kits are also typically affordable, with pricing ranging from $60 – $100 per kit on average. 

Pricing of Cazanova Haxor phishing kits.


Although phishing itself is nothing new or novel, the level of sophistication has improved. Phishing kits effectively lower the barrier to entry of phishing scams, to the point that little to no technical ability is required to buy one and begin scamming. The ease of use, affordability, and profitability of phishing mean that this attack vector will likely be around for years to come.

If you’re interested in learning more about the phishing kit landscape or anti-phishing software, ZeroFox Alpha Team is presenting this research at Shmoocon on February 1, 2020