Understanding the Phishing Ecosystem: Types of Phishing Kits

Consumer-targeted phishing attacks are generally split into two buckets, conventional phishing, and targeted spear-phishing. More typical phishing attacks are commonly seen as low-level activity, which requires minimal skill, and only finds success with a small number of potential targets. This is often the case, however, behind the scenes of these phishing attacks is an ecosystem which supports and perpetuates phishing attacks, from sourcing phishing attack code to fraud and money laundering. This blog is the first in a series which dives into the ecosystem of phishing, and discusses the TTP’s of threat actors engaged in phishing attacks, and the typical lifecycle of such attacks. Within this specific post, we will be discussing the source, structure and types of phishing kits.

Sourcing the Source Code

The first stage of any phishing attack takes place well before a phishing site is deployed. The threat actor begins by obtaining or creating the phishing page which will be utilized. Depending on the competency of the threat actor, they may acquire a pre-made phishing attack, known as a phishing kit, or create their own. A phishing kit typically takes the form of an archive (.zip) file containing code and resources which allows for phishing attacks to be quickly and easily deployed to web servers.

Sourcing a kit itself is not a difficult task and requires minimal searching. Across covert channels, marketplaces, dark net, and clear net sources, phishing kits can be downloaded, traded, and purchased.

Phishing kits will vary dramatically in cost based on the complexity and capability of the kit. Simple kits containing only a few files of PHP code can cost anywhere between 10-100 USD to purchase. More complex kits which may require backend databases, integrate third-party API’s, have built in “anti-bot” or evasion techniques, or even use licensing terms, may cost in excess of several hundred dollars.

Types of Phishing Kits

There are a countless number of phishing kits available with more being made available every day. However, most phishing kits can be categorised into a handful of types, based on their functionality and intended targets.

Basic Kit

A simple, small archive file containing a handful of simple files, written in HTML, JavaScript and PHP. Will write victim data to local log files for the threat actor to collect manually.

Dynamic Kit

These kits contain specially made code and logic to present dynamic content to the victim, based on input. This can be in the form of presenting a fake consumer banking login page based on previous input, or presenting logos of their company based on their email address.

Puppeteer Kit

Specifically designed to phish for online banking credentials and enable indirect, “live” interaction between the victim and attacker, allowing the threat actor to prompt the victim for information from their online banking provider. This is often used to bypass OTP prompts, security phone calls, and secret words.

Commercial Kits

Many of the more popular phishing kits have been commoditized, with the authors licensing usage of their kits and offering online storefronts where customers can log in, purchase, configure, and download phishing kits. Popular examples include 16Shop and FreakzBrothers.

Frameworks

A more comprehensive but less popular solution for many would-be phishers is through the use of a phishing “framework”. These are essentially applications (rather than archive files), which can be run ad-hoc on web servers to automatically generate and deploy phishing pages. Depending on the framework, additional features are available such as reverse proxying, loading assets from third-party sites dynamically, and automatically importing new phishing pages contributors. These phishing frameworks are easily found on popular source code management platforms.

Typically, if a kit does not contain some decent form of DRM, encryption, or obfuscation to prevent unintended redistribution, it will not take long for “cracked” versions to appear. These kits have had their source code altered to bypass restrictions and checks which may take place to restrict usage. Likewise, kits may also be altered to change logos and wording but keep the main code base, thus changing the original targeted brand.

Structure for Different Types of Phishing Kits

Generally, phishing kits’ main code bases are made up primarily of HTML and PHP files and can contain additional resources for logic and rendering such as JavaScript files and images.

An average phishing kit will often contain code and directories grouped into the following functions:

Functions/Controls

PHP code dictating logic and shared functions for the victim workflow. This includes functions to write information to a log file or send an email at each step. Some kits heavily obfuscate this code in order to try and prevent redistribution or alteration.

Anti-bot/Blocking

This function can contain multiple, if not dozens, of scripts and PHP code files which outline IP addresses, geo locations, ISP’s and user agents which should be blocked or redirected to an external page, in order to protect or hide the phishing page. A common evasion technique for phishing kits is to block all requests from popular web crawling or indexing services, which may identify a phishing page. Some kits also use third-party services and API’s in order to provide this functionality, and check the reputation of a visitor's IP address.

Victim pages

HTML or PHP files containing the basic layout, design, and logic of the victim workflow. These are typically files named after URLs or pages you would commonly see when logging in to online platforms, such as “process”, “signin”, “login”, “onlinebanking”, “email”, “reset”, etc.

Assets

Files and folders containing image and JavaScript files which are loaded into the phishing pages. Not all kits will contain these assets and instead call them directly from the targeted brand or site.

Logs

Depending on the complexity of the phishing kit, victim data is commonly either emailed to the threat actor operating the kit, or saved locally to log files. These tend to be grouped together in a directory so the threat actor can quickly review and retrieve victim data from their deployment. These files, if located, often contain victim usernames, passwords, IP and geolocation information, credit card data and more.

In addition to the typical structure, other types of kits may contain resources and scripts, such as instructional videos on how to deploy, SQL scripts to generate tables and required database schemas, and other applications or scripts to aid in the effective deployment of the phishing attack.

Recommendations to Address Different Types of Phishing Kits

• Enable 2-factor authentication for all of your organizational accounts.
• Utilize account permissions best practices such as role-based access control, least privilege, and restricting root/admin permissions.
• Avoid opening unsolicited attachments and never click suspicious links
• Do not share passwords, and do not reuse the same password on different websites and applications.
• If you are alerted or suspect a compromised account, change the password immediately.

Conclusion

Phishing kit development and distribution is continuing to evolve as many consumer sites change their login and security processes, forcing kit authors to change their code in order to accurately reflect current designs and user experience. ZeroFox assesses with a high likelihood that the sophistication of phishing attacks will continue to increase, and the accessibility of pre-built phishing attacks will continue to allow lesser skilled threat actors to deploy and manage believable, complex, phishing attacks. ZeroFox analyses new phishing kits every day, and provides tools to allow security teams and researchers to analyze phishing kits themselves, to help in understanding the phishing threat landscape.