Inside phishing kits: How cyber criminals lure victims

Phishing kits have become increasingly sophisticated tools in the arsenal of cybercriminals. These kits are collections of software tools, including HTML, images, code, and more recently, AI-driven technologies, used to design and launch phishing attacks. They can enable individuals with minimal experience to quickly create numerous phishing websites, significantly broadening the scope and reach of their malicious activities.

What are phishing kits?

Phishing kits allow scammers with little to no programming expertise to develop fake emails and websites that closely mimic legitimate ones. These counterfeit messages often appear to come from a trusted company, service, business partner, or supply chain source. When recipients click on links in these messages, they are tricked into revealing sensitive information such as passwords and personal details.

Phishing campaigns continue to target a wide range of banks and companies, attempting to deceive individuals into providing sensitive information or downloading malicious content. Many notable banks and big-name companies have been frequently impersonated and exploited in these phishing campaigns. These companies’ brand names are often used to create a false sense of security, leading unsuspecting users to fall victim to cybercriminals’ tactics.

Advanced features and techniques

A key trend in the evolution of phishing kits is the integration of AI capabilities. While not yet widespread, AI is beginning to show up in some kits, allowing for more sophisticated and convincing phishing attempts. These tools also include advanced evasion techniques such as bot avoidance and heavy obfuscation, which help keep the underlying infrastructure hidden from detection.

In review of more than 700 phishing kits going back to May of 2020, many are copied duplicates that people have customized. Despite these similarities, phishing kits typically come equipped with a range of features designed to simplify the process for attackers:

• Built-in admin panel: Provides an easy-to-use interface to manage phishing campaigns.
• Avoidance of bots and security companies: Includes evasion techniques to avoid detection and takedown.
• Geolocation query: Allows attackers to customize phishing attempts based on the victim’s location.
• Redirection of stolen information via Telegram API: Ensures stolen data is securely sent to attackers through channels like Telegram. Messaging applications like Telegram are often favored by attackers because they offer end-to-end encryption and other security features, making it more secure for attackers to collect, store, and easily share data for illegal purposes.
• Screen scraping: Enables attackers to capture and replicate the look and feel of legitimate websites by copying the content and layout directly.
• Use of public data sources, including social media: Leverages publicly available information, such as social media profiles, to tailor phishing attempts and make them appear more personalized and credible.

These features make it easy for even those with minimal technical knowledge to create effective phishing sites quickly.

One particularly interesting development is the increased use of CAPTCHA in phishing attacks. By incorporating CAPTCHA, scammers make their fraudulent sites appear more legitimate, increasing the likelihood that victims will fall for the trap. Additionally, there has been a notable rise in phishing messages that include QR codes, often tied to offers like Amazon Gift Cards. Scammers exploit scenarios like “Hello, I am Bob from [insert company], and I want to give you a free gift card,” to lure victims into revealing their information.

Exclusions and focus areas

While many phishing kits include templates for bank login pages, these are often more targeted toward individual accounts rather than corporate networks. For those focusing on ransomware and corporate network breaches, this makes such templates less relevant. Another emerging tactic is the use of a password re-entry feature. In this method, after a victim enters their password, they are prompted to re-enter it following an “incorrect password” message. This tactic is designed to prevent victims from using fake passwords to test if the page is a phishing site, thereby increasing the chances of capturing valid credentials.

As phishing kits continue to evolve and incorporate more advanced features, including AI, screen scraping, and the use of public data sources, the threat they pose will only increase. Staying informed about these developments is crucial for anyone involved in cybersecurity.