By Lorenzo Asuni, CMO, Ermes Cyber Security
The phishing phenomenon is growing exponentially, and unlike the most common forms of scam it is far more dangerous, because it has become democratized and accessible. The latest quarterly report of the Anti-Phishing Working Group (APWG) recorded over 611,000 phishing attacks in January-March 2021 alone, with January setting a monthly record at around 245,711 attacks. Why is this happening, and what is the anatomy of a phishing kit? Generally, a kit consists of a set of ready-to-deploy files that can simply be copied to a web server and used almost as is, with little configuration. The composition of a typical phishing kit can be broken down into resources and documentation, primary files and scripts, basic and advanced features, and detection avoidance.
These off-the-shelf kits usually ship with a complete package of manuals, documentation, and detailed instructions located in the root folder of the kit, to help attackers use the files effectively. The instructions are clear and easy to follow: they explain to a would-be phisher how to set up a virtual private server (VPS) and obtain a transport layer security (TLS) certificate, how to install the kit, what the default login credentials are, and who created it. This new fraud model is therefore doubly dangerous: on one hand it lets less experienced scammers buy complex code from a cyber-criminal, while on the other both parties receive the victim’s data at the moment of the attack. For many of these kits, in fact, the only thing a bad actor needs to do is configure the drop email address to an account they control.
The kits typically use PHP as the back-end programming language so that they work consistently on most servers. The files also contain all the CSS, HTML, JavaScript, and images needed to build the phishing front-end pages that will ultimately be shown to potential victims. These front-end pages typically impersonate the genuine login screens of targeted brands, banks, and other institutions. Phishing kits also provide scripts that automate the exfiltration of the sensitive data gathered. In the vast majority of cases, the data entered by the victim is simply sent by email to a “drop address” or saved to a local text file.
Phishing kits have also become sophisticated enough to include anti-detection systems that can be configured to evade law enforcement agencies and independent researchers. Their code may be lightly or heavily obfuscated to avoid detection by automated anti-phishing solutions. They may refuse connections from known bots belonging to security and anti-phishing companies or search engines, so that the pages are never indexed. Some kits even use countermeasures based on geolocation. These kits can also encrypt data before exfiltration, or send the collected data to a secondary location, either as a precaution or as a way for some phishers to secretly collect other phishers’ loot.
But there is good news in all of this: the kit is a rich source of data, because it reveals the techniques used in phishing attacks, and phishing kit analysis can therefore also lead to the identification of criminals. However, kits are not recognizable by the user: a more attentive user may spot the phishing page itself, but identifying the kit hidden behind the page requires specialized tools.
The analysis carried out by researchers at Ermes – Cybersecurity, the Italian cybersecurity specialist, highlights how, as kits evolve, attackers copy and paste parts of code from other kits and adapt them to their own needs. There are therefore very few original kits, which means that entire clusters of correlated kits can be identified. Ermes analyzed a set of tens of thousands of phishing kits to identify around 6,000 kits targeting well-known brands. Ermes has made intelligence gathering and detection for phishing attacks a priority, especially for attacks that make use of phishing kits. To combat these threats, Ermes has built a unique, proprietary dataset of tens of thousands of phishing kits, continuously augmented by downloading the kits that attackers leave behind on identified phishing sites. Ermes routinely uses this resource to conduct research and to map newly discovered phishing sites to a phishing kit family, in order to provide customers with critical insights and intelligence.
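The family mapping described above rests on the observation that copied kits share long runs of identical code. The following added example (not Ermes’ own tooling) shows one way to do it: each kit file is reduced to a set of 5-token windows, kits whose Jaccard similarity clears a threshold are joined into one family, and a newly recovered kit is mapped to its nearest known kit. The three kit files are constructed, harmless PHP fragments standing in for real kit files.

```python
import re
from itertools import combinations

SHINGLE_LEN = 5    # tokens per shingle
THRESHOLD = 0.5    # minimum Jaccard similarity to link two kits into a family

def tokenize(src):
    """Identifiers, numbers and single punctuation characters; whitespace dropped."""
    return re.findall(r"[A-Za-z_]\w*|\d+|\S", src)

def shingles(src, k=SHINGLE_LEN):
    """Set of k-token windows; a file shorter than k tokens yields one window."""
    toks = tokenize(src)
    return {" ".join(toks[i:i + k]) for i in range(max(1, len(toks) - k + 1))}

def jaccard(a, b):
    """Share of windows common to both kits (1.0 for two empty files)."""
    return len(a & b) / len(a | b) if a or b else 1.0

def cluster(kits, threshold=THRESHOLD):
    """Join kits pairwise above threshold (union-find); return sorted families."""
    sigs = {name: shingles(src) for name, src in kits.items()}
    parent = {name: name for name in kits}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(kits, 2):
        if jaccard(sigs[a], sigs[b]) >= threshold:
            parent[find(a)] = find(b)
    families = {}
    for name in kits:
        families.setdefault(find(name), []).append(name)
    return sorted(sorted(f) for f in families.values())

def closest_kit(new_src, kits):
    """Map a newly recovered kit file to its most similar known kit and the score."""
    sig = shingles(new_src)
    return max(((n, jaccard(sig, shingles(s))) for n, s in kits.items()), key=lambda t: t[1])

# Constructed sample kits: harmless PHP fragments standing in for real kit files.
KIT_A = ("<?php\n$brand = 'ExampleBank';\n$page = file_get_contents('login.html');\n"
         "echo str_replace('{{brand}}', $brand, $page);\n")
KIT_B = KIT_A + "error_reporting(0);\n"   # copy of A with one statement appended
KIT_C = "<?php\nheader('Location: https://example.com/');\nexit;\n"   # unrelated kit
KITS = {"kit_a.php": KIT_A, "kit_b.php": KIT_B, "kit_c.php": KIT_C}

if __name__ == "__main__":
    print(cluster(KITS))   # [['kit_a.php', 'kit_b.php'], ['kit_c.php']]
    print(closest_kit(KIT_A.replace("ExampleBank", "OtherBank"), KITS))
```

Renaming the brand string in a copy of kit_a.php changes only the five windows that contain it, so the copy still maps to kit_a.php with a similarity of roughly 0.76.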
About the Author
Lorenzo Asuni graduated in Management at the University of Cagliari and at the Universidad Complutense de Madrid. He has over 10 years of experience in the startup and scaleup field as Marketing & Sales Director. In the past he launched AirHelp, a Y Combinator startup included among the top 100 global startups in 2016, and Lunii, a French scaleup, and led the growth of the Italian company Enuan. He has international experience between the USA and Europe, specializing in Growth Hacking and Digital Marketing. He has also recently launched two projects in the fields of sports marketing and health-tech, respectively Teda and Healthy Virtuoso, a company that has expanded rapidly in recent years.
In February 2022 he joined the Ermes team as Chief Marketing Officer. He leads the company’s initiatives to spread knowledge and awareness of its innovative security system, and will drive the large-scale expansion of corporate marketing in support of the international growth the company has recently undertaken.
https://www.linkedin.com/in/lorenzo-asuni/?originalSubdomain=it