
The evolution of phish kits

By Emile Abou Saleh, Regional Leader, Middle East, Turkey & Africa, Proofpoint

Credential phishing has evolved in skill and complexity over the past few years, largely due to advances in phishing kits. Gone are the days when credential phishing pages could be reliably spotted by checking for typos or by looking for the ‘green check box’ in the browser address bar to know you are secure. Nowadays, threat actors no longer need to clone websites and build their own kits; they can buy them on the open web.

Proofpoint researchers have observed phishing evolve from threat actors spraying out thousands of emails in the hope that someone, somewhere clicks on a link, to focused attacks against company employee login portals. In fact, recent Proofpoint research found that almost a third of CISOs in the UAE and KSA believe they are at risk of suffering a phishing attack.

Unfortunately, no matter how sophisticated a company’s email security strategy is, some phishing emails will ultimately make it to the inbox, and these messages are extremely effective. Such attacks leverage phish kits that dynamically fetch the logo and branding for a target’s email domain, creating custom phishing pages that are difficult to distinguish from legitimate login sites.

Phish kits can also collect OAuth and multifactor authentication (MFA) tokens in real time, sending them back to threat actors to use before they expire. The goal is to entice the victim just enough that they hand over their login details and other sensitive data, which will vary depending on the phishing scam.

Developed using a mix of basic HTML and PHP, most phishing kits are stored on a compromised web server or website, and usually only live for about 36 hours before they are detected and removed. Phish kits leverage methods to try to block researchers from discovering the phish and can be the initial foothold threat actors need into an organisation.

Credential Phishing and Phish Kits

All phishing is social engineering. With credential phishing, the threat actor is trying to get the target to give up information that they normally would not, such as user credentials or tokens, for the purpose of account compromise.

While you would not hand your username and password to a stranger on the street, you might provide the information to your “bank” if they were asking to check on possible account fraud, or you may log into your account via a link in a work email that prompts you to view an invoice.

A credential phishing kit, or phish kit, brings the ability to deploy an effective phishing page to threat actors regardless of their skill level. They are pre-packaged sets of files that contain all the code, graphics, and configuration files to be deployed to make a phishing page. These are designed to be easy to deploy as well as reusable.

They are usually sold as a zip file and ready to be unzipped and deployed without a lot of “behind the scenes” knowledge or technical skill.

Evolving phishing kit landscape

The phishing kit landscape is evolving. Phishing kit developers are making more dynamic kits that can change branding on a per user basis to match the target email domain instead of being a generic and static page.

Others are going further and showing a live background of the real login page with the credential harvesting part of the kit overlaid. Still others are adding MFA collection capability to get around the rise of MFA protections on valuable accounts.

All of this is being done to help sell the social engineering aspect and give confidence to the target that they are logging into a real site. Phishing-as-a-Service is also on the rise as it makes the barrier to entry much lower, allowing a less skilled threat actor to distribute and manage phishing campaigns at a scale they might otherwise not be able to achieve.

Checks and balances

While phishing kits keep evolving, a critical piece of any email security strategy is user education: users need to be able to identify phishing emails themselves. Some tips include:

  • Don’t trust the display name
  • Look but don’t click
  • Check for spelling mistakes
  • Analyse the salutation
  • Don’t give up personal or company confidential information
  • Beware of urgent or threatening language in the subject line
  • Review the signature
  • Don’t click on attachments
  • Don’t trust the header ‘From’ email address
  • Don’t believe everything you see
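Several of the tips above can be turned into automated header and body checks for a triage queue. The following is an added example, not code from the article or from Proofpoint; the message it inspects is constructed for illustration and uses reserved example domains only.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr
from urllib.parse import urlparse
URGENT = re.compile(r"\b(urgent|immediately|suspended|final notice|verify your account)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear\s+(user|customer|client|member)\b", re.I)
# Anchor whose visible text is itself a URL: compare the shown URL with the real href.
LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>\s*(https?://[^<\s]+)\s*</a>', re.I)

# Constructed sample message (not a real phish); all domains are reserved example names.
SAMPLE_MESSAGE = b"""From: "helpdesk@example.com" <billing@mail-notice.example.net>
Reply-To: collect@reply-drop.example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html

<html><body><p>Dear user,</p><p>Review your invoice:
<a href="http://login.example.net/invoice">https://portal.example.com/invoice</a></p></body></html>
"""

def mail_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
def url_host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def triage(raw: bytes) -> list[str]:
    # Returns one finding per tip the message trips; an empty list means nothing was flagged.
    msg = message_from_bytes(raw)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    # Don't trust the display name: a name that itself looks like an address from another domain.
    fake = re.search(r"[\w.+-]+@[\w.-]+", display)
    if fake and mail_domain(fake.group()) != mail_domain(sender):
        findings.append(f"display name shows {fake.group()} but sender is {sender}")
    # Don't trust the header From: replies quietly routed to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and mail_domain(reply_to) != mail_domain(sender):
        findings.append(f"Reply-To domain {mail_domain(reply_to)} differs from sender domain")
    # Beware of urgent or threatening language in the subject line.
    subject = msg.get("Subject", "")
    if URGENT.search(subject):
        findings.append(f"urgent language in subject: {subject!r}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    # Analyse the salutation: a mass phish rarely knows the recipient's name.
    if GENERIC_GREETING.search(body):
        findings.append("generic salutation")
    # Look but don't click: the visible URL and the real destination disagree.
    for href, shown in LINK.findall(body):
        if url_host(href) != url_host(shown):
            findings.append(f"link text {shown} hides destination {href}")
    return findings
```

Running `triage(SAMPLE_MESSAGE)` returns five findings, one per tip tripped; a plain internal message with a matching sender, no urgency and no disguised links returns an empty list.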

Blocking phishing attempts

With proper detection and security in place, administrators can block phishing attempts as they hit the mail server and detect the kits as soon as they are uploaded. That, however, is the exception rather than the rule.

Phishing not only affects consumers and individuals; it can also be the foothold a threat actor needs to get past a hardened corporate perimeter, steal data and drop further payloads, including information stealers and ransomware. While user education reduces the overall impact, there will always be a percentage of people who fall victim to the persistent and evolving threat of credential phishing. Therefore, having ongoing, comprehensive cyber security awareness training in place is crucial to safeguard employees.
