• United States



Senior Staff Writer

What are phishing kits? Web components of phishing attacks explained

Jun 02, 20218 mins
PhishingSecuritySocial Engineering

The notion of a phishing kit can be a bit confusing for those of us who don't deal with them on a regular basis. Here's a brief overview of phishing kits and how they work.

phishing threat
Credit: Thinkstock

Phishing is a social attack, directly related to social engineering. Commonly centered around email, criminals use phishing to obtain access or information. Phishing attacks can be basic or customized toward the victim and their organization.

A phishing attack with a directed focus is called spear phishing. If, for example, the criminal were targeting a group or person within a company, they’d use spear phishing to make the email look and feel legitimate. Usually this is done by using the victim’s correct name and title, referencing legitimate projects, known co-workers, or spoofing an email from a senior executive.

Vishing is the term given to phishing via telephone. Same goals, same emotional triggers, only instead of email the criminal calls the victim directly. Examples of common vishing attacks include IRS scams and tech support scams. In both cases, the criminals are hoping to get personal information and money.

No matter what type of phishing attack is launched, the goal is to get the victim to do  something, such as reveal usernames and passwords or share documents and other sensitive details.

Phishing attacks typically stress urgency or play on a person’s willingness to help. Phishing attacks can also evoke a sense of fear, by warning of serious consequences. Sometimes you’ll see this as a threat to suspended services, the loss of critical data, or various personal consequences. The most common observation, though, is that phishing attacks start by triggering the victim’s sense of curiosity. This is why the victim opens the email to begin with.

What is a phishing kit?

A phishing kit is the web component, or the back-end to a phishing attack. It’s the final step in most cases, where the criminal has replicated a known brand or organization. Once loaded, the kit is designed to mirror legitimate websites, such as those maintained by Microsoft, Apple or Google.

The goal is to entice the victim just enough so they’ll share their login details and other sensitive data, which will vary depending on the phishing scam. Developed using a mix of basic HTML and PHP, most phishing kits are stored on a compromised web server or website, and usually only live for about 36 hours before they are detected and removed.

If proper detections and security are in place, administrators can usually block phishing attempts as they hit the mail server and detect the kits as soon as they are uploaded. That’s the exception and not the rule. Criminals register new domains by the thousands, and as soon as one is flagged, another takes its place.

Another downside is that criminals are all too familiar with basic phishing detection techniques and develop their scripts in a way that will assist in hiding the kit from the public. On the back end (the web server), their kits look like normal websites, and usually because the compromised host has a neutral or good reputation, they can avoid passive detection.

It’s very common to see phishing kits block IP ranges belonging to some of the world’s largest security companies (Kaspersky, Symantec, McAfee, Palo Alto, Blue Coat), as well as universities, Tor exit nodes, and tech giants, such as Google and Amazon. These layered security approaches by the criminals are useful, especially if the server administrator is lacking when it comes to proactive measures.

How do phishing kits work?

Short answer? Exactly like a normal website. You’ll see the main page, login fields, and after that either a short “thank you” message or a form asking for additional information (as seen in the videos below). Sometimes, after you’ve entered information into the form, you’ll be forwarded to the legitimate website as if nothing happened.

Some phishing kits offer features designed to increase their effectiveness. Email security company Trustifi reported in March 2021 that its researchers identified several new features including:

Anti-bot protection. Some organizations use security bots that check where phishing links lead. The Spox phishing kit can fool these bots by sending them to a 404 error page rather than the fake Chase Bank page its victims see and the bot would recognize as malicious.

Real-time phishing. This feature, found on a Brazilian phishing kit, gives phishers the ability to decide which fake page the victim sees depending on their actions as they move through the phishing site. 

QR code generation. Brazil’s PIX instant payment system requires a QR code to transfer funds, and the Brazilian phishing kit mentioned above is capable of generating that QR code.

Some phishing kits target consumers, while others are designed to gather corporate credentials. In its recent Phishing for Finance report, Akamai noted that the Kr3pto phishing kit targets customers of financial institutions. It goes after usernames, passwords, and secondary authentication data such as SMS-based PINs or security question answers. It tricks victims by spoofing as many as 11 well-known brands.

The Ex-Robotos phishing kit uses an API to streal corporate credentials. According to the Akamai report, the Ex-Robotos kit was very active in early 2021. Akamai monitored 220,000 hits to the Ex-Robotos API IP address in a 43-day period from January to February.

Why do phishing attacks work?

Phishing attacks work because humans are helpful by nature, curious, and as a rule don’t expect bad things to happen to them as they go about their daily routine. Phishing, or social engineering really, is one of the quickest ways to compromise a network. Sometimes, the easiest way in is to simply ask for access, and that’s why some red team assessments will mark phishing or social engineering out of scope [which defeats the purpose of the assessment if you ask me].

The most successful phishing attacks target one person and are personalized to that individual in such a way that it doesn’t feel like an attack at all. In fact, the phishing attempt will feel more like a typical personal or business interaction.

Imagine working in HR and you get an email from a service like Indeed – a service your company uses. It’s addressed to you, you’re familiar with the service already, and it’s reporting an error of some kind related to a recent job posting. You made this posting yourself, so you’re naturally curious about the error, and you’re already familiar with everything else.

You click the link in the email and are presented with a login page, which then asks for basic additional information once you enter your username and password. After filling out all the forms, you’re directed to the Indeed website, and you’re still not logged in. Were you phished?

Yes, you were. But dealing with recruiting websites is simply part of the job for people working in HR, and they might not realize anything’s wrong until long after the fact. Most awareness training doesn’t cover third-party services and supply chain attacks, so tricks like the one in the Indeed example are almost always successful in the short term, especially if the victim reuses passwords.

Other, more generalized, phishing attacks are lazy, but they’re effective nevertheless. They’re the emails warning about missed shipments or mail delivery problems. They’re blasted out to thousands of people in a day, and maybe half-a-percent or less will fall for the scam.

If the criminals are consistent, that can add up to thousands of fresh victims a month. Given that password recycling is a constant problem, those victims can translate into hundreds of social media accounts and email accounts, which increases the criminal’s victim pool as now they can launch a new attack using a known contact as the originating source.

What can I do to protect myself?

Question everything and use two-factor authentication (2FA) whenever possible. Get an email from your boss asking for sensitive data? Call your boss and confirm. That Indeed example from earlier? Don’t follow the link in the email, go to the website manually, so you can ensure it’s the actual domain. Get an email from your bank that spooks you? Call a local branch and speak to an employee.

It might seem cold to question everything, and trust even less, but security is something everyone has to consider, and asking for confirmation is a good habit. In the business world, especially when sensitive documents or financial matters are concerned, confirmation could be seen as a value-add and proof that you take your responsibilities seriously.

Don’t email the sender for confirmation, call them or try and see them face to face (especially for business matters). Otherwise, you might just get a response from the criminal telling you everything’s okay.

Editor’s note: This article, originally published on August 7, 2018, has been updated to include new information on phishing kit features.