An Analysis Of Recently Caught Phishing Kits – Research From NortonLifeLock
Phishing is big business. The industry includes a variety of criminal players doing specialised work to steal and sell your information. Our research shows why phishing campaigns are so pervasive, how phishers are using phishing kits, and how valid HTTPS certificates are used to dupe people around the world.
Our analysis covered more than 1,500 unique URLs used to host phishing kits. We found that 85% of phishing websites used a certificate. A valid certificate is shown to end users as a padlock in the browser bar, typically green. This padlock indicates that the traffic to and from the website is encrypted, but it provides a false sense of security to end users. It only means that the connection is secure; it does not indicate whether the site itself is secure.
Simply put, a green padlock only ensures that no one else can spy on and steal the data you enter, but it can still be stolen if the site is malicious.
What phishing kits are
A phishing kit is the web component of a phishing attack. Some phishing kits are closely held by their creators, while others are offered as part of the cybercrime-as-a-service economy.
The term cybercrime-as-a-service refers to an organized business model in the cybercriminal ecosystem to provide products and services to anyone willing to purchase them. Here the threat actors often provide access to already hacked web servers, or a list of recipient emails the buyer can use as part of the phishing attack.
Phishing kits are easy to use, and they allow anyone with minimal technical skills to become a successful phisher. Before involving any victims, the phisher creates a website with the look and feel of the legitimate website they are trying to spoof, making it difficult for an average user to distinguish between the real site and the fake one. The easiest way to achieve this is by using a phishing kit.
After configuring and uploading the phishing kit to a web server either compromised or owned by the phisher, a phishing email is sent to victims, leveraging social engineering to lure the user to click on a link to the spoofed website.
If the victim is fooled, they visit the website and enter sensitive information such as account credentials or other personally identifiable information. The phishing website transmits the information back to the phisher, typically via email. However, some phishing kits exist where the information is transmitted via messaging services like Telegram, or simply stored in a text file on the server.
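For defenders triaging a kit recovered from a compromised server, the three delivery channels described above can be identified statically in the kit's server-side code. The following is an added example, not part of the NortonLifeLock research; it assumes the kit is written in PHP, and the patterns, function names and sample files are constructed for illustration.

```python
import re

# Heuristic patterns for the three channels named in the article.
# Assumption: the kit's server-side code is PHP; not a complete signature set.
CHANNEL_PATTERNS = {
    "email": re.compile(r"\b(?:mail|mb_send_mail)\s*\(", re.I),
    "telegram": re.compile(r"api\.telegram\.org/bot", re.I),
    "local_file": re.compile(r"\b(?:file_put_contents|fwrite|fputs)\s*\(", re.I),
}

def strip_php_comments(source):
    """Blank out comments, keeping line breaks so line numbers stay valid."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                    source, flags=re.S)
    # (?<!:) keeps the "//" in "https://" from being read as a comment.
    return re.sub(r"(?<!:)//.*$|^[ \t]*#.*$", "", source, flags=re.M)

def find_exfil_channels(files):
    """Return {channel: [(filename, line number), ...]} for a kit's files."""
    hits = {}
    for name, source in files.items():
        lines = strip_php_comments(source).splitlines()
        for lineno, line in enumerate(lines, 1):
            for channel, pattern in CHANNEL_PATTERNS.items():
                if pattern.search(line):
                    hits.setdefault(channel, []).append((name, lineno))
    return hits

# Constructed sample: inert fragments, not taken from any real kit.
SAMPLE_KIT = {
    "post.php": (
        "<?php\n"
        "// mail($backup, 'old', $body);\n"
        "$body = 'placeholder form data';\n"
        "@mail($to, 'result', $body);\n"
        "$api = 'https://api.telegram.org/bot' . $token . '/sendMessage';\n"
    ),
    "log.php": (
        "<?php\n"
        "/* fwrite($fh, $x);\n"
        "   disabled */\n"
        "file_put_contents('out.txt', $body, FILE_APPEND);\n"
    ),
}

if __name__ == "__main__":
    for channel, where in sorted(find_exfil_channels(SAMPLE_KIT).items()):
        print(channel, where)
```

Commented-out calls are ignored, so a hit points at code that would actually run; the file and line number give an analyst the place to look for the destination address, bot token or output path to report for takedown.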
The phisher is now in possession of the victim’s information and will attempt to use it for monetary gain, either directly by using the credentials on legitimate websites and identity theft, or by selling it on marketplaces.
For more information about phishing kits, visit https://www.nortonlifelock.com/blogs/norton-labs/phishing-kits