Try demo

Phishing kits are the new meth labs

Phishing kits give criminal minds new paths to break bad. Imagine a DIY meth lab kit but digital, less risky, and cheap; while still promising potentially big returns.

Phishing attacks are coming to a criminal near you. The trending rise of phishing kits—simple, cheap, downloadable templates for email attacks—mean more localized and targeted attacks will likely be sliding into your employees’ inboxes. It’s important you have the tools and phishing awareness training to meet these developing challenges.

Here’s what you need to know to avoid getting hacked.

What’s the threat

Phishing Kits are democratizing email scams and turning them into a cottage industry. The distribution and quality of phishing kit-enabled attacks are accelerating changes in the cybersecurity threat landscape.

Each industry has its own vulnerabilities and assets that need protecting. In finance, for instance, cybercriminals are essentially committing bank robberies with keyboards instead of guns; DarkSide ransomware, the gang behind the Colonial pipeline attack, has netted over $90 million in bitcoin. Over 2020, financial services surged 125% in exposure to email scams. After the launch of phishing kits in 2018, email attacks rose 48% in the financial industry, according to a report by the firm, ZeroFOX.

If those scams get smarter and people do not, breaches will increase.

Incredibly cheap and worryingly effective, phishing kits recently moved from the dark web and into the ready hands of aspiring cybercriminals anywhere. From free-of-charge to $100, phishing kits equip threat actors with the tools to create and deploy a sophisticated attack.

Are they cooking up phish in there?

How it works

With phishing, the goal is to entice the victim over email into an action. On the front end of a scam the employee of, say, a financial services company sees familiar logos and graphics of a spoofed site supporting a message crafted to create a sense of urgency or consequences if no action is taken. The phishing kit is the back end: it contains the more complicated computer coding, the transmission of stolen credentials to the attacker, and so on. In fact, credential harvesting is one of the major uses of PhishingKits.

Here’s a 5-step process for how it works, below.

 

Where they come from (spoiler alert: the internet)

It’s unbelievably easy to buy a phishing kit online. I found them immediately. There’s a consumer marketplace for them, right out in the open. Below, for instance, you can see a $60 price tag for an Office 365-style scam page; or you can spend $60 for a Sharepoint style scam page template. We at Hoxhunt see the largest cluster of scam campaigns around these Office 365 login pages. But let’s take, for example, the LinkedIn login page. Someone buys a kit that lets them clone the LinkedIn login page for credential theft after phishing you with a link in an email.

What they look like

With localization, the scammer can more easily gain the trust of the victim. If a phishing email is hooked to a trusted local company, and it’s written well, people will be more likely to trust the message. Here’s something we caught in Finland, where a threat actor spoofed Finland’s Nordea Bank login page with a phishing kit to steal credentials. These are nearly identical. But the site on the right is the fake.

Similarly, below is a credential harvesting site that spoofed skat.dk. On the left is the fake site, and on the right is the real site. All the way down to the style of fabrication, it’s almost identical.

What you can do

Security filters can only do so much. They’ll never stop every malicious email from slipping through the cracks into people’s inboxes. From there, it’s up to employees to spot and report those that do get through. It just takes one click on a malicious link for an entire company’s data to be breached.

It’s vital to nurture your people with phishing awareness training so they actually want to be part of the solution. Engage them with training that stays relevant and interesting. Ideally, it will be automated and constantly updated to evolve along with the threat landscape. Training your people to spot yesterday’s threats will not keep you safe from today’s attacks, and much less tomorrow’s.

Develop people’s cyber self-defense muscles by training them to replace an unsafe action with a good action. Clicking the report button is the best and most simple way to do that. Reward them for reporting suspicious emails. Whether they wind up being phish or legit emails, you the infosec professional will have more data to work with. Your unknown risk will be reduced.

And when one person removes one real threat from the system with a report, that means no one else will see it later. Every time they hit the report button, your people make your organization smarter and more secure.

And your people get to take that those new cyber self-defense skills home with them.