What You Need to Know About Phishing Kits
Written by Lindsay McKay
As much as we try to stay safe online and follow cybersecurity practices, it is getting harder and harder to avoid becoming a victim of a cyberattack. But what is to blame for this? Social engineering. Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. A popular use of social engineering is phishing, which has become increasingly popular and easier with the use of phishing kits.
What Are Phishing Kits?
Any phishing attack seeks to trick recipients into divulging sensitive and personal information. These attacks include spear phishing, which targets specific companies or individuals; whaling, which targets high-profile business leaders; and vishing, which uses phone calls or voicemail to steal credentials and trick people into sending sensitive information. Usually, the challenge for the bad actor is to create emails and websites that appear authentic and convincing. This is where a phishing kit comes in. Phishing kits are pre-packaged sets of files that contain all the code, graphics, and configuration files needed to deploy a phishing page.
A typical phishing kit includes:
- Website development software or premade landing pages
- Email templates
- Sample malicious scripts or codes
- Automation software for malware distribution
- Victim profiling such as usernames, passwords, and MFA tokens
- Evasion mechanisms like HTML character encoding and blockers
Phishing kits are designed to be easy to deploy and reusable, and they can be used without a lot of technical knowledge or skill, as they normally come in a zip file that just needs to be unzipped to be used.
Types of Phishing Kits
Phishing kits can be simple or advanced, depending on the type. Simple kits include only a few components, while advanced kits include botnets and other evasion methods. The complexity and capabilities of a phishing kit influence its price, which varies from $100 – $300 per month, an extremely low cost for a cybercriminal serious about launching a phishing campaign.
The four typical phishing kits are as follows:
- Dynamic phishing kit: a specially designed phishing lure such as fake banking login pages and compromised emails and passwords
- Puppeteer phishing kit: specifically designed to phish for online banking credentials and often used to bypass OTPs and security phone calls
- Commercial phishing kit: gives the buyer the ability to create a customized phishing kit where the buyer just needs to log in, purchase, configure, and download the phishing kits they like
Why Are They a Threat?
These phishing kits are a concern for a few reasons. First, cybercriminals frequently host these phishing sites on a legitimate public cloud service like AWS (Amazon Web Services) or Azure, so the pages have authentic SSL certificates on legitimate domains. The pages are taken down and replaced with a new page once they have received some login credentials, which makes them difficult to spot. Secondly, the kits allow almost anyone to launch a phishing attack as long as they are willing to pay and have a computer; there is no need for programming skills or the time to design authentic components.
To start, watch out for some of the red flags in your email or other communications:
- The email address is from an unusual source or from a suspicious domain
- The email was also sent to lots of other people that you do not recognize
- The email comes at an odd date or time of day
- The link-to address does not match what is shown to you when you hover over a link
- The message contains spelling errors or awkward grammar
Next, look into completing some basic cybersecurity training courses to learn some of the best practices online, such as CompTIA A+ training, Security+ training, or Network+ training.
If you want to read more about cybersecurity, check out TechnoEdge Learning’s blog. If you want to learn some history, I recommend starting with The Evolution of Cybersecurity: Part 1. Or, if you are looking for some new podcasts to listen to, check out our list of top cybersecurity podcasts.