Over the years, phishing campaigns have become much easier to operate, thanks to the evolving cybercriminal marketplace. Today, attackers work together to build phishing kits and sell them to other scammers who want to quickly launch information-stealing campaigns.
Scammers can buy these kits for between US$2 to $10, though they have also been observed stealing them. They don’t have to have a lot of technical skills to use these kits—with just a little knowledge of PHP, they can customize their phishing pages to suit their needs. The scammers can then use the stolen data for their own purposes or sell it on underground marketplaces.
We decided to look into the current phishing economy to see how attackers use these kits for their campaigns. Some of the kits that we observed were quite basic and only included two web pages. However, others appeared to be more professional and convincing, with more than 25 PHP source files and 14 different language files that can be loaded based on the user’s location.
Figure 1. A complex phishing kit with PHP files in different languages
Scammers can use some of the more professional kits to not only steal user names and passwords, but also personal data such as names, surnames, dates of birth, credit card numbers, CVV numbers, Social Security numbers, and much more. These phishing kits can be used to mimic the appearance of popular websites belonging to companies involved in cloud storage, banking, email, and more.
How scammers set up their phishing kits
When a scammer has bought a phishing kit, they first need to install it on a remote server. They can do this in a number of ways:
- The scammer could attempt to compromise legitimate content management systems or blogs in order to install the kit on clean servers. They could do this by exploiting vulnerabilities, such as SQL injection bugs or remote code execution flaws, in these sites. Attackers often build automated scripts to exploit vulnerabilities in order to compromise as many servers as possible. In some of the observed compromised servers, we found that the attackers used cPanel brute-force scripts, phpBB/Joomla brute-forcers, and exploits to automatically find vulnerable sites.
- If the scammer doesn’t know how to compromise a site, they could rent a bullet-proof server or use a free hosting space to host their phishing kit.
Once the scammer has set up the kit, they then need to install a Simple Mail Transfer Protocol (SMTP) mailer so that they can import a list of users’ emails and send the phishing messages in bulk.
Figure 2. SMTP mailer used to distribute phishing messages
We have also seen how attackers are trying to implement techniques to block unwanted access to their phishing kits, as they may want to prevent Google, Yahoo, or security company bots from finding them. Some of the techniques include:
- .htaccess files with a list of blocked IP addresses related to bots from search engines and security companies
- robots.txt files that are used to prevent search engine or security company bots from accessing specific remote directories
- PHP scripts that dynamically check if the remote IP address is allowed to access the phishing pages. These scripts are often included as part of the phishing kit.
How the kits steal data
According to the phishing kits’ source code, all of the stolen information is sent back to the scammers’ remote location through email or File Transfer Protocol (FTP) connection, or may be directly stored on a text file located on the compromised server. If the user inputs their personal data on a phishing page, they then typically get redirected to the original site. To further discourage user suspicion, the phishing kit may automatically log the user in to the legitimate site using the user name and password that the victim submitted on the phishing page.
Figure 3. Phishing kits can automatically log users in order to avoid suspicion
Who are behind these scams?
According to our analysis, the majority of the 800 websites that were compromised to host phishing kits are in the US. Other regions with sites hosting these kits include Canada, India, Ukraine, and Germany.
Figure 4. Top ten regions hosting phishing kits
Phishing kits are more easily accessible compared to malware kits, as scammers don’t necessarily need to lurk on underground forums to find them. As a result, many phishing kit operators may not have the knowledge or technical skills needed to cover their tracks.
Some of the email addresses that we identified in the phishing kits are also being used by the attackers in their day-to-day activity on social networks or on online forums. We identified one particular attacker, aged between 22 and 25, who was boasting about his successful campaigns on social networks. He posted pictures, showing that he gained access to his phishing victims’ online payment accounts and transferred their money to his own account.
Phishing kits are becoming easier to find and use, potentially encouraging would-be scammers to steal information from users. Users should remain cautious of phishing attempts and ensure that they safeguard their personal data.
Symantec recommends the following basic security guidelines to end users:
- Exercise caution when clicking on enticing links sent through emails or posted on social networks. If something looks too good to be true, then it likely is.
- Check for bad grammar or spelling errors in received emails. This could be a sign that the email is a phishing message.
- Avoid clicking on links in unsolicited, unexpected, or suspicious emails.
- Check the message’s email header for “X-PHP-Originating-Script” to see if the email was sent by an automated script.
- Keep security software and web browsers up to date, as the latest updates may detect the phishing messages as malicious.
Server owners should adhere to the following advice to protect devices and sites under their control:
- Keep your server’s software and CMS up to date to reduce the possibility of being compromised.
- Review your access and error logs often to detect suspicious activity.
- Implement a log to identify scripts that are using email services in order to find out how many emails are being sent from your server and which script is performing this activity.