Most phishing sites are quickly detected and access to them is blocked, but not matter how fast the “takedown” happens, the number of victims is still large enough to make the phishers’ effort worthwhile.
That’s because the required effort is often minimal: access to compromised sites can be relatively cheaply bought (or phished), access to email accounts used to send out phishing mail is easy (new or compromised through phishing), and phishing kits are pretty easy to create and, generally, shared or sold at a bargain.
“To stand up a new phishing site, attackers first clone the legitimate site they want to spoof, then change the login form to point to a simple PHP script. The script collects credentials and either emails them to the attacker or logs them to a text file,” Jordan Wright, R&D Engineer at Duo Security, explains.
“Once the contents of the phishing site are created, they are bundled into a .zip file for reuse across multiple servers and phishing campaigns.”
These phishing kits are, in this form, easy to upload to a hacked site, where the files are unzipped into a directory. With the phishing page ready, the attackers can start sending out phishing emails pointing to it.
Analyzing phishing kits
Wright and his colleagues set out to analyze phishing kits left behind by lazy phishers on compromised websites/servers, so they trawled through sites hosting phishing URLs that have been submitted to Phishtank and OpenPhish.
After a month, they found 3,200 unique ones, and their analysis revealed that there is some kit reuse, even though it’s not as extensive as expected given that the whole point of phishing kits is to make it easy for attackers to reuse code across phishing sites.
They also found that only 11 percent of the compromised sites hosted multiple unique phishing kits, which means that either the same actor ran multiple campaigns simultaneously, or that multiple actors have compromised the same host.
The latter possibility should not come as a surprise, as many of the phishing kits they analyzed came with (hidden) backdoors.
“While we can’t attribute these particular kits we studied to a marketplace, there have been other smaller studies that indicate phishing kits can be bought for as little as $2 – $10,” Wright told Help Net Security.
Regardless of how these kits are obtained – be it sold, given away, or traded – attackers are obviously using them as an opportunity to reap the benefits of a compromised host without doing any of the work, he noted.
“The most common backdoor we came across when searching through our data set was access to the host. However, there have been reports of backdoors that use heavily obfuscated code to send harvested credentials to a separate attacker’s email address. These are harder to detect at scale since this obfuscation can vary across kits and would require more close analysis, which we consider a good next step for future work.”
Who’s creating and who’s using these kits?
The analyzed phishing kits are made to emulate most popular service providers, including email providers, social networks, financial services, and more.
“The surprising finding to us wasn’t that these service providers are being used, but rather that we could see clear ties between the email addresses for particular actors and multiple phishing kits spoofing different services. So you may have an actor who can be seen as connected to both a phishing kit spoofing an email provider as well as a phishing kit spoofing a social network,” Wright says.
He also pointed out that one of the most useful things we can learn from analyzing phishing kits is where credentials are being sent.
“By tracking email addresses found in phishing kits, we can correlate actors to specific campaigns and even specific kits. Not only can we see where credentials are sent, but we also see where credentials claim to be sent from. Creators of phishing kits commonly use the ‘From’ header like a signing card, letting us find multiple kits created by the same author.”
The rise of HTTPS phishing pages
Three of the top 10 paths in the researchers’ dataset indicate that phishing sites are hosted on compromised WordPress instances, but other sites using other content management systems are also targeted:
“Attackers looking to compromise unpatched, out-of-date systems frequently target widely-used content management systems. This is why it’s critical to keep such software up-to-date,” the researchers noted.
Another interesting finding is that over 16% of the recorded samples were served over HTTPS.
“This doesn’t indicate anything wrong with HTTPS, but security professionals will now need to adjust their recommendations for spotting phishing sites and reconsider how much trust is placed on the ‘secure’ indicator in the browser,” they noted.
Finally, many of the analyzed phishing kits come with a .htaccess file that blocks connections based on HTTP request attributes, and on the list of blocked IP ranges are those belonging to threat intelligence services like Abuse.ch, Phishtank, and Netcraft. The goal, of course, is to keep the phishing URLs working as long as possible.