Over the years, phishing -- the practice of sending fraudulent emails, files and links to trick users into handing over account logins, sensitive information or install malware on their systems -- has evolved. Phishing campaigns are no longer limited to emails from your 'long lost Uncle' in Africa or your bank instructing you to change your account information; instead, we are now beset with legitimate-looking emails sent not only from cold addresses, but sometimes your own contacts if their accounts are compromised.
The arrival of malware kits and templates on the black market has not only pushed these scams forward, but also their design and development -- as cybercriminals can work together to make phishing campaigns easier to operate.
These kits can be purchased for between $2 and $10, although Symantec observed some hackers simply stealing them. There is also little technical knowledge or skill required to operate the most simple kits -- a little PHP knowledge and they are able to customize phishing campaigns and send them off in new campaigns. If successful, data stolen during a campaign can be used by a cybercriminal themselves or sold on the black market.
Symantec notes that some phishing kits were very basic, containing nothing more than two web pages. However, the premium designs looked far more professional and convincing, with over 25 PHP-based source files and 14 different language file sets included.
The professional kits are not only used to steal usernames and passwords, but "personal data such as names, surnames, dates of birth, credit card numbers, CVV numbers, Social Security numbers, and much more," according to the security firm. The phishing kits also mimic corporations involved in cloud storage, banking, email and other industries.
Anonymous targets ISIS social media, recruitment drives in #OpISIS campaign
Once a kit has been purchased, the first thing a criminal needs to do is install it on a remote server, whether by compromising legitimate content management systems or blogs via exploits including SQL injection bugs, or they can rent a server or use free hosting space. When a kit has been set up, they install a Simple Mail Transfer Protocol (SMTP) mailer so recipient lists can be emailed in bulk.
In addition, to prevent unwanted access to their phishing kits and discovery, attackers use a number of techniques to hide their activities including .htaccess files with a list of blocked IP addresses related to bots from search engines and security companies and PHP scripts which check to see if remote IP addresses are permitted to access the phishing pages -- scripts which are often included in the kits.
Symantec says that most of 800 phishing kits examined are hosted in the United States, but are also present in Canada, India, Ukraine, and Germany.
The security firm recommends that you keep an eye out for suspicious emails, and if it looks to good to be true -- for example, a congratulatory note telling you you've won the Spanish lottery -- it likely is. In addition, bad grammar and spelling errors can indicate a phishing message. If you see 'X-PHP-Originating-Script' in an email's header, the message was sent via an automated script and should be avoided.
Naturally, keeping security software up-to-date will assist in phishing email alerts, and may catch malware before damage is done to your system.