Security news that informs and inspires

Phishing Kit Developers Operate Like Regular Software Shops


It’s not surprising that criminal groups look at the business world for lessons in how to streamline operations and make money. Even the murky world of phishing websites contain elements have adopted best practices from commercial operations to maximize distribution and boost efficiency.

“The phishing economy is — in all the ways that count — no different than the larger (and legal) economy you're familiar with,” said Or Katz, a principal lead security researcher at Akamai. Katz analyzed the thousands and thousands of phishing pages caught by Akamai to understand the elements that make phishing attacks efficient and effective.

The phishing economy relies heavily on kits that make it easy to spin up new sites that are “near-perfect representations” of the website belonging to the brand being cloned in the attack. These kits also provide tools to handle the back-end tasks, including distribution and data collection. When the brand changes something on the website—a layout change, a logo swap, or even some kind of a promotional element—the kit developers have to quickly update the kits and deploy to the campaign operators. If the phishing site doesn’t look right, the campaign’s success rate drops significantly, Katz said.

Some of these kits use “factory-like production cycle to target dozens of brands,” Katz said. One of the kits he analyzed was advertised as being capable of imitating some of the world’s most recognizable brands, including Gmail, Amazon, Facebook, YouTube, GoDaddy, PayPal and Skype.

The longer a feature is missing from the kit or the template is out of date, the bigger the impact on the campaign operator's revenue stream. Software companies know that rapid development and shorter release cycles is an important part of keeping their enterprise customers happy. Phishing kit developers face the same pressure from their customers, too.

The "Factory"

There is a split between the users and creators in the phishing economy—the phishing operators are the users and the consumers, in this scenario, while developers are the creators developing and releasing new phishing kits. A “phishing factory” consists of the developers who create the kits and templates, and the sales team who promote the kits and related services such as hosting email scripts and generating lists of victims. The consumers in this economy are those who buy the kits and use them to set up the attacks.

Just like every other commercial operation, developers and consumers alike have to beware of the scammers (also known as “rippers), who create and resell counterfeit kits.

With the phishing factory, there are two types of victims: the individuals whose accounts are compromised and their information (or the organization’s information) are stolen for other nefarious purposes, and the brands the attackers copied for the attack. For example, Akamai found phishing campaigns using the Chalbhai kit on more than 1,700 domains—and a single domain can host dozens of unique URLs—since last December. Chalbhai targeted brands such as Charles Schwab, Bank of America, Chase, Wells Fargo, LinkedIn, Comcast, Yahoo, Microsoft, and Adobe.

“The threat posed by phishing factories isn’t just focused on the victims who risk having valuable accounts compromised and their personal information sold to criminals,” Katz writes. “These factories are also a threat to brands and their stakeholders.”

Turns out phishing factories also like software licenses and registration schemes, too. The developer behind 16Shop, a well-known customizable multi-language kit primarily targeting Apple users, controls access to the kit through a registration and licensing system. The developer can revoke the key for phishing operators who use the kit and shut down that operator’s campaign. Chalbhai also has a licensing scheme, as well.

Evading Detection as a Feature

Phishing campaigns, by design, have a very short attack cycle. As soon as security tools recognize a URL (or domain) as being malicious, those sites get blocked. Emails with those links don’t reach inboxes, and browsers don’t let users reach those sites. Phishing kit developers have to regularly and quickly update their tools with new tools and evasive technique so that the customers can keep their attacks going.

Randomization generators are commonly used to help kits avoid detection by security tools, Katz said. Generators create URLs for a phishing campaign so that even if one URL gets blacklisted, the other URLs are still functioning. Randomizing sub-domains or appending random values to the URL string also make it harder for security tools as well as victims to verify the legitimacy of the websites by looking at the website’s address.

Other generators create random HTML source code for the website, so that the pages look the same to the victim despite having completely different source codes. Another variation is to replace ASCII text values with combination of ASCII and HTML encoding. These tactics confuse signature-based detection tools as it would be impossible to predict every possible combination.

“When the victim loads the page for the first time, the odds are in the criminal’s favor that there are no pre-existing signatures on record for the page,” Katz said.

Phishing is a numbers game—and the longer a kit remains hidden and active, the longer the attack can run and net more victims. While people can be taught to be skeptical and careful about what to click and what web forms to fill out online, the only way to stop phishing permanently is to detect and decrease the lifespan of these phishing kits, Katz said.

“As the borders between defensive vs. offensive techniques blur—now that both sides are using them—security practitioners are obligated to make sure we are familiar with the threat inside-out,” Katz said.