Phishing attacks now come in a kit.
That’s right – Akamai Technologies recently reported on “factories” that build phishing kits. The kits are “developed, sold, and then updated as needed,” Principal Lead Security Researcher Or Katz wrote recently on an Akamai blog.
A kit includes a “near-perfect” representation of a brand’s website. If the brand updates its website, then the kit must be updated too – or it goes into a “collection” where buyers must individually update the site templates.
Phishing kit factories employ developers who build the kits and templates, plus evasion techniques. The “factories” also employ sales teams to market the kits as well as sell other services, such as hosting, email scripts, and target lists.
“Get your phishing templates for … Amazon, e-Trade, Facebook, Gmail …” says an ad posted as an example. One nice thing about this, writes Katz, is that there are scammers who will rip off other scammers, passing off the other crooks’ kits as their own. (Hacker karma, perhaps – but reviews on the Dark Web give low ratings for the pirated versions, Katz writes.)
There’s even a kit brand – Chalbhai – that’s been a top seller, apparently.
“Chalbhai phishing kits have been observed targeting several major brands, including Charles Schwab, Bank of America, Chase, Wells Fargo, LinkedIn, Comcast, Yahoo, Microsoft, and Adobe,” writes Katz.
While Katz didn’t discuss the MSRP of a kit, GlobalSign said last November that most were running about $20 to $50 per kit, and allowed even technology neophytes to “capture basic details about victims, such as generic passwords or other simple information that can then be used to mount a more sophisticated attack.”
While you may be sick of the anti-phishing lectures, the rise of the kits threatens the integrity of your brand’s website, Akamai says.
“The growing industrial nature of phishing kit development and sales, where new kits are developed and released within hours, and the clear split between creators and users, means this threat isn’t going anywhere any time soon,” Katz added. “The threat posed by phishing factories isn’t just focused on the victims who risk having valuable accounts compromised and their personal information sold to criminals. These factories are also a threat to brands and their stakeholders.”