Researchers at Group-IB, a Singapore-based cybersecurity company, have found out that amid the rising concerns of restructuring and reuse of previously known malware families, phishing kits have become a popular choice for spreading them. Phishing kits have now gained the “Bestseller” tag in the underground market, with the number of ads and their sellers having doubled in 2019 as compared to2018. The growing demand for phishing kits is also reflected in its price that skyrocketed last year by 149% and exceeded $300 per item.
What’s in it for the Attacker and the Defender?
Phishing kits represent archive files with a set of scripts that ensure the work of a phishing website. This toolset enables attackers with modest programming skills to execute small to high volume malicious campaigns. This interests the attention of cybersecurity researchers. The detection of a phishing kit not only helps to discover hundreds or even thousands of phishing pages but also serves as a starting point of a cyber forensic investigation to identify and track down the operators and eventually the creators of the phishing kit.
We must seek to prevent the further spread of ‘disease’ and fight not against its symptoms – phishing pages, but against its causative agent – phishing kit makers.
– Dmitry Volkov
(Group-IB CTO and Head of Threat Hunting Intelligence team)
To collect data, phishing kits normally have a designated email address, to which the illegally exfiltrated data is sent. The number of unique email addresses detected in 2019 has seen an 8% growth over the previous year. The increased number of unique email addresses in phishing kits is another notable trend that suggests phishing kits’ expansion in the underground market and the rising number of their operators.
Other Findings related to Phishing Kits
Group-IB’s Threat Hunting Intelligence team has done extensive research of various underground forums and have found that:
- Over 16,200unique phishing kits were detected in 2019.
- Only 113,460 out of 7 million phishing pages detected contained a phishing kit, pointing out that hackers have now grown more cautious in their malicious activities.
- The number of phishing kit sellers active on underground forums has increased by over 120%in 2019 Y-O-Y.
- Relatively an equivalent growth percentage (%) has been seen in the number of online phishing kit ads posted on the dark web.
- Amazon, Google, Instagram, Office 365, and PayPal were the most found brands in the 2019 phishing kits.
- Top 3 “online markets” for trafficking in phishing kits last year were Exploit, OGUsers, and Crimenetwork.
- In 2019, the average price of a phishing kit more than doubled compared to the year before and totaled $304, with the prices generally ranging between $20and $880.
- In comparison, the prices for a phishing kit varied between $10and $824, while the average price stood at $122 in 2018.
The researchers said the most remarkable gesture though was that some of the phishing kits were offered for free. This isn’t human generosity, but a possibility of backdoors hidden in these freebies, which would enable their creators unrestricted future access to all the exfiltrated data.
Group-IB CTO and Head of Threat Hunting Intelligence team Dmitry Volkov, said, “Phishing kit creators are the driving force of this criminal marketplace – one individual might be behind the creation of hundreds of phishing pages and, even worse, behind the compromise of the personal information of thousands of people. Therefore, the fight against phishing kit creators should be at the core of the struggle to eradicate phishing. In its practice, our team had several investigations that resulted in the deanonymization of phishing kit creators. By sharing such info with relevant law enforcers and ensuring the apprehension of cybercrooks, we seek to prevent the further spread of ‘disease’ and fight not against its symptoms – phishing pages, but against its causative agent – phishing kit makers.”