Recent Posts

Recent Blog Posts

The PhishLabs Blog

Anatomy of a Phishing Attack: How Phish Kits Evolved in 2016

Posted by Lindsey Havens on Feb 23, '17

Phish Card.jpgAt this point, most organizations are already aware of phishing. No matter what industry you’re in, phishing is one of the top cyber threats you’ll face in 2017.

But for most people, the threat actors responsible for phishing attacks are something of a mystery. They picture a faceless, hooded specter, hidden somewhere in the dark recesses of the Internet.

Of course, nothing could be further from the truth. Whether you’re targeted by small-time script kiddies or serious organized crime groups, they’re just people.

And no matter how skilled they are, their phishing campaigns rely on the same set of tactics and techniques as every other cyber criminal out there.

To break down their mystique and help organizations all over the world defend themselves against phishing attacks, we spend a huge amount of time identifying, obtaining, and analyzing the latest threat actor tools. In this article, we’ll explain how these tools are developed, what they’re used for, and what we can all do to fight back.

Want to know more about the latest phishing trends? Next week we'll be holding a webinar to explain the findings of our recently published Phishing Trends & Intelligence Report. Register now to avoid disappointment.

Register for Webinar

Tools of the Trade

Before we look at how phish kits evolved in 2016, it’s important to understand exactly what we’re talking about.

You see, threat actors usually aren’t very original. With the exception of highly advanced groups (e.g. government agencies) they rarely develop their own tools, instead relying on prebuilt kits.

Quite simply, a phish kit is a group of files, typically contained in an archive file (e.g. a ZIP file), that can be used to create a fully fledged phishing site. From HTML/PHP page templates and autorun scripts to embedded images, these kits are very thorough and require almost no technical skill to use.

And of course, once a phishing site is setup, a threat actor can use it as the basis for phishing campaigns until such time as the site is identified and shut down.

During 2016, we collected and analyzed over 29,000 unique phish kits, helping us to develop an in-depth understanding of the techniques threat actors use to carry out their phishing campaigns. To see the full results of our analysis, plus a whole lot more about phishing trends and intelligence in 2016, download the latest PhishLabs PTI report.

Using a combination of artifact and behavioral analysis, we’re able to link individual kits to the phishing sites they have been used to create. From there, we identify the primary channels being used to distribute the kits, and ultimately disrupt the supply chain by taking down the distribution points.

Stealth Phish

Of course, threat actors know law enforcement agencies and security experts will attempt to disrupt their work. As a result, many have developed tactics and techniques for avoiding detection and unwanted access to their phishing sites.

Phish Pie.pngTypically these access controls come in the form of HTACCESS files or PHP blacklists, and disallow access based on IP address, user agent string, or HTTP referrer. In rare cases we have also identified phish kits that use access whitelists, which only allow visitors to access the site if they meet certain criteria such as geographic location. Either way, the aim is clear: threat actors only want potential victims to access their phishing sites.

As we’ve already mentioned, we analyzed a lot of phish kits in 2016, and more than one in five (22 percent) included some form of access control mechanism. Of those, 42 percent blocked unwanted visitors using HTACCESS files, and 17 percent used PHP blocklists. A further 41 percent included both HTACCESS files and PHP blocklists, providing comprehensive control of unwanted visitors.

And threat actors don’t stop at limiting site access.

One of the primary ways security professionals can fight back against phishing is to proactively blacklist known phishing sites. That way, even if a user does fall for a phishing email, if the phishing site being used has already been identified and blacklisted, the attack will be unsuccessful.

But of course, threat actors know this. True, they can always setup new phishing sites, but that takes time and effort. Instead, they’d much rather keep each new site up for as long as possible.

To that end, some phishers use techniques to dynamically alter the URL of their sites for each visitor, in an attempt to reduce the effectiveness of browser-based blocking. From our analysis of phish kits in 2016, we’ve identified two primary techniques being used for this purpose: directory generation and randomized URL parameters.

Directory generation is what we might consider to be the ‘blunt force’ approach to dynamic URLs. Each time a new victim visits the site, a new directory is generated on the server, and all the components that make up the phishing site are copied into it. As a result, the URL will be different for each individual visitor, though the root path to the phish kit itself will remain unchanged. Of the kits we analyzed in 2016, 15 percent used this technique.

Phish Kit PHP.jpgAbove is an example of a simple PHP script designed to dynamically generate a new directory for each visitor.

A further 14 percent of kits made use of randomized parameters, which were appended to the end of a phishing page’s URL when a new visitor arrived. Just like with directory generation, this makes the URL unique to each visitor. Unlike directory generation, however, this technique does not require files to be copied or created on the server.

One Phish to Rule Them All

Threat actors are not all made equal. Some are highly skilled, experienced, and resourceful, and others are… not so much.

As a result, the phishing ecosystem relies heavily on the small number of threat actors who possess the skills necessary to develop phish kits. And just like legitimate software industries, kit authors look to make a profit from their creations by distributing them to less sophisticated threat actors.

There are two primary ways for kit authors to make money. The first is obvious: they sell their creations via dark web markets, IRC channels, and private communications.

Most kits are sold for between $1 - $50 USD, depending on their complexity. Others are packaged with advanced features such as campaign tracking, and can be sold for hundreds of dollars each.

But many would-be phishers aren’t interested in spending money. As a result, there has been a huge increase in phishing kits being freely distributed by underground forums, file sharing sites, and even social media.

Now on the face of it, that might not seem like a sensible business model. After all, why take the time to develop a phish kit from scratch, only to give it away?

This is where things start to get interesting. Instead of charging for the kits themselves, phish kit authors often insert ‘backdoors’ into their code. Now, when another threat actor uses that kit, all compromised data obtained through that actor’s phishing campaigns is also forwarded to the kit author. These backdoors are generally overlooked by their unsophisticated users, enabling kit authors to profit indirectly by selling on all of the personal and financial information collected by each of the kit’s users.

So whether directly or indirectly, phish kit authors have identified ways to make money from their expertise without ever having to conduct their own phishing campaigns. And since only a tiny proportion of threat actors possess the knowledge and skills necessary to produce these types of tools, it seems likely that these trends will continue for the foreseeable future.

Learning from Data

So now you know how phishing campaigns actually work, what can you do differently? After all, there’s limited value to understanding your enemy unless you can identify a way to use the information.

In this case, there are two primary takeaways.

First, having this deeper understanding of phish kits can dramatically enhance your ability to block phishing campaigns using technical controls. If a significant proportion of phish kits include facilities designed to circumvent browser-based blocking (which they do), this suggests that alternative blocking methods should be employed.

As we’ve already pointed out, whether a kit uses directory generation or randomized URL parameters to dynamically alter URLs, the kit’s root path remains unchanged, as does the IP of the server itself. This opens up a number of alternative blacklisting options, which most phish kits are far less able to cope with.

The second takeaway is something we talk about all the time. The trends we’ve identified in phish kits over the past several years point to one unavoidable truth: threat actors and their tools will continue to evolve as security standards improve. No matter how good your technical controls are, some phish kits will circumvent them.

And that leaves just one course of action: powerful security awareness training.

By teaching your users how to identify and report phishing emails on site, you’ll be turning your organization’s greatest weakness (people) into its greatest strength. To find out how to make this transition, check out this post or get in touch today.

Topics: Phishing, Phish Kit, PTI Report

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all