T2022_04 Phishing kits constantly evolve to evade security software (29th March 2022) 

What is Phishing?  

Phishing attacks occur when a person sends a fake message that appears to come from a trusted source. It is normally carried out via email. The purpose is to steal sensitive data such as credit cards and login information, or to infect the victim's computer with malware. 

What are Phishing kits?  

A phishing kit is a collection of materials and tools that cybercriminals can use to generate convincing phishing pages with minimum technical knowledge. Someone in need of a large-scale attack can also use a kit to quickly launch a phishing campaign. 

Modern phishing kits sold as off-the-shelf packages on cybercrime forums include several sophisticated detection-avoidance and traffic-filtering systems to ensure that they are not flagged as dangerous by internet security solutions. 

On the internet, fake websites that imitate well-known companies abound, luring consumers in and stealing their payment information or account credentials. 

Many of these websites are created with phishing kits, which include brand logos, realistic login pages, and, in the case of more advanced services, dynamic webpages created from a set of basic parts. 

Due to the automation that phishing kits provide, threat actors employ them widely. They often have to put up hundreds of bogus sites each day to replace those that were detected and blocked the day before. 

That is not to say that the creators of these kits make no effort to include anti-detection techniques that help them stay up and running for extended periods of time. 

On the contrary, they are using a variety of techniques to keep their harmful nature disguised from sophisticated threat detectors. 

Types of Phishing kits  

There is a plethora of phishing kits on the market, with more being released every day. Most of them, however, can be classified into a few categories based on their functionality and intended targets. 

  • Basic Kit- A simple, short archive file containing a handful of basic HTML, JavaScript, and PHP files. It saves victim information to local log files for manual collection by the threat actor. 

  • Commercial Kit- Many of the more popular phishing kits have become commoditized, with writers licensing usage and creating online shops where buyers can log in, buy, configure, and download phishing kits. 

  • Dynamic Kit- These kits include custom code and logic that allows the victim to see dynamic information based on their input. This can take the form of displaying a bogus customer banking login page based on past information or displaying company logos based on their email address. 

  • Frameworks- These are apps (rather than archive files) that may be executed on demand on web servers to build and distribute phishing websites. Additional functionality such as reverse proxying, dynamically loading assets from third-party sites, and automatically importing new phishing page contributors are available depending on the framework. 

  • Puppeteer Kit- Designed specifically to phish for online banking credentials. It allows indirect, real-time interaction between the victim and the threat actor, so that the threat actor can prompt the victim for whatever information their online banking provider asks for. This is frequently employed to circumvent OTP prompts, security phone calls, and secret words. 

How phishing kits stay hidden 

Phishing kits offer several obfuscation options, which are designed to keep internet security systems from detecting them: 

  • Caesar cipher- To make the text unintelligible, every character is replaced with one that is a fixed number of positions further down the alphabet. The shift is reversed when the page is loaded, and the correct characters are displayed. 

  • Page source encoding- The text or the HTML code of the page is protected with AES encryption or base64 encoding, which is far more powerful than the Caesar technique. When the page is loaded, the content is decoded in the browser. 

  • Invisible HTML tags- A large number of junk HTML tags are added to the page; they are not visible when the page is rendered in the browser and merely serve as harmless "noise" that masks the harmful elements. 

  • String slicing- Strings are cut into re-arrangeable groups of characters that are referenced in a code table by their number. The strings are reassembled in full when the page is loaded. 

  • Randomized HTML attributes- Adding a high number of randomized tag attribute values effectively disables anti-phishing programs by making their predictions inaccurate enough to be dismissed. 
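As an added example that is not part of this advisory, the Python script below checks the HTML of a captured page for four of the obfuscation signs listed above (base64 source decoded by atob() at load time, a Caesar-style per-character shift loop, invisible tags, and randomized attribute values) and recovers the cleartext behind any base64 blob so an analyst can read what the browser would inject. The regexes and thresholds are assumed heuristics, not any product's rules, and the sample page is constructed rather than taken from a real kit.

```python
import base64
import re
# Assumed heuristics (not a real product's rules) for four tricks described in this advisory.
B64_CALL = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]{16,})["\']\s*\)')
CHAR_SHIFT = re.compile(r'charCodeAt\([^)]*\)\s*[-+]\s*\d+')
HIDDEN_TAG = re.compile(r'<[a-z]+[^>]*style="[^"]*(display:\s*none|visibility:\s*hidden)', re.I)
ATTR_VALUE = re.compile(r'\b(?:id|class|name)="([^"]+)"', re.I)
RANDOM_VALUE = re.compile(r'(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,}')
TAG = re.compile(r'<[a-z]+[^>]*>', re.I)

def decode_atob_blobs(html):
    # Recover the cleartext the browser would inject from each atob("...") call.
    out = []
    for blob in B64_CALL.findall(html):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64: leave it for manual review
            pass
    return out

def obfuscation_indicators(html):
    values = ATTR_VALUE.findall(html)
    return {
        "tags": len(TAG.findall(html)),
        "hidden_tags": len(HIDDEN_TAG.findall(html)),
        "random_attr_values": sum(1 for v in values if RANDOM_VALUE.fullmatch(v)),
        "char_shift_loops": len(CHAR_SHIFT.findall(html)),
        "base64_payloads": decode_atob_blobs(html),
    }

def is_suspicious(html, hidden_ratio=0.2, random_attrs=3):
    # Return the reasons a page looks obfuscated; an empty list means none were found.
    ind = obfuscation_indicators(html)
    reasons = []
    if ind["base64_payloads"]:
        reasons.append("page source decoded by the browser at load time")
    if ind["char_shift_loops"]:
        reasons.append("per-character shift loop (Caesar-style decoding)")
    if ind["tags"] and ind["hidden_tags"] / ind["tags"] >= hidden_ratio:
        reasons.append("high share of invisible HTML tags")
    if ind["random_attr_values"] >= random_attrs:
        reasons.append("many randomized HTML attribute values")
    return reasons

# Constructed sample page (not from any real kit) that combines all four tricks.
PAYLOAD = base64.b64encode(b"<div>hello</div>").decode()
SAMPLE_PAGE = f"""<html><body><span style="display:none" id="q8Zk2pL9">x</span>
<div style="display:none" class="A7dK3mPq"></div><p style="visibility:hidden">noise</p>
<p class="Zz91Kq0w">text</p><form id="login"><input name="user"><input name="pass"></form>
<script>document.write(atob("{PAYLOAD}"));var t="khoor",s="";for(var i=0;t.length>i;i++)s+=String.fromCharCode(t.charCodeAt(i)-3);</script></body></html>"""
```

Running `is_suspicious(SAMPLE_PAGE)` returns all four reasons, while a plain page with no hidden tags, random values or decoding code returns an empty list.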

Recommendations to Address Different Types of Phishing Kits 

  • Enable 2-factor authentication for all your organizational accounts. 

  • Utilize account permissions best practices such as role-based access control, least privilege, and restricting root/admin permissions. 

  • Avoid opening unsolicited attachments and never click suspicious links. 

  • Do not share passwords, and do not reuse the same password on different websites and applications. 

  • If you are alerted or suspect a compromised account, change the password immediately. 

The Guyana National CIRT recommends that users and administrators review these recommendations and implement where necessary. 
