Security Experts:

Analysis of 3,200 Phishing Kits Sheds Light on Attacker Tools and Techniques

Phishing kits are used extensively by cybercriminals to increase the efficiency of stealing user credentials. The basic kit comprises an accurate clone of the target medium's login-in page (Gmail, Facebook, Office 365, targeted banks, etc), and a pre-written php script to steal the credentials -- both bundled and distributed as a zip file. Successfully phished credentials are mailed by the script to the phisher, or gathered in a text file for later collection. This is commodity phishing; not spear-phishing.

A legitimate website, often a Wordpress site with old and vulnerable add-ons, is compromised. An orphaned page with no internal links is created, and the kit uploaded and unzipped. It is largely unknown to the site's administrator and invisible to external search engines; and is ready to use. The criminal merely has to send out his phishing emails pointing to the spoofed login on the compromised website.

Duo Security R&D engineer Jordan Wright found and analyzed a single phishing kit; and decided to investigate the extent of their use. The results were published this week in a new report (PDF).

Wright used two different community-driven phishing URL feeds to locate them: PhishTank run by OpenDNS, and OpenPhish.

"We polled these feeds repeatedly over a month to get new suspect phishing URLs to analyze," Wright told SecurityWeek. "We collected about 66,000."
The purpose was to try to grab any related phishing kit by visiting the URL and accessing the folder's index page. Where this was possible, it would expose any original phishing kit zip file that could be downloaded. This gave the Duo researchers access to any complete bundle left behind by lazy attackers, including the php script file used to steal and forward the credentials. Over the course of the month, Duo gathered 3,200 unique phishing kits for analysis.

One of the first things discovered was widespread use of persistence techniques. A common method on compromised WordPress sites is the inclusion of an htaccess directory configuration file within the phishing kit, that blocked access to the phishing folder from threat intelligence services. One example blocks more than 220 specified domains (including major endpoint protection firms, law enforcement agencies, and individual IP addresses). "Comparison of the different htaccess files," said Wright, "showed that there is definite information sharing between the kit developers."

The same functionality was sometimes provided by php scripts included in the kit -- but Duo detected more than 200 instances of the kit developers' own backdoors buried within the code. It is a simple call to the system function. "It takes whatever you give it as a parameter and executes it as a system command," explained Wright. "This lets anyone gain access to the host, leaving it wide open for future attack." It gives the original kit developer future access to the host without having to go through the process of compromising it himself. In a similar vein, some of the scripts contained obfuscated code to quietly send the stolen credentials to the developer as well as the phisher.

By hashing the collected phishing kits, Duo was able to examine the extent of kit reuse. In the month-long investigation, it found that the majority of kits were only used once -- but 27% (more than 900 kits) were seen on more than one host. Two were found on more than thirty hosts, indicating very active attackers. "We expect," said Wright, "that as we continue this study, we shall see more instances of reuse."

The email addresses of the individual kit users were extracted and correlated to show which phishers were connected with which campaigns and which phishing kits. Duo found that the kit developer would often use the 'From' header as a 'brand' signing card, tying multiple different kits to the same author. One in particular called himself 'wirez[@]googledocs[.]org'. This branding was found in more than 115 unique phishing kits spoofing multiple service providers. 
While information sharing in the cybercriminal world is well-known, this is the first evidence of the extent to which phishing kits and phishing information are also shared. 
"A next step from this study, and something we are trying to establish," Wright told SecurityWeek, "is a funnel to send the discovered email addresses of the phishers to the relevant authorities -- both email providers and law enforcement. If we can get that email address shut down as soon as we find it, any credentials harvested by the phishing kit will not be sent to the phisher -- and that's a net gain for the defenders." It neutralizes the phishing kit without having to go through the process of shutting down the compromised website -- which may otherwise be perfectly legitimate.

But that's not the only practical value from this study. "Kits can be used all day," explained Wright, "but if we can't find them, that knowledge doesn't give us much value. We're trying to shine a light on what is happening in the phishing world: here's how it works, here's what it looks like. Another part of that is, here's what you can do about it. We're open-sourcing all the code we wrote to do this research, and we're putting it up on GitHub. Organizations can download it and try to replicate the results for their own organization. They can adapt this code to say, I only want to look at these phishing URLs that I know are hitting my organization and are hitting my users. Then I can try to go out and find the phishing kit -- because whenever I'm doing incident response, knowledge is everything. 

"I'll be able to say, I know this information was collected," he continued, "and from there it was emailed to that attacker. I've already been in touch with Gmail or Yahoo to get that address taken down -- well, that's huge. If I have that kind of knowledge and I have that kind of insight into what happened, I can take effective action in my incident response cleanup activities."

The reality, however, is that this level of information could also lead to some organizations taking matters into their own hands with 'active defense'. If a particular phishing kit attacking a particular organization is discovered, and found to include the system call backdoor in the php script code, then that organization could enter the host and remove the danger. "A risk with any kind of hacking back is it's so easy to cause collateral damage," warned Wright; "and that's what you have to be so careful about. This study is about how you can help protect your organization -- it's not about hacking back." Which is, of course. illegal -- for now at least.

Duo Security raised $70 million in a Series D funding round led by Meritech Capital Partners and Lead Edge Capital in October 2017.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.