Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Phishing Kits Hook Victims in Attacks

Fishing successfully in a lake requires patience. Phishing successfully in cyberspace however takes only a few dollars of investment.

Fishing successfully in a lake requires patience. Phishing successfully in cyberspace however takes only a few dollars of investment.

According to Symantec, scammers can buy phishing kits for between $2 and $10. These kits do not always require technical skill to use – with just basic knowledge of PHP, attackers can customize their phishing pages to meet their needs, blogged Symantec’s Roberto Sponchioni.

“Some of the kits that we observed were quite basic and only included two web pages,” he blogged. “However, others appeared to be more professional and convincing, with more than 25 PHP source files and 14 different language files that can be loaded based on the user’s location. Scammers can use some of the more professional kits to not only steal user names and passwords, but also personal data such as names, surnames, dates of birth, credit card numbers, CVV numbers, Social Security numbers, and much more. These phishing kits can be used to mimic the appearance of popular websites belonging to companies involved in cloud storage, banking, email, and more.”

The scammers sometimes attempt to compromise legitimate content management systems (CMS) or blogs in order to install the kit on servers, Sponchioni  explained. Attackers often build automated scripts to exploit vulnerabilities in order to compromise as many servers as possible, he noted. 

“If the scammer doesn’t know how to compromise a site, they could rent a bullet-proof server or use a free hosting space to host their phishing kit,” he added. “Once the scammer has set up the kit, they then need to install a Simple Mail Transfer Protocol (SMTP) mailer so that they can import a list of users’ emails and send the phishing messages in bulk.”

Recently, researchers with OpenDNS revealed that they detected multiple domains created to impersonate the PayPal website as part of an email phishing campaign. One of the primary websites (redirectly-paypal.com) was registered Jan. 25 through Wix.com. One of the fraudulent domains (security-paypal-center.com), which has been dormant since its expiration in 2005, was re-registered Jan. 22 through Wix.com as well, according to OpenDNS. In addition, the firm also found many other PayPal-related spoofing domains.

“Most of the phishing sites these days leverage a kit to generate the content,” Andrew Hay, senior security research lead with OpenDNS, said in a statement. “We have it on good authority, from our contacts at PayPal, that the kits being used in this case were quite sophisticated when compared to others that they have seen previously. This kit makes the creation of fraudulent sites a relatively easy endeavor, as opposed to direct copy and pasting of code from the legitimate website.”

“We identified five sites within a one week research window that shared a similar level of sophistication,” he added.

Advertisement. Scroll to continue reading.

Phishers don’t wait long to jump on current events either. Researchers at Symantec spotted attackers taking advantage of the recent news surrounding Intuit’s TurboTax. Last week, Intuit briefly suspended e-filing of state income tax returns through TurboTax in response to a spike in fraudulent tax returns.

“Scammers have been masquerading as TurboTax in an attempt to phish account credentials of TurboTax users,” blogged Symantec’s Satnam Narang. “The email begins with “Dear TurboTax User,” a common red flag that the email did not originate from TurboTax, as legitimate emails would address the user by their name. From there, the email gets straight to the point by asking the recipient to verify their identity to ensure uninterrupted service and prevent illegal activity. It provides instructions on how to do so, specifying that they need a modern browser with JavaScript enabled. The email contains an “attached form,” an HTML attachment that borrows source code and elements from the real TurboTax website.”

Sponchioni suggested server owners keep their server’s software and CMS up-to-date and recommended end users stay alert.

“Phishing kits are becoming easier to find and use, potentially encouraging would-be scammers to steal information from users,” he blogged. “Users should remain cautious of phishing attempts and ensure that they safeguard their personal data.”

 

 

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.