As I mentioned in my previous blog post, phishing attacks are now being created and executed on an industrial scale. Malicious actors are increasingly using highly sophisticated off-the-shelf phishing kits that allow them to deliver very targeted, short-lived attacks. These campaigns direct victims to a phishing web page that's an exact copy of a consumer or enterprise brand's site. This has lowered the barrier to entry for launching phishing attacks.
When I first started to understand phishing kits, one of the biggest surprises for me was just how advanced the kits have become and how mature the ecosystem is for the development, distribution, and support of these kits.
In a nutshell, a phishing kit is an all-in-one software package that makes it easy for anyone to launch a phishing attack, even if they are not software experts. In the past, an attacker had to clone the target site. Now, the kits have evolved to include an exact copy of the target's website, so launching an attack is even easier.
These kits are continuously enhanced by the software authors -- and just like any other service, new features are added all the time. They range in price; some kits are free while others can cost up to $300. So, quite affordable.
The attack flow is straightforward. After buying the kit, an attacker simply must rent a compromised web server or use a hosting provider, upload and configure the kit, and then send phishing emails -- or drive victims to the malicious page using other methods, such as social media or messaging apps. As soon as victims enter their credentials, the pilfered information is available to the attacker to sell or to use in further attacks.
Akamai's enterprise threat research team has spent significant time tracking and analyzing phishing toolkits over the past few months.
One of the most sophisticated kits the research team has analyzed is the 16Shop phishing kit. It focuses primarily on delivering attacks that leverage the Apple brand, but has also been used to launch attacks against customers of over 100 leading banks.
The kit has layered defenses as well as attack mechanisms, all constructed neatly within hundreds of files. It's a true multi-level kit, that executes different stages for different brands, all based on the information the victim provides.
It also has the ability to automatically change the phishing page layout and presentation depending on the victim's device. Mobile users will see a website tailored to their device, while desktop users see something better suited to their situation.
Another customization in 16Shop is language. Currently, the kit supports 10 languages: English, Japanese, Chinese, French, Spanish, Malay, Latin, German, Thai, and Dutch.
The kit has a sophisticated licensing system that is API driven and validates that the kit is licensed. 16Shop also has code protections that prevent it from being ripped (copied by other criminals). If copies are made, the entire kit will cease to function as the license validation fails.
In addition to a licensing system, 16Shop has a number of built-in evasion techniques which help it avoid detection by automated scans (bots) and direct access. The kit also uses a whitelist mechanism and a blacklist mechanism, allowing the person who purchased the kit to limit access to specific IP ranges if they so choose.
And, in a great example of "there's no honor amongst thieves," Akamai security researchers found a backdoor in the kit, where data is siphoned off to a Telegram bot via an API. This means that a victim's personal data is stolen twice -- once by the attacker and again by the software author.
In the next blog post, I'm going to discuss how attackers are bypassing the protections that enterprises rely on to detect and block phishing attacks.
In the meantime, check out the Akamai white paper, "Phishing Is No Longer Just Email: It's Social".