Akamai Security Intelligence & Threat Research

Phishing Factories and Economies

Every day Akamai sees thousands of new phishing pages. Over the last few months one kit, and the pattern it represents, has stood out to our researchers. In today's post, we're going to explore this kit, how it came to be, and what its existence means to the public.

Since December, Akamai has tracked the development and deployment of different phishing kits. Some of them are using an almost factory-like production cycle to target dozens of brands. These kits are developed, sold, and then updated as needed.

The templates used by scammers require a near-perfect representation of a given brand's website. When those brands change something, the kit also has to be updated quickly; otherwise, the level of success for a given phishing campaign drops off significantly. However, older, non-updated kits still have some use - they're packaged into phishing kit collections and individually updated by those who purchase them.

Supply and Demand:

The phishing economy is - in all the ways that count - no different than the larger (and legal) economy you're familiar with. On a basic level, a phishing factory, which is one part of the phishing economy, has two major roles:

Developers: They create the phishing kits and templates, as well as evasion techniques.

Sales: They promote the phishing kits and templates, as well as related services such as hosting, email scripts and services, and target lists. Sometimes the developer will take on this role themselves.

Below you can see an example of phishing collections that are sourced from two different vendors online. What's interesting here is the fact they're essentially selling the same phishing kit collection, but with minor changes. The list on the right of the image represents all the brands included in one bundle.

Outside of the phishing factory, you have consumers (who use the phishing kits) and scammers who target the developer's work. These scammers will copy existing phishing kits, including the back-end functionality and evasion methods, and package them as their own. They're labeled "rippers" by consumers on underground marketplaces and forums, and usually have a low reputation once exposed.


Reputation is a big deal in the phishing economy. Some developers have made a name for themselves, going so far as to establish a personal brand and signature development styles.

One notable example of a brand is 16Shop. 16Shop is a customizable phishing kit that primarily targets Apple users. This kit can be deployed in a number of languages, and is controlled by its developer through a registration and licensing system. If the phishing kit operator's registration key is deactivated or becomes invalid, it stops working. An example of 16Shop's admin panel, expiration page, and Apple phishing page can be seen in the image below.

Signature Development:

Signature development styles are easy to spot too, once you see them enough. One phishing kit (Chalbhai) has been observed by Akamai on more than 1700 domains since last December. We're counting domains here, because it's a more stable metric, given that a single domain can host dozens of unique URLs.

There were noted spikes in activity towards the end of 2018, and the first few weeks of 2019. This is usually a sign of redevelopment and kit updates. Many of the observed domains were compromised WordPress installations, but some of them were dedicated hosting.
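The domain-based counting and spike spotting described above can be sketched as follows. This is an added example, not Akamai's tooling or data: the sightings are constructed, the function names are hypothetical, and the domain key is simply the hostname without a leading `www.` (no public-suffix lookup).

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Constructed sample sightings (first-seen date, URL); not Akamai data.
SIGHTINGS = [
    ("2018-12-03", "http://blog.example.org/wp-content/plugins/x/login.php"),
    ("2018-12-04", "http://blog.example.org/wp-content/plugins/x/verify.php?id=1"),
    ("2018-12-05", "http://www.blog.example.org/wp-includes/secure/index.html"),
    ("2018-12-18", "https://shop.example.net/wp-admin/css/signin/"),
    ("2018-12-27", "http://a.example.com/update/login.php"),
    ("2018-12-28", "http://b.example.com/update/login.php"),
    ("2018-12-29", "http://c.example.com/account/index.php"),
    ("2018-12-30", "http://c.example.com/account/step2.php"),
    ("2019-01-09", "http://d.example.com/secure/"),
]

def domain_key(url):
    """Lower-cased hostname without port or leading 'www.' (assumption: no PSL lookup)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host

def summarize(sightings):
    """Return (unique URL count, unique domain count, new domains per ISO week)."""
    first_seen = {}
    urls = set()
    for day, url in sightings:
        urls.add(url)
        key = domain_key(url)
        seen = date.fromisoformat(day)
        # Many URLs on one host collapse to a single domain, dated by its earliest sighting.
        if key and (key not in first_seen or seen < first_seen[key]):
            first_seen[key] = seen
    weekly = defaultdict(int)
    for seen in first_seen.values():
        iso = seen.isocalendar()
        weekly[(iso[0], iso[1])] += 1
    return len(urls), len(first_seen), dict(weekly)

def spike_weeks(weekly, factor=2.0):
    """Weeks whose new-domain count is at least `factor` times the median week."""
    counts = sorted(weekly.values())
    median = counts[len(counts) // 2]
    return sorted(week for week, n in weekly.items() if n >= factor * median)

if __name__ == "__main__":
    url_count, domain_count, weekly = summarize(SIGHTINGS)
    print(url_count, "URLs on", domain_count, "domains; spike weeks:", spike_weeks(weekly))
```

On the constructed sample, nine URLs reduce to six domains, which is why the domain count moves less than the URL count when a single compromised site hosts many kit pages.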

The phishing kit in question is called Chalbhai for the unique template used to develop it.

Chalbhai phishing kits have been observed targeting several major brands, including Charles Schwab, Bank of America, Chase, Wells Fargo, LinkedIn, Comcast, Yahoo, Microsoft, and Adobe.

There are strong indicators the Chalbhai phishing kit was originally developed by a single person. The skeleton framework of Chalbhai remains exactly the same in many observed cases, but there are signs that rippers have gotten copies of Chalbhai and repurposed it to their own whims. For example, there are versions of Chalbhai written in pure PHP, others in basic HTML, and some that are a mix of both.

The more complex the phishing kit, the more the basic Chalbhai design was changed. Since it first started to appear in 2017, Chalbhai has progressed from basic usernames and passwords to "fullz" - a term used to describe a complete record of usernames, passwords, and personally identifiable information such as name, address, birthdate, Social Security Numbers, financial details, and more.

What isn't clear is if all of the observed phishing campaigns using Chalbhai were the work of a single individual, a team, or multiple people acting independently.

The phishing economy is growing, kits are becoming easier to develop and deploy, and the web is full of abandoned blogs, as well as vulnerable servers and services. Criminals capitalize on these weaknesses to establish a foothold that enables them to victimize thousands of people daily.

The growing industrial nature of phishing kit development and sales, where new kits are developed and released within hours, and the clear split between creators and users, means this threat isn't going anywhere any time soon. The threat posed by phishing factories isn't just focused on the victims who risk having valuable accounts compromised and their personal information sold to criminals. These factories are also a threat to brands and their stakeholders.

The lifespan of a typical phishing domain is measured in hours, not days. Yet, new techniques and developments by the phishing kit creators are expanding these lifespans little by little, and it's enough to keep the victims coming and the phishing economy moving.

There's no easy answer, no simple solution that will make things better. Phishing is a complex problem that affects corporations and the average person equally. The first place to start is awareness, followed by strong partnerships focused on increased detection and mitigation, which focus on shortening the lifespan of the domains used by the people responsible for phishing campaigns.