Quick, cheap and dangerous: how scammers are creating thousands of fake pages using phishing kits

In 2021, Kaspersky researchers blocked 1.2 million individual phishing pages based on 469 phishing kits — which are ready-made fake page templates, that allow cybercriminals to launch phishing attacks effortlessly. Since a phishing site can be blocked quickly, fraudsters are keen to generate these pages quickly and in large numbers. Using phishing kits, even an inexperienced phisher can create hundreds of phishing pages in a short time.

One of the most common phishing techniques is to create a fake page for a well-known brand with a large recognition, where users are prompted to leave their personal data. It takes a long time to create these sites manually, and not all phishers have the necessary web-development or site administration skills. The use of phishing kits, however, requires a minimum amount of effort from the phisher. Just a short instruction attached to the template being sold is enough for attackers without advanced technical skills to carry out a phishing attack.

An example of a phishing page mimicking Facebook

In addition to these templates, some phishing kits contain scripts for sending messages on popular messaging services or via email with phishing links contained. This spamming software automates the mass-mailing process and allows fraudsters to send out hundreds of thousands of phishing emails as bait for potential victims.

The developers of phishing kits don’t stop at just basic schemes and continue to come up with new, advanced add-ons, such as detection evasion tools. By adding obscured or garbage code to generated pages, developers make it harder to detect and block the site.

Junk HTML tags, which will not appear on screen but complicate detection

This code is often just a lot of incoherent text, so buyers of phishing kits, especially novice users, don't look closely at it. Some dishonest developers take advantage of this and add this extra code not only to the page but also to the code responsible for transmitting information. By doing this, they can steal the data that the buyer of their product managed to collect and use it for their own purposes.

Phishing kits are actively sold on the darknet or in closed Telegram channels. Prices vary depending on the complexity of a particular template, costing anywhere from $50 to $900 in these Telegram channels, which specialize in the sale of tools for phishers. The simplest kits can even be found for free in the public domain.

Phishing kits up for sale on a Telegram channel

Many developers offer entire packages on the darknet such as Phishing-as-a-Service, which includes phishing kits. These packages provide a full range of services from creating fake sites for any well-known brand to launching an entire data theft campaign that includes target research, phishing emails, as well as encrypting and sending the stolen data to a client.

Having possession of a phishing kit’s source code, it is possible to block all the fake pages that have been created using this template. For example, last year Kaspersky researchers detected 469 phishing kits, which allowed them to block 1.2 million individual phishing websites.

“Every year we block millions of phishing pages. Despite the lifespan of these pages being just a couple of hours, many of them manage to achieve their goal and steal user data. To extend the scope of these attacks, fraudsters need to create thousands of fake pages every day, and phishing kits have become an easy way to do that. Gone are the days when only the most skilled hackers could develop a phishing site and scam users into divulging their personal information. Now any amateur can create his own phishing page, so you have to be especially careful following any links from an email or messaging service,” comments Olga Svistunova, security researcher at Kaspersky.

Read the full report about the phishing-kit market on Securelist.

To protect yourself from phishing attacks, Kaspersky recommends:

• Checking the link before clicking. Hover over it to preview the URL and look for any misspellings or other irregularities.
• It’s good practice to only enter a username or password over a secure connection. Look for the HTTPS prefix before the site’s URL, indicating the connection to the site is secure.
• Sometimes emails and websites look genuine, depending on how well the criminals have done their work. Despite their similarity to original ones, these pages are a lot more dangerous.
• It’s better not to follow links from suspicious emails at all. Check the link from the letter with the domain of your bank.
• Avoid logging in to online banking or similar services via public Wi-Fi networks. Hotspots are convenient, but it’s better to use a secure network. Open networks can be created by criminals who, among other things, spoof website addresses over the connection and redirect you to a fake page.
• Install a trusted security solution and adhere to its recommendations. These secure solutions will solve most problems automatically and alert you if necessary.
• We recommend that companies keep track of new phishing kits targeting their clients or employees. You can receive information about phishing kits through services that provide data on cyberthreats, such as Kaspersky Threat Intelligence Portal. If you want to check if the page is legitimate, enter the link into the Threat Intelligence Portal search and get the statistics on it, including information about phishing kits.
• In order to avoid phishing schemes on the web, it‘s a good idea to install Safe Browser Extension. This extension can block phishing websites, known to contain malicious downloads or stop malware from downloading onto the user’s computer.