Cybercrime at scale: Dissecting a dark web phishing kit
Introduction to dark web phishing kits
The internet is like an iceberg: there is a lot more to it than can be seen from the surface. In addition to the surface web (what can be accessed and indexed by search engines), there is the deep web (gated content on internet-connected computers) and the darknet or dark web.
The dark web is often seen as a haven for cybercriminals, but it’s not all bad. The dark web is only accessible via Tor, which was designed by DARPA to protect the privacy of its users. In addition to the criminals, users of the dark web include political activists, journalists and other people who could be persecuted or killed if their identity became known.
Phishing simulations & training
However, this isn’t to say that there isn’t a lot of illegal stuff on the dark web. In an Infosec webinar, Cameron Bulanda and Kevin Angeley talked about how easy it is to acquire and use a phishing kit on the dark web.
Purchasing a dark web phishing kit
Dark web marketplaces aren’t somewhere that you can access by firing up Google on your home computer. In order to shop for a phishing kit on the dark web, a few things are necessary:
- Virtual machine (VM): See above about the dark web being a common haunt of cybercriminals. It’s not somewhere that you want to visit on your actual computer. A VM can be easily discarded after the fact, eliminating the need to clean it of malware.
- Tor: Tor is the only way to access sites on the dark web. It needs to be installed and properly configured to access any dark web website or marketplace.
- Cryptocurrency: Cybercriminals often use cryptocurrency for transactions, since it provides a degree of anonymity (more than a traditional bank account). Bitcoin is commonly accepted, and the average dark web phishing kit for a major website runs $5 to $15; however, more specialized ones can cost upward of $100.
- Destination: The dark web isn’t reachable by search engines, meaning that you need to know where you are going. Cameron and Kevin chose the Apollon marketplace; they found the address on Reddit.
After making the necessary preparations, Cameron and Kevin visited the Apollon marketplace to look for phishing kits. This marketplace is very sophisticated and similar to eBay or Amazon. It’s possible to search for a number of illegal goods and view seller profiles, including ratings from their previous customers.
The phishing kits that were acquired for this demonstration were hosted on MegaUpload as a ZIP file. Once payment has been made, the buyer is provided with a link from which they can download the kit.
What you get in a phishing kit
A dark web phishing kit is designed to be an all-in-one package for setting up a legitimate-looking phishing webpage. It includes all of the HTML, CSS and script code necessary to create a page that mimics a particular site.
Included in this script code is PHP (or JavaScript) code designed to collect the victim’s personal information. These phishing kits are capable of capturing usernames, passwords, IP addresses, payment card data, security questions, Social Security numbers (SSNs) and anything else that makes sense for a given site.
Some of the more sophisticated phishing kits incorporate additional functionality beyond a landing page. One example is a blocker that uses keyword searching on HTTP requests to identify visitors that could potentially identify the site as phishing and alert law enforcement (like Google or Microsoft 365). If an HTTP request is detected from such a source, the phishing kit returns a 404 message (Page Not Found) rather than the real page. This slows the detection of the phishing kit, making it more valuable to the user.
Deploying a phishing kit
These phishing kits are designed to be extremely user-friendly. All that the buyer needs to provide is a hosting platform.
Ideally, this platform will provide direct access to the file system that will contain the website. If this is the case, the user can simply upload the files extracted from the ZIP file downloaded from MegaUpload. Once the files have successfully uploaded, the user can bring the site live and the phishing page is immediately usable.
Key takeaways from the phishing demonstration
The growth of cybercrime as a service — including providing phishing kits for sale on the dark web — has dramatically lowered the bar for entering the world of cybercrime. Anyone with the technical knowledge to use Tor and a web hosting service is capable of running their own phishing site, and step-by-step instructions for these required steps are readily available on the internet.
With high-quality phishing sites becoming so easy to acquire and deploy, the number of realistic phishing sites on the internet will only continue to grow. With more attackers comes more targets as well, meaning that any organization and any individual can be a target of phishing.
This is why cybersecurity awareness education is so vital for all of an organization’s workforce. Every member of an organization’s workforce should be frequently trained and assessed on how to identify phishing emails, the pretexts currently in use (such as COVID-19 and other world events) and what to do if they receive a suspected phishing email.
The most important thing to do when a phishing email is received it to report it to the:
- IT/security team: A quick report enables a rapid response, including deleting the email from other potential targets’ accounts and performing incident response for anyone who fell for the phish.
- Impersonated site: Phishing emails are typically designed to impersonate a particular brand. Notifying the brand of the ongoing attack can enable them to take any necessary action (sending out a warning, notifying law enforcement, resetting passwords and so on).
- Web hosting service: Most web hosting services do not want to be hosting illegal content. Contacting the phisher’s web host may enable them to take it down before any more damage is done.
Phishing has become easy and phishing kits are easily accessible to anyone motivated to look. Minimizing your organization’s cyber risk requires training users to make these sites as unsuccessful as possible.
You can see the whole phishing kit breakdown at the Infosec website.
See Infosec IQ in action
Sources
Tor Project, torproject.org
Bitcoin, bitcoin.org
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Cybercrime at scale: Dissecting a dark web phishing kit
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
