Cybercrime at scale: Dissecting a dark web phishing kit
Introduction to dark web phishing kits
The internet is like an iceberg: there is a lot more to it than can be seen from the surface. In addition to the surface web (what can be accessed and indexed by search engines), there is the deep web (gated content on internet-connected computers) and the darknet or dark web.
The dark web is often seen as a haven for cybercriminals, but it’s not all bad. The dark web is only accessible via Tor, which was designed by DARPA to protect the privacy of its users. In addition to the criminals, users of the dark web include political activists, journalists and other people who could be persecuted or killed if their identity became known.
However, this isn’t to say that there isn’t a lot of illegal stuff on the dark web. In an Infosec webinar, Cameron Bulanda and Kevin Angeley talked about how easy it is to acquire and use a phishing kit on the dark web.
Purchasing a dark web phishing kit
Dark web marketplaces aren’t somewhere that you can access by firing up Google on your home computer. In order to shop for a phishing kit on the dark web, a few things are necessary:
- Virtual machine (VM): See above about the dark web being a common haunt of cybercriminals. It’s not somewhere that you want to visit on your actual computer. A VM can be easily discarded after the fact, eliminating the need to clean it of malware.
- Tor: Tor is the only way to access sites on the dark web. It needs to be installed and properly configured to access any dark web website or marketplace.
- Cryptocurrency: Cybercriminals often use cryptocurrency for transactions, since it provides a degree of anonymity (more than a traditional bank account). Bitcoin is commonly accepted, and the average dark web phishing kit for a major website runs $5 to $15; however, more specialized ones can cost upward of $100.
- Destination: The dark web isn’t reachable by search engines, meaning that you need to know where you are going. Cameron and Kevin chose the Apollon marketplace; they found the address on Reddit.
After making the necessary preparations, Cameron and Kevin visited the Apollon marketplace to look for phishing kits. This marketplace is very sophisticated and similar to eBay or Amazon. It’s possible to search for a number of illegal goods and view seller profiles, including ratings from their previous customers.
The phishing kits that were acquired for this demonstration were hosted on MegaUpload as a ZIP file. Once payment has been made, the buyer is provided with a link from which they can download the kit.
What you get in a phishing kit
A dark web phishing kit is designed to be an all-in-one package for setting up a legitimate-looking phishing webpage. It includes all of the HTML, CSS and script code necessary to create a page that mimics a particular site.
Some of the more sophisticated phishing kits incorporate additional functionality beyond a landing page. One example is a blocker that uses keyword matching on incoming HTTP requests to identify visitors (such as Google or Microsoft 365 crawlers) that could identify the site as phishing and alert law enforcement. If an HTTP request is detected from such a source, the phishing kit returns a 404 (Page Not Found) response rather than the real page. This slows detection of the phishing site, making the kit more valuable to the user.
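As an added, defender-side example (not code from the article or the webinar): a check that requests a suspected URL with several User-Agent strings and flags the cloaking behaviour just described, where a crawler gets a 404 but a browser gets the page. The URL, the agent strings and the simulated kit are constructed for illustration.

```python
# Added example, not from the article: detect a kit that hides from security
# crawlers by comparing what different User-Agents are served for the same URL.
from typing import Callable, Dict, List, Tuple

# Constructed sample User-Agents: one ordinary browser plus strings that imitate
# the kinds of scanners a keyword blocker tends to look for. Illustrative only,
# not the exact strings any real kit or crawler uses.
PROBE_AGENTS: Dict[str, str] = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
}

# fetch(url, user_agent) -> (status_code, body). Injected so the check runs
# offline against a simulated kit; in production swap in a real HTTP client.
Fetcher = Callable[[str, str], Tuple[int, str]]

def detect_cloaking(url: str, fetch: Fetcher,
                    agents: Dict[str, str] = PROBE_AGENTS) -> dict:
    """Report which probe agents were served a different status or body than
    the ordinary browser. A live page for browsers that turns into a 404 for
    crawlers is the cloaking indicator; the same answer for everyone is not."""
    baseline_status, baseline_body = fetch(url, agents["browser"])
    hidden_from: List[str] = []
    for name, ua in agents.items():
        if name == "browser":
            continue
        status, body = fetch(url, ua)
        if status != baseline_status or body != baseline_body:
            hidden_from.append(name)
    return {
        "url": url,
        "browser_status": baseline_status,
        "hidden_from": hidden_from,
        "cloaking_suspected": bool(hidden_from) and baseline_status == 200,
    }

# Constructed test double that behaves like the blocker described above:
# keyword-match the User-Agent and answer 404 to anything crawler-like.
BLOCKED_KEYWORDS = ("googlebot", "bingbot", "crawler", "spider")

def simulated_kit(url: str, user_agent: str) -> Tuple[int, str]:
    if any(k in user_agent.lower() for k in BLOCKED_KEYWORDS):
        return 404, "Page Not Found"
    return 200, "<html>fake login page</html>"

def simulated_honest_site(url: str, user_agent: str) -> Tuple[int, str]:
    return 200, "<html>real login page</html>"
```

In practice the probe set should also vary source IP ranges, since kits often block by address as well as by User-Agent, and a divergence is a lead for manual review rather than proof on its own.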
Deploying a phishing kit
These phishing kits are designed to be extremely user-friendly. All that the buyer needs to provide is a hosting platform.
Ideally, this platform will provide direct access to the file system that will contain the website. If this is the case, the user can simply upload the files extracted from the ZIP file downloaded from MegaUpload. Once the files have successfully uploaded, the user can bring the site live and the phishing page is immediately usable.
Key takeaways from the phishing demonstration
The growth of cybercrime as a service — including providing phishing kits for sale on the dark web — has dramatically lowered the bar for entering the world of cybercrime. Anyone with the technical knowledge to use Tor and a web hosting service is capable of running their own phishing site, and step-by-step instructions for these required steps are readily available on the internet.
With high-quality phishing sites becoming so easy to acquire and deploy, the number of realistic phishing sites on the internet will only continue to grow. With more attackers comes more targets as well, meaning that any organization and any individual can be a target of phishing.
This is why cybersecurity awareness education is so vital for all of an organization’s workforce. Every member of an organization’s workforce should be frequently trained and assessed on how to identify phishing emails, the pretexts currently in use (such as COVID-19 and other world events) and what to do if they receive a suspected phishing email.
The most important thing to do when a phishing email is received is to report it to the:
- IT/security team: A quick report enables a rapid response, including deleting the email from other potential targets’ accounts and performing incident response for anyone who fell for the phish.
- Impersonated site: Phishing emails are typically designed to impersonate a particular brand. Notifying the brand of the ongoing attack can enable them to take any necessary action (sending out a warning, notifying law enforcement, resetting passwords and so on).
- Web hosting service: Most web hosting services do not want to be hosting illegal content. Contacting the phisher’s web host may enable them to take it down before any more damage is done.
Phishing has become easy and phishing kits are easily accessible to anyone motivated to look. Minimizing your organization’s cyber risk requires training users to make these sites as unsuccessful as possible.
You can see the whole phishing kit breakdown at the Infosec website.
Tor Project, torproject.org