Phishing Kits: Challenges and Opportunities for Cybersecurity Defenders
3 min read
Quick take - Phishing kits, available on underground forums, pose significant challenges for cybersecurity professionals but also provide opportunities for defenders to gather intelligence and develop countermeasures against phishing attacks.
Fast Facts
- Phishing kits, available on underground forums, pose challenges for cybersecurity but also provide insights for defenders to combat phishing campaigns.
- Acquiring the source code of these kits allows defenders to implement countermeasures and exploit vulnerabilities like unprotected log files.
- Phishing kits can often be obtained directly from phishing sites due to errors by threat actors, with the best opportunity occurring during site setup.
- Monitoring Certificate Transparency logs can help identify new phishing domains, as many hosting providers issue HTTPS certificates automatically.
- Various tools and projects, such as Phish Report and Miteru, assist in locating, analyzing, and developing countermeasures against phishing kits.
Phishing Kits: A Double-Edged Sword for Cybersecurity
Phishing kits, commonly sold on underground forums, present significant challenges for cybersecurity professionals. However, these kits can also offer valuable insights for defenders aiming to combat phishing campaigns.
Acquiring Phishing Kits
With the source code of a phishing kit in hand, defenders can build countermeasures that do not depend on any single campaign, and can turn the kit's own weaknesses against its operator: victim-credential log files left readable on the web server, or admin panel passwords exposed in the code. Kits can often be obtained directly from the phishing sites themselves, usually because of errors or oversights by the threat actors behind them.
There are two primary ways to acquire a kit: being early or being lucky. The most reliable is to download the archive while the site is still being set up. That window is very short, often just a few minutes, because setting up a phishing site typically means uploading the kit archive, extracting it, completing any installation steps and, sometimes, forgetting to delete the archive afterward. Until that last step happens, the archive sits on the web server next to the extracted pages.
Monitoring and Detection
Finding active phishing domains is the hard part. Certificate Transparency logs record every publicly trusted HTTPS certificate as it is issued, so new domains show up there; because many hosting providers issue a certificate automatically when a site is created, a phisher's domain often appears in the logs before the site is fully operational. The logs list domain names, not page content, so entries still need filtering (brand keywords, lookalike spellings) and a fetch of the site before anything can be concluded.
Once a candidate site is known, monitoring comes down to watching for changes in its directory listings: a script that polls the site and diffs the listing catches the moment a kit archive is uploaded. If the phisher forgets to delete the ZIP after setting up the site, the same check recovers it later. Kits hosted in subdirectories can be found by walking up the URL path of the landing page and checking each parent directory for an open listing ("directory traversal" in the sense of path navigation, not the path-traversal vulnerability). Where listings are disabled, guessing the archive's filename may still work; common strategies are the phisher's handle, filenames seen in earlier campaigns, and case or suffix variations of those names.
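As an added example (not code from the article or from any of the tools it names), the following Python ties the steps above together on constructed data: it triages certstream-shaped CT records against a brand watchlist, walks up a landing page's path to the directories where a listing or leftover archive tends to sit, diffs two polls of an open directory listing for newly appeared archives, and generates filename guesses from a phisher handle or a previously seen kit name. The watchlist, the CT records, the listing HTML and the hostnames are all assumptions constructed for the example.

```python
# Added example, not code from the article or from the tools it names.
# All inputs below (watchlist, CT records, directory listings, hostnames) are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: a defender's own list of brand and lure tokens worth a closer look.
WATCH_KEYWORDS = ("paypal", "microsoft", "office365", "secure", "login", "verify")
# Archive types phishing kits are commonly packed as (more than just ZIP).
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar.gz", ".tgz")


def domains_from_ct_record(record):
    """CN plus every SAN from a certstream-shaped record, lower-cased with wildcard prefixes removed."""
    leaf = record.get("data", {}).get("leaf_cert", {})
    names = set(leaf.get("all_domains", []))
    cn = leaf.get("subject", {}).get("CN")
    if cn:
        names.add(cn)
    return sorted({n.lower().lstrip("*.") for n in names})


def score_domain(domain):
    """Watchlist keywords found inside any label of the domain (a crude lure filter, not a verdict)."""
    labels = domain.split(".")
    return [kw for kw in WATCH_KEYWORDS if any(kw in label for label in labels)]


def triage_ct_records(records, min_hits=1):
    """Map each domain whose labels hit the watchlist to its matched keywords."""
    flagged = {}
    for record in records:
        for domain in domains_from_ct_record(record):
            hits = score_domain(domain)
            if len(hits) >= min_hits:
                flagged[domain] = hits
    return flagged


def parent_directories(page_url):
    """Directories above a landing page, nearest first: where an open listing or leftover archive tends to sit."""
    parts = urlparse(page_url)
    segments = [s for s in parts.path.split("/") if s]
    if segments and "." in segments[-1]:  # drop a file name such as index.php
        segments = segments[:-1]
    root = f"{parts.scheme}://{parts.netloc}/"
    return [root + "".join(s + "/" for s in segments[:i]) for i in range(len(segments), -1, -1)]


class HrefCollector(HTMLParser):
    """Minimal anchor-href extractor for Apache/nginx style index pages."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(value for name, value in attrs if name == "href" and value)


def archives_in_listing(base_url, html):
    """Absolute URLs of archive files linked from an open directory listing."""
    collector = HrefCollector()
    collector.feed(html)
    return sorted({urljoin(base_url, h) for h in collector.hrefs if h.lower().endswith(ARCHIVE_EXTS)})


def new_archives(previous_html, current_html, base_url):
    """Archives present in the current poll of a listing but absent from the previous one."""
    seen = set(archives_in_listing(base_url, previous_html))
    return [u for u in archives_in_listing(base_url, current_html) if u not in seen]


def candidate_kit_urls(site_url, hints):
    """Filename guesses built from hints (phisher handle, previously seen kit names) and simple variants."""
    stems = set()
    for hint in hints:
        base = re.sub(r"\.(zip|rar|7z|tar\.gz|tgz)$", "", hint, flags=re.I)
        stems.update({base, base.lower(), base.upper(), base.lower() + "2", base.lower() + "_new"})
    return sorted(urljoin(site_url, stem + ext) for stem in stems for ext in ARCHIVE_EXTS)


# Constructed sample data: two CT records and two polls of the same directory listing.
SAMPLE_CT_RECORDS = [
    {"data": {"leaf_cert": {"subject": {"CN": "secure-paypal-verify.example"},
                            "all_domains": ["secure-paypal-verify.example", "www.secure-paypal-verify.example"]}}},
    {"data": {"leaf_cert": {"subject": {"CN": "*.bakery.example"}, "all_domains": ["*.bakery.example"]}}},
]
SITE = "http://secure-paypal-verify.example/"
LISTING_BEFORE = '<html><body><h1>Index of /</h1><a href="../">../</a><a href="index.php">index.php</a></body></html>'
LISTING_AFTER = ('<html><body><h1>Index of /</h1><a href="../">../</a><a href="index.php">index.php</a>'
                 '<a href="Office365-Kit.zip">Office365-Kit.zip</a><a href="readme.txt">readme.txt</a></body></html>')

if __name__ == "__main__":
    print(triage_ct_records(SAMPLE_CT_RECORDS))
    print(parent_directories(SITE + "sites/ppl/login/index.php"))
    print(new_archives(LISTING_BEFORE, LISTING_AFTER, SITE))
    print(candidate_kit_urls(SITE, ["Office365-Kit.zip"])[:4])
```

In use, the embedded HTML would be replaced by live fetches of each directory returned by parent_directories, polled on a short interval because the setup window is only minutes long. The keyword scorer is a triage filter and will flag legitimate brand subdomains too; it narrows the CT firehose to sites worth fetching, nothing more.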
Resources for Cybersecurity Professionals
Several existing projects and repositories collect phishing kits and are valuable starting points for cybersecurity professionals. GitHub and URL scanning services can also be used to locate kits. Phish Report automates the analysis of URLs and phishing-kit collections, reverse-engineers the kits, and produces detection rules and vulnerability assessments from them. StalkPhish and kitphishr scan known phishing sites and large lists of URLs for kits. Miteru extends this to kits in open directories and downloads archive formats beyond ZIP.
Phishing kits represent a growing threat in the cybersecurity landscape, but they also offer defenders unique opportunities to gather intelligence. By leveraging these insights, defenders can develop countermeasures against phishing attacks.