How phishing kits empower a new legion of phishers


Some cybercriminals are motivated by political ideals, others by malice or mischief, but most are only interested in hard cash. To ensure that their criminal efforts pay off, they must balance the potential payoff against the time, resources, and risk required.

So it’s no wonder that so many people use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase out-of-the-box phishing kits that bundle everything they need for a lucrative campaign.

After analyzing three months of phishing email traffic, we found that most attacks follow the money either to the big tech companies or to the big financial companies. Facebook, Apple, and Amazon were the most popular tech brands spoofed in phishing URLs. Financially, Charles Schwab was by far the most popular target and the most used brand URL overall, accounting for 13.5% of all cases. Chase Bank – a US subsidiary of JP Morgan Chase & Co – RBC Royal Bank and Wells Fargo have also been widely used in phishing URLs.

Our investigation found that Chase has received an increasing level of attention from cybercriminals over the past year, so we took a deeper look at the tactics used to target the bank’s customers.

The switch to mobile

One of the most prominent trends in our survey has been the increasing focus on mobile devices in the context of phishing attacks. SMS, WhatsApp and other mobile messaging services are increasingly used to launch attacks.

Attackers adopt these methods in response to stronger email security solutions. The average mobile device is less likely to be well protected against phishing than a desktop endpoint. Even if the mobile device has a professional messaging app, channels like SMS and WhatsApp will bypass any anti-phishing protection it might have.

Threat actors can also mix email and mobile messaging in a single attack, for example by sending a phishing email that includes a QR code that must be scanned by a smartphone, thus getting the attack to focus. of mobile termination. We have seen a slight increase in QR-based attacks as the relatively neglected technology has become more popular over the past decade. pandemic. These attacks are again effective at evading traditional email security tools, as the QR code itself is not a malicious asset and its link destination cannot be read by detection technologies optimized for URLs. text and virus signatures.

Mobile-based phishing attacks are also more difficult to identify due to the smaller screen and simpler layout of mobile devices, which exacerbates the lack of mobile security solutions.

How phishing kits mean anyone can phish like a pro

Not only are phishing approaches constantly evolving to counter email security solutions, even non-technical criminals can also easily take advantage of new techniques with phishing kits. Mirroring the out-of-the-box software offerings used by legitimate businesses, these kits provide a collection of tools that allow potential criminals to quickly create and launch their own phishing campaigns.

Widely available on the dark web, these kits typically include email templates, graphics, and scripts, as well as a simple interface to handle the attack. Criminals can also easily buy databases of potential target email addresses, possibly from previous data breaches.

Our analysis found that these kits are often very sophisticated, configured to run campaigns that will harvest credit card details, social security numbers, and other personal information, as well as the standard target login credentials. The criminal community has also evolved its techniques to counter multi-factor authentication, with some kits offering the possibility of capturing single-use authentication codes.

One of the most important kits we reviewed was the Chase XBATLI, which has been available for some time but has increased in use to target Chase and Amazon customers. The kit allows criminals to create their own bank-mimicking phishing page, after which they contact customers and ask them to update their contact details.

Victims are prompted to enter their login credentials, then confirm their personal and financial information. This ensures that the perpetrators can not only access the victim’s account, but also provide them with other information that can be used for fraudulent purposes or sold on the dark web. As a final touch, the XBALTI kit redirects the target to Chase’s actual landing page at the end, boosting the veneer of legitimacy.

XBALTI and other phishing kits we’ve analyzed in recent months have also used evasion tactics, such as using dynamic domain services like Duck DNS to frequently change the URL destination. This allows them to continuously use the URL even if the web server is down or blacklisted.

How can businesses defend themselves against phishing attacks?

Most attacks still rely on the same handful of tactics because they still work.

First of all, always assume that if something looks fishy, ​​it’s probably phishing. Phishing emails have largely evolved from the scrambled and flawed messages of the past, but there will always be elements that betray them. Inconsistencies around language and design should be red flags, and users should always verify that the sender display name matches the email address. URLs should also be verified before they are opened, and company contact details can be quickly confirmed through official websites and mobile apps, or simply through search engines.

Businesses should also support their employees and customers by providing them with an accessible channel to report phishing. Customers should be able to easily report suspicions to the brand, and employees should have a direct line to their IT security team, ideally through a specialized anti-phishing and remediation solution.

As criminals continue to pursue phishing as the most accessible and lucrative route to cybercrime, individuals and businesses need to keep up with the latest trends and keep their eyes peeled for the same old tricks.


About Author

Comments are closed.