Calling it a case of hacking the hacker: Of 1,019 observed phishing kits, about 25% were found to secretly transmit phished information to a third party who is likely the kit's original developer.
Calling it a case of hacking the hacker: Of 1,019 observed phishing kits, about 25% were found to secretly transmit phished information to a third party who is likely the kit's original developer.

An analysis of roughly 1,000 do-it-yourself phishing kits found that roughly a quarter of them double-cross the cybercriminals who implement them by secretly transmitting phished information to a third party who is most likely the kit's original developer.

This revelation signifies a shift in the business model employed by developers of kits that facilitate the quick deployment of phishing websites, according to Luda Lazar, security research engineer at Imperva, the cybersecurity firm that conducted the study. Instead of selling the phishing kits for a price as a crimeware service, developers are now offering the kits for free to patrons of underground websites. Yet they still profit by surreptitiously employing exfiltration mechanisms that leverage the data phished by users of their product.

This allows more experienced cybercriminals who develop the phishing kits to “decrease their effort and risk, and increase their ROI, by harvesting the work of inexperienced criminals who deploy their kits,” explains Lazar in a Jan. 4 Imperva blog post.

This strategy has become viable in part because the shelf lives of some phishing pages and servers are growing longer, due to the advent of techniques to used evade security measures. For instance, 17 percent of the 1,019 phishing kits observed by Imperva included a mechanism for blocking unwanted website visitors such as cyber researchers – making it appear like the website has already been taken down.

And 13 percent featured blacklist evasion techniques that can “redirect each new victim to a newly generated random location,” Lazar reports. “This approach allows phishers to hide the real link to the phishing kit from being blacklisted, and thus extend the lifespan of phishing pages and servers.”

The phishing kits were uncovered and obtained for analysis using URLs listed via two sources: TechHelpList.com and OpenPhish. In a disclaimer of sorts, Imperva notes that the samples they collected may be skewed toward phishing kits typically used by amateur attackers, some of whom never remove their purchased kits from compromised servers, thus leaving them vulnerable to directory traversal attacks and allowing researchers to download and analyze them.

A clustering analysis also suggested that around half of the studied kits were created by a small community of experienced actors,  with one third appearing to come from one of just three large families of kits. Further corroborating this theory: 51 percent of 271 author signatures extracted from the phishing kits were determined to be non-unique, meaning they were observed more than once. And 76 percent of kits were found to have non-unique subjects.

Other discoveries included:

  • The majority of the kits were found to “contain all the resources required to copy the targeted web site, including images, HTML pages and CSS files,” the blog post states. “This reduces the number of requests the kit issues to the target site, and hence the chances of being detected if the original site analyzes incoming requests.”
  • While 76 percent of kit buyers purchased only one phishing kit, 16 percent bought two kits, while the remaining eight percent purchased three or more, in a bid to maximize profit.
  • Approximately 15 percent of the phishing kits targeted Google Docs.