Deep water: exploring phishing kits

Ivan Lebedev
CERT-GIB analyst
About 10 years ago, Group-IB started developing a unique system to collect phishing kits. Phishing kits, a tool used by scammers, already had quite a rich history at the time. Over this period, Group-IB's Computer Emergency Response Team (CERT-GIB) built a solid phishing kit database, which was updated regularly. The database helps Group-IB fight phishing that targets specific brands.

Phishing kits are archive files with a set of scripts that ensure a phishing website works. Simply put, it is a toolset used to build phishing websites in large numbers. Such kits allow scammers with basic programming skills to deploy hundreds of phishing pages, often using them as substitute for each other.

In 2020, Group-IB discovered phishing kits that targeted over 260 unique brands. The most popular brand exploited in phishing kits was Microsoft and its products and services such as Microsoft Live, Microsoft Office 365, Microsoft OneDrive, and Microsoft Outlook. Other popular brands targeted by phishing kits include PayPal, Google, and Yahoo.

Cybercriminals mainly target online services (30.7%). By stealing user account credentials, hackers gain access to the data contained in linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%. Financial institutions turned out to be the third favorite among scammers, with their share totaling above 20%.
Most kits continue to use email to exfiltrate stolen data. As it stands, only 6% of phishing kits do not use any email addresses, while 64% of them use two or more email addresses.
Cybercriminals most often use free email services to exfiltrate stolen data. For example, the top 10 most common email domains found in phishing kits include public email services only. They account for 61% of the total number of emails used in phishing kits.

As a rule, scammers use disposable temporary emails in phishing kits. Only 23% of emails found in Group-IB's phishing kit database were used more than once.
Alternative methods of exfiltrating stolen data
CERT-GIB analysts divide alternative ways for cybercriminals to obtain data into two main categories: local (when the data is stored in a file located on the phishing resource itself) and remote (when it is sent to a different host).
    Local techniques:

    • Text files: They usually have a .txt extension, but others exist as well, for example .jpg. In any case, the data is usually written in text format. The stolen data files are stored on the same hosting as the phishing site and can be downloaded externally.
    • MySQL databases: This technique is difficult to implement and therefore rarely used. It is not easy to extract data from the source. The problem is that creating the database requires additional effort, which is not usually automated by the developer of the phishing kit. A typical phishing kit contains only a brief guide to setting up a database, which requires basic knowledge of how to operate one.
    Remote techniques:

    ● Sending a GET/POST request to a remote server: The server can be legitimate or owned by the attackers. Some cybercriminals use Google Forms to transfer stolen data, for example.

    ● Sending data via Telegram API: This is an increasingly popular technique that makes it possible to send compromised data to a private Telegram channel using a special script. To do so, scammers require only an API key and a channel ID. There is a special Telegram platform for creating and performing phishing attacks. A recent study by Group-IB about the Classiscam scheme describes the platform in detail.

    A script used to transfer data to a private Telegram channel:
      Extra features
      Sometimes the functionality of phishing kits goes beyond creating phishing pages. They may be used to upload a malicious file to the victim's device. One of the phishing kits examined by CERT-GIB allowed the scammers to create a temporary file using the VBScript language and then add the malicious code of the Ramnit worm to it in binary form, byte by byte. The code was then run using the Windows Script Host.

      An example of a script for uploading malware to the host of a user who visited the phishing page:
      There is also another well-known phishing kit peculiarity. Usually, phishing kits are created to be sold on the darknet to scammers with poor developer skills, which is why about 10% of phishing kits contain backdoors that the original developers use to extract stolen data or even assume control over the hosting resource.

      To extract stolen data, the developer needs to discreetly indicate an additional email address that will receive the data. In the example below, the buyer of a phishing kit is asked to specify an "email" using the "yourmail" variable:
      In this case, the sending function uses not only the variable "yourmail", but also the array "send", which contains not only the "legal" email address but also a "token" decoded from the hexadecimal code.

      An example of sending hidden data to the developer of the phishing kit is shown below:
      The "token" variable is initialized with a POST request from other scripts that control the receipt of stolen data.

      Initializing the "token" variable with a hexadecimal string:

      Decoded data from the "token" variable
      After decoding, the string looks like this:
      The first sending function is followed by a second one, which sends information only to the hidden addresses specified in the "mail" variable.

      Encoded and decoded hidden email of the phishing kit developer
      Developers of phishing kits may use more sophisticated ways of hiding additional emails. In the example below, the email is hidden in the IP variable. At first glance, it may seem that it is not specified anywhere at all, and it cannot be found using a regular file search.

      A smarter way to hide the email of the phishing kit developer:
      However, it should be noted that the sec.gif script shown below was connected.

      Obfuscated sec.gif script:
      The objective of this script is to set the value of the IP variable to noreply@miс***ite[.]com.

      Developers do not limit themselves to hiding additional emails. There are scripts that open web shells on hosting resources unknown to the buyer of the kit. A web shell is a malicious script (program) that allows scammers to control websites and servers by executing terminal commands, brute-forcing passwords, accessing the file system, and more. Most often, scammers exploit vulnerabilities in the website code or use brute-force to deliver the script.

      In the example below, the web shell is part of the robots.php script.

      A web shell embedded in a phishing kit:
      The web shell interface is quite straightforward. It allows uploading any file to the hosting resource.

      Web shell interface:
      Access to the web shell requires a password, which after SHA1 and MD5 hashing will look like this: aafedc957d39b975c5d15413825b033f.

      Another case study by CERT-GIB shows a more complicated technique. The web shell was not located in the phishing kit but required downloading from a Pastebin, the link to which was assembled part by part.

      Hidden web shell download:
      It should be mentioned that the antibot.php script is a simple way to bypass automatic detection of phishing resources, which restricts access to phishing pages from specific IP addresses or using specific user agents/hostnames. In this specific example, the link is specified in the array of known bots/crawlers, for which access to the phishing resource will be limited.

      Array with a disassembled link:
      The downloadable script consists of two parts. The first one is a public web shell that works similarly to the previous one and simply uploads files to the hosting resource.

      Public web shell:
      The second one, obfuscated using a simple algorithm and hidden after the lure text, is an additional web shell. The developer of the phishing kit is notified when the web shell is installed.

      Hidden web shell:
      Some developers leave additional traces in phishing kits, which can make it easier to attribute them in the future: