Demand for Phishing Kits Is Strong: ReportPrices for Kits Soar; Ads Proliferate on Dark Net Markets
Ads for phishing kits doubled last year on underground forums and dark net market sites, with prices skyrocketing over 149 percent - an apparent indicator of strong demand, according to security firm Group-IB.
The increasing availability and sophistication of these kits is helping to drive growth in phishing campaigns, a newly released Group-IB report notes.
The average price for a phishing kit was about $300 in 2019, compared to $122 in 2018, according to the report, which notes that prices can range from as low as $20 to more than $880 for high-end kits.
The creators of these phishing kits often design landing pages and domains that resemble well-known brands, such as Amazon, Google, PayPal, Microsoft Office 365 and Instagram, to lure victims into thinking they have arrived at a legitimate site, the report notes
"Phishing kit creators are the driving force of this criminal marketplace - one individual might be behind the creation of hundreds of phishing pages and, even worse, behind the compromise of the personal information of thousands of people," Dmitry Volkov, head of threat hunting intelligence at Group-IB, notes in the report.
As phishing attacks become more common, threat actors and cybercriminals are using these kits to create much more sophisticated and targeted campaigns. In a January report, security firm Proofpoint found that nearly 90 percent of all the organizations that they surveyed were hit by at least one targeted phishing attack in 2019.
Phish for Sale
The phishing kits enable hackers with "modest programming skills" to carry out massive phishing campaigns that are difficult to detect and discover, the report notes.
The price for these phishing kits depends on the quality of the kit, the numbers of phishing pages it contains, as well as the availability of services - such as technical support - offered by kit operators, according to the Group-IB report. The kits typically include the phishing landing page, the malicious code needed to harvest credentials or other data and templates for the phishing emails.
More Sellers, More Buyers
The Group-IB report notes that the number of phishing kit operators and sellers increased by over 120 percent in 2019 compared to 2018. Exploit, OGUsers, and Crimenetwork are three of the most common online marketplaces for the buying and selling of these kits.
The Group-IB analysts found over 16,200 unique phishing kits in 2019. They also found an increasing number of unique email addresses for phishing kits, which could reflect the rising number of operators trafficking in these kits.
Complicating the matter for analysts is that many cybercriminals either discard or hide phishing kits once they have been used, which makes tracking them much more difficult, says Dmitry Shestakov, the head of Group-IB сybercrime research.
For instance, of the 2.7 million phishing pages examined by Group-IB in 2019, only 113,000 contained the actual phishing kit, the report notes.
" What we can say for sure is that attackers usually remove these phishing kits and are becoming more and more inventive in hiding them to prevent cybersecurity researchers from detecting these toolkits, which is why the extraction of phishing kits is growing more challenging each new year," Shestakov tells Information Security Media Group.
Phishing During the Pandemic
While the Group-IB report captures what was happening in underground forums in 2019, researchers have already detected an uptick in phishing attacks this year that are using the COVID-19 pandemic as a lure.
Earlier this month, security agencies in the U.S. and UK warned that cybercriminals are using COVID-19 themes to distribute malware through phishing emails and bogus apps that purport to offer information about the disease (see: UK and US Security Agencies Sound COVID-19 Threat Alert)
Group-IB found that there was a considerable increase in the number of posts devoted to phishing kits on underground forums in February, compared to January. COVID-19 became widely known as a global pandemic in February.
"The global pandemic has considerably facilitated the activities of cybercriminals, having rendered people less vigilant," Shestakov says. "People became less cautious, which gave attackers free rein and attracted more players to join the industry."