Phishing kits continue to grow more user-friendly and sophisticated, according to a new report from ZeroFOX. The report explains that these kits have become a fixed feature in the cybercriminal economy, with developers striving to make their products both effective and easy to use in order to appeal to a wider array of customers.
“Although this process is relatively simple in and of itself, a new category of tools on the fraud scene makes this process so easy that even the least capable of scammers is able to pull off a phishing campaign,” the researchers write. “These tools, called phishing kits, provide a turnkey scam that a low ability technical user can use to build out a phishing campaign on their own. Phishing kits generally include the code of the phishing website, infrastructure, and even distribution tools like mass mailers for a single fee. This allows phishing kit operators to run scams without having to worry about managing infrastructure or needing to design their own scams.”
ZeroFOX observes that phishing kit developers seem to be taking notes from legitimate SaaS vendors when they design their products. The higher-end phishing kit developers even offer visually appealing dashboards through which operators can manage and track the success of their campaigns, and they include built-in tutorial videos and training manuals. The kits are still relatively cheap, however, and most sell for under $100.
The researchers conclude that organizations need to take these observations into account when they design their defenses. Cybercriminals are constantly evolving their tactics, and they know how to get their phishing emails into users’ inboxes.
“A strong defense against phishing kits first requires an understanding of the tools and mechanisms attackers use to target organizations,” the researchers write. “Thinking like an attacker will enable your enterprise to be agile in identifying and tackling evolving threats like phishing kits. Defending against phishing attacks for your organization or your customers should be an approach that defends against an ecosystem rather than just a link in an email. Analyzing the kits, the developers behind the kits as well as the TTPs of the operators can provide a cybersecurity team a holistic view of who and what they are combating.”
New-school security awareness training can provide your employees with an essential layer of defense against phishing attacks by teaching them what they’re up against.
ZeroFOX has the story.