Researchers discover next generation phishing kit

Researchers at Check Point and CyberInt, have discovered a new generation of phishing kit that is readily available on the Dark Web.


The new kit, compiled and offered by a criminal whose nom-de-hack is "[A]pache," enables users to craft convincing emails and redirect sites that closely mimic branding elements of well-known firms, including Walmart, Americanas, Ponto Frio, Casas Bahia, Submarino, Shoptime and Extra. The kit seems to cater to Portugese-speaking criminal clients.

By simply downloading this multi-function phishing kit and following the straightforward installation instructions, a threat actor is able to launch a phishing campaign, that collects the personal and financial information of unsuspecting consumers, very quickly.

Unlike previous kits which are primarily composed of just one or two pages to collect personal or financial data, this new and advanced phishing kit enables hackers to create a convincing fake site. This includes options to create spoof websites of many well-known brands including Walmart, Americanas, Ponto Frio, Casas Bahia, Submarino, Shoptime and Extra.

In order to convincingly persuade their victims that they are shopping at the genuine site they think they are at, online scammers then need a domain that is similar to the targeted brand, for example, To simplify this process, [A]pache has developed a simple user interface within the admin panel where the threat actor can paste the product URL of the legitimate retailer and the kit will automatically import the product information into the phishing page. They can then view their ‘products’ and change their original prices. Once registered, they are ready to deploy the kit to a PHP and MySQL supported web host. They can then log in to the kit’s admin panel and begin configuring their campaign.

Like any shop, the fake phishing site encourages its users to also be competitive, so the kit suggests that the product prices are attractive. This helps to motivate potential ‘customers’ to click on the items and proceed to checkout. Reducing prices too low though would raise suspicions with captivated ‘customers’. In addition, one trick is to list highly valued and desired items first, like smartphones, to entice potential victims.

When customers click through from the threat actor’s email, social media link or any other way in which they could be sending traffic, the site will look exactly like the target site and customers can proceed to checkout with no suspicions raised. At this point ‘customers’ enter their payment and delivery details, including the CVV, which are then sent straight to the threat actor’s database, enabling the cyber criminal to see the victim’s personal and financial information. After the victim has entered their payment details, they are presented with a notification that the payment process has failed. This helps convince them to not be concerned when the purchased ‘product’ does not arrive.

At $100-$300, the cost is higher than more standard phishing kits. Standard kits usually retail at $20-$50, with some even free, as they only provide login pages and prompts for personal and financial information. With the [A]pache phishing kit however, threat actors are provided with a full suite of tools to pull carry out their attack. These include a whole backend interface with which they can create convincing fake retail product pages and manage their entire campaign.

With some reports claiming that 91% of cyberattacks and data breaches begin with a phishing email, phishing remains a constant threat for stealing financial information, intellectual property, and even interfering with elections. For this reason, consumers and businesses alike must ensure they have the latest protections for safe guarding against such threats.

I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.

Get A Quote

Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Let's stay safe out there.

Warm regards,

Stu Sjouwerman,

Founder and CEO, KnowBe4, Inc


Cross-posted with grateful acknowledgements to HelpNetSecurity

Topics: Phishing

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews