The Market for Phishing Kits

Inexperienced cybercriminals can easily find places to buy phishing kits in the open, on the “surface web” (as opposed to the deep or dark web), according to Jan Kopriva at the SANS Internet Storm Center. Kopriva set out to see how many of these kits he could find for sale on popular websites, and was able to find more than a hundred on YouTube alone after a single search. These YouTube videos offered demonstrations of the phishing kits’ functionality and pointed users to where they could purchase the kits.

“Of the 104 kits, 18 were offered free of charge (and at least one of these was backdoored - this wasn't mentioned in the video description so it was probably intended as a surprise bonus feature),” Kopriva writes. “For 76 of them, price was available by e-mail/ICQ/Telegram/Facebook only and the 10 remaining ones ranged in price from $10 to $100. The 86 ‘commercial’ phishing kits were offered by 21 sellers, with the most prolific one of them being responsible for 22 different scam pages.”

The kits spoofed a wide range of services, with Office 365, PayPal, Amazon, and Netflix appearing most frequently. Each of the offerings contained various functionalities, and some included tutorials for new scammers.

“Some of the videos were offering e-mail templates, access to complex phishing platforms, or tutorials in addition to the scam pages themselves, either as part of a bundle with specific phishing kit or at a premium,” Kopriva says. “Similar selection of additional tools and other materials was available on external e-commerce platforms, where some of the kits shown off in the videos were sold.”

Kopriva’s research demonstrates how easy it’s become for aspiring criminals to launch effective phishing attacks with minimal technical skills. New-school security awareness training can enable your employees to identify and thwart these types of attacks.

The SANS Internet Storm Center has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
