
Phishing kits are licensed, managed and pirated like any other legitimate software


Spearphishing schemes are borrowing practices from legitimate software companies in order to improve the efficiency and distribution of their scams, according to new research published Wednesday.

Akamai Principal Lead Security Researcher Or Katz, whose company sees thousands of new phishing pages each day, has noticed phishing kit sellers are increasingly operating as if they were in the lawful commercial space.

They are using a “factory-like production cycle to target dozens of brands,” Katz, who has been analysing the development of phishing kits since December last year, writes in the research.

One phishing kit distributor Akamai has been tracking advertises kits that imitate a wide swath of websites, including Gmail, Amazon, Facebook, YouTube, GoDaddy, PayPal and Skype.

“The threat posed by phishing factories isn’t just focused on the victims who risk having valuable accounts compromised and their personal information sold to criminals,” Katz writes. “These factories are also a threat to brands and their stakeholders.”

Akamai has also observed a few trends among phishing kit developers that seek to evade traditional detection. One tactic is the use of randomisation generators to better target victims and to evade detection, according to Katz.

These generators produce randomised URLs, so that if one phishing page is blacklisted the operation is not neutralised in one fell swoop. Katz notes the randomisation generator has an added benefit for the attackers — it can confuse victims.

“Random digits and letters often distract the victim and make the page appear more official,” Katz notes.

Other techniques include efforts to evade signature-based detection, which security software traditionally uses to block phishing kits. Cybercriminals now constantly regenerate random HTML values, so that security software would have to recognise freshly generated source code on every load, which Katz notes is “nearly impossible.”

“When the victim loads the page for the first time, the odds are in the criminal’s favour that there are no pre-existing signatures on record for the page,” Katz writes.
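One defensive answer to randomised HTML is to fingerprint a page's structure rather than its exact bytes. The following is an added illustration, not Akamai's or Katz's code: it hashes only tag names and attribute names, so the two constructed sample pages (same template, different random ids, classes and field names) collapse to one structural fingerprint while their raw content hashes differ.

```python
"""Structural fingerprint for phishing pages (added example, not Akamai's code)."""
import hashlib
from html.parser import HTMLParser


class StructureFingerprinter(HTMLParser):
    """Collect tag names and sorted attribute names, dropping every value.

    Random ids, classes and input names therefore do not affect the result.
    """

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        names = ",".join(sorted(name for name, _ in attrs))
        self.tokens.append(f"<{tag}[{names}]")

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def raw_hash(html: str) -> str:
    """Exact-content hash: changes whenever any random token changes."""
    return hashlib.sha256(html.encode()).hexdigest()


def structural_hash(html: str) -> str:
    """Hash of the tag/attribute-name skeleton: stable across random values."""
    parser = StructureFingerprinter()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("".join(parser.tokens).encode()).hexdigest()


# Constructed sample pages: one login template rendered twice with
# different random tokens, as a kit with a randomisation generator would do.
PAGE_A = ('<form id="f8x1q" class="lg-a93k" action="post.php" method="post">'
          '<input name="u_7zk" type="text"><input name="p_2mq" type="password">'
          '<button class="b-11">Sign in</button></form>')
PAGE_B = ('<form id="kq92z" class="lg-x0b7" action="post.php" method="post">'
          '<input name="u_d4r" type="text"><input name="p_99a" type="password">'
          '<button class="b-58">Sign in</button></form>')

if __name__ == "__main__":
    print("raw hashes match:", raw_hash(PAGE_A) == raw_hash(PAGE_B))
    print("structural hashes match:",
          structural_hash(PAGE_A) == structural_hash(PAGE_B))
```

A page whose skeleton differs (an extra input, a missing form) gets a different structural hash, so the fingerprint still distinguishes unrelated pages.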

Employees need to be constantly aware of new techniques being used by attackers. New-school security awareness training with simulated phishing tests can make your employees far more likely to resist real phishing attacks, because they’ll know what to watch out for and they’ll be expecting to be targeted.

With thanks to the Cyber Defence Alliance and CyberScoop. The full story is here:

Find out how affordable cyber security awareness training is for your organisation. Get a quote now.
