The rise of the dark web has changed many things for criminals. Long a haven for the buying and selling of drugs, weapons, fake ID, and confidential data, new research has also shown that advanced phishing kits are becoming increasingly available.

Not that phishing is a new phenomenon. The practice has been around almost as long as email itself, and has always been an important part of a cyber criminal’s toolkit. Despite the risks of phishing being much more widely known, however, it retains its status as one of the dominant forms of cyber-attack, withsome reports claiming that 91% of cyberattacks and data breaches begin with a phishing email.

Joint research between CyberInt and Check Point now points to an even more worrying trend. The new kits they discovered for sale on the dark web potentially allow anyone, even those with relatively little technical knowledge, to run their own phishing scam. With such easy-to-use tools available, such kits could lead to an unprecedented explosion in phishing attacks.

Before I take you through the juicy details of the new phishing kits available, let’s spend a moment reminding ourselves of just how damaging phishing can be.

Phishing: A Reminder

You are probably sick of reading about phishing attacks, and how to avoid them. Guides on how to protect yourself against such attacks are a staple of any reputable (and some non-reputable) cyber security site, and almost everyone now has some form of knowledge of how such attacks work, and thinks they know how to avoid them.

Given the wealth of information out there, however, and the length of time that users and businesses have been aware of the risks of phishing, there is a real danger that familiarity breeds complacency. Far from diminishing, phishing attacks are actually on the rise, and are becoming increasingly sophisticated.

Whilst the consequences of falling foul of a phishing attack can be disastrous for individuals, it’s also worth remembering thatphishing attacks result in the loss of billions of dollars by SMEs every year. In addition, phishing attacks have become more targeted, with ‘spear phishing’ – highly personalized attacks often exclusively directed at powerful individuals – emerging as a growing trend.

Phishing for Everyone

The most worrying thing about the new phishing kits that CyberInt and Check Point have discovered, however, are that they put these sophisticated techniques into the hands of anyone with even a basic level of tech knowledge.

Phishing kits have been available on the dark web for years, and have been a relatively cheap option  for the would-be cyber criminal. Typical kits cost $20 - $50 a go, and promise to capture basic details about victims, such as generic passwords or other simple information that can then be used to mount a more sophisticated attack.

The newly discovered kit is a different beast altogether, and costs significantly more. It has been developed by a user known as [A]pache, and provides a full (and legitimate-looking) site for capturing victims’ financial information. The sophistication of the software also means that it comes with a correspondingly larger price tag: around $300.

What you get for your money is quite impressive, however. The phishing kit allows you to build a number of fake sites that are pretty good copies of a number of well known e-commerce portals. Though primarily focused on Brazilian retailers, criminals also have the option of impersonating Walmart and other US companies. The results are really quite good:

Image Source: https://research.checkpoint.com/a-phishing-kit-investigative-report/

Using the kit, even an inexperienced attacker can build a fake site, and populate it with items ‘for sale’. The kit even comes with advice for would-be attackers to price their fake products competitively, and provides a ‘victim information management’ panel where financial details can be harvested, as Check Point show.

Whether this kit, or others like it, will be a success remains to be seen. The research report contains no details on how many have been sold. In fact, since Check Point also managed to track down the Twitter account of the author of it, we would expect it to be taken down fairly soon if it can be proved – and this is a big if – [A]pache committed a crime in Brazil.

Whatever the outcome, however, the appearance of this phishing kit suggests that such advanced kits are likely to become a common commodity in coming years.

Protecting Yourself

Given this, what can you do to protect yourself?

If you are sick of reading about phishing in general, you are probably already aware of some of the strategies you can use to protect yourself, your data, and your business. Though kits like [A]pache’s are becoming more and more sophisticated, at a basic level the best way to avoid phishing attacks remains the same: learn how to spot a phishing email, learn how to spot a fake website, and consider running phishing simulations to put this knowledge to the test.  

Beyond this, you should also make sure that any sites you look after are hardened against phishing attacks. Whilst getting your own information stolen might be a personal disaster, being responsible for the theft of your customers’ data can bring greater consequences, possibly culminating in legal sanction. For that reason, learning how to protect your customers from phishing attacks is a necessity

At the most general level, however, what these new phishing kits teach us is that it pays to be ever vigilant against new attacks, even if we are bored of reading about the same old techniques.