In 2021, phishing attacks accelerated. By the end of Q2, more than 73% of advanced cyber threat attempts involved phishing; specifically, phishing for login credentials. When cyber attackers obtain login credentials, they can inflict extensive damage on organizations. This can take the form of network disruptions, ransomware attacks and intellectual property theft, all of which can lead to productivity and profit losses.

To prevent credential theft, many organizations and employees have adopted multi-factor authentication (MFA). However, cyber criminals are continually testing out means of circumventing MFA, as evidenced by the recent phishing kit developments.

What are phishing kits?

Phishing kits contain tools that enable hackers to creatively develop cyber attack campaigns, which can range from credit card theft dupes to those that steal social security numbers. Among the most well-known phishing kits are those that target customers of Amazon.com and Chase Bank.

Phishing kits are available on popular and easily accessible underground cyber crime sites. Numerous types of phishing kits exist. They can run the gamut from simple open-source kits with human readable code and simple functionality to sophisticated kits that utilize numerous layers of obfuscation with built-in modules that allow for particularly sneaky execution.

What’s happening

The latest phishing kits are notable for their ability to steal ‘session cookies.’ These kits use a transparent reverse proxy (TRP) to present an authentic website to a potential victim. The victim retains the illusion that he/she is logging into a safe online portal. In reality, the session cookies created during that login are captured, and hackers can exploit them at a later point in time.

Three popular TRP kits

Recently, three multi-factor authentication-focused phishing kits have made their way around the web.

  1. Modlishka. This phishing kit has existed since late 2018. With this kit, cyber attackers can only phish a single site at a time. The kit leverages a command line interface and has a GUI-based mechanism for stealing credentials and session information. “Modlishka also integrates Let’s Encrypt so it can make the fake domain landing page just a bit more believable by encrypting the traffic and providing the little padlock in the web bar,” stated researchers. “[It’s also] capable of harvesting a victim’s session even when tech like Duo’s push notification authenticator is used.”
  2. Muraena/Necrobrowser. Released in 2019, this phishing kit contains two components. The first component, known as Muraena, runs server-side and uses a crawler to scan the target site, ensuring that it can effectively rewrite traffic as needed without alerting the victim. It harvests a victim’s credentials and session cookie, after which it deploys Necrobrowser, the second element included within the kit. “Necrobrowser is a headless browser, which is a browser without a GUI used for automation, that leverages the stolen session cookies to log into the target site and do things such as change passwords, disable Google Workspace notifications, dump emails, change SSH session keys in GitHub and download all code repositories,” say researchers.
  3. Evilginx2. Originally designed by a researcher as a pen-testing tool, this phishing kit includes pre-installed ‘phishlets,’ which are YAML configuration files that the engine uses to configure the proxies to the target site. Using ‘phishlets’ allows cyber criminals to attack several brands simultaneously.
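
A defender-side illustration of the session-cookie reuse described above, added here as an example (it is not from the original article or from the researchers quoted): it flags a session ID that is later presented by a different client than the one it was first seen with. The log format, field names and sample records are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real traffic): time, session id, client IP, user agent.
SAMPLE_LOG = """\
2021-09-01T09:00:02Z sid=a1f3 ip=198.51.100.7 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/92.0"
2021-09-01T09:00:40Z sid=a1f3 ip=198.51.100.7 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/92.0"
2021-09-01T09:01:15Z sid=a1f3 ip=203.0.113.50 ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/92.0"
2021-09-01T09:02:00Z sid=b7c9 ip=192.0.2.10 ua="Mozilla/5.0 (Macintosh) Safari/14.1"
2021-09-01T09:30:00Z sid=b7c9 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh) Safari/14.1"
"""

# Assumed (hypothetical) log line layout for this example.
LINE_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')

@dataclass(frozen=True)
class Finding:
    sid: str
    ts: str
    ip: str
    severity: str
    reasons: tuple

def find_session_replay(log_text):
    """Return a Finding for each request that reuses a session from a changed client."""
    bound = {}      # sid -> (ip, user agent) recorded on the session's first request
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        sid, ip, ua = m["sid"], m["ip"], m["ua"]
        if sid not in bound:
            bound[sid] = (ip, ua)
            continue
        first_ip, first_ua = bound[sid]
        reasons = []
        if ip != first_ip:
            reasons.append("ip_changed")
        if ua != first_ua:
            reasons.append("ua_changed")
        if "headless" in ua.lower():
            reasons.append("headless_ua")
        if not reasons:
            continue
        # An IP change alone is common (VPN, mobile network); the same cookie
        # arriving with a new IP *and* a new user agent is the stronger signal.
        severity = "high" if {"ip_changed", "ua_changed"} <= set(reasons) else "low"
        findings.append(Finding(sid, m["ts"], ip, severity, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in find_session_replay(SAMPLE_LOG):
        print(f)
```

The binding is taken from the first request the site sees for a session, so treat a hit as one signal to correlate with others rather than a complete control.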

Phishing kits for sale

These kits are easy to obtain, easy to deploy, and have proven effective in evading detection technologies. They’re not easy to detect.

Black hat developers continually evolve phishing kits as organizations adopt new security processes. In turn, this makes securing against phishing kits (in their many forms) a challenging operation.

How to prepare

Ensure that your organization minimizes security blind spots. Defend against phishing. Organizations can accomplish this by combining multi-factor authentication with technical controls that include phishing simulations, email security, network firewalls and more.

In other words, read this phishing prevention whitepaper. Finally, see CyberTalk.org’s past phishing coverage here.


Preview Check Point researchers’ past work on phishing kits: 

In 2018, next generation phishing kits popped up on the Dark Net. And unlike prior kits, which were primarily composed of one or two pages specifically designed to collect personal or financial data, the new phishing kits provided additional features with which to create a fake site. 

Created by a character known as ‘[A]pache’, the kit gave people with limited technical knowledge a means of managing their own phishing campaigns in order to collect personal and financial information belonging to ordinary consumers.

See how [A]pache’s phishing kit worked, and how it was used to execute internet-based scam operations. 

Phishing kit operations

[A]pache massively simplified phishing for those with minimal technical knowledge. A hacker needed only to download a multi-functional phishing kit and to follow the installation instructions. In what seemed like no time at all, the hacker would be able to launch an effective phishing campaign. 

Although these phishing kits cost a bit more than the average phishing kit, hackers could use a comprehensive suite of tools in order to initiate a threat. Tools included a complete backend interface. This could help create fictitious retail product pages, and help hackers manage campaigns in their entirety.

Retail targets

[A]pache’s phishing kit allowed hackers to imitate brands like Walmart, Americanas, Casas Bahia and Shoptime. The majority of the retailers catered towards a Brazilian audience, and similarly, the phishing kit appeared aimed at those with strong skills in Portuguese. A few kits did appear targeted for a US-based audience. 

Phishing Kit Configuration

To give the illusion that victims were shopping at the authentic sites, the hackers using these phishing kits needed a domain that appeared similar to that of the targeted brand. After registering a fake domain, hackers deployed kits to a PHP and MySQL supported web host. Afterwards, they could access the kit’s admin panel and start to configure their ideal campaigns.

Hackers using these phishing kits were able to add real products (or so it seemed) to fake sites by using a feature that automatically imported genuine product information into the phishing page. As with any shop, hackers aimed to make their products’ prices look attractive to consumers. In other words, consumers would see deals and inherently want to click. However, hackers did have to be careful not to slash prices to the point where consumers might think twice.

For more information about next generation kits, as described by Check Point research experts, check out this blog post.