AISA 2018: Hunting for phishing kits

It is now trivially easy for a threat actor to launch a phishing attack. Kits range between $4 and $250, depending on the attacker's budget, how much of their own coding they can do to customise the kit, and how well the kit avoids detection by security tools. Attackers can also buy lists of potentially vulnerable email addresses and find vulnerable servers from which to launch their malicious activity. There are crews buying up domains and setting up servers and campaigns.

In short, there are hundreds of phishing kits being used by malicious actors.

During the recent Australian Cyber Conference, hosted by AISA, Qasim Khan - a cybersecurity specialist with one of the leading banks in New Zealand - discussed how he created a tool, called pkit finder, to search for phishing kits that have found their way onto servers. Using his tool, he has found about 3000 unique phishing kits in about a year.

Khan's tool uses automated and manual processes to collect data. URLs are collected from PhishTank and OpenPhish every hour, while information from tweets and threat intelligence feeds is handled manually. Interesting indications of phishing are extracted and then used to detect kits, and any unique finds are added to a database.
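The collect-and-deduplicate step described above, shown as an added example; this is not Khan's pkit finder code. It assumes a hypothetical SQLite schema, treats a kit as "unique" by the SHA-256 of its archive bytes, drops query strings when comparing URLs, and takes kit archives an analyst has already collected as input.

```python
import hashlib
import sqlite3
from urllib.parse import urlsplit

def normalise(url):
    # Assumption: lower-case host, drop query/fragment so per-victim links collapse.
    p = urlsplit(url.strip())
    return f"{p.scheme}://{p.netloc.lower()}{p.path or '/'}"

def open_db(path=":memory:"):
    # Hypothetical schema; the talk did not describe the real database.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS urls (url TEXT PRIMARY KEY, source TEXT, first_seen TEXT)")
    db.execute("CREATE TABLE IF NOT EXISTS kits (sha256 TEXT PRIMARY KEY, size INTEGER, first_url TEXT, sightings INTEGER)")
    return db

def ingest_urls(db, source, urls, seen_at):
    """Store one hourly feed pull; return only URLs not seen in any earlier pull."""
    new = []
    for raw in urls:
        url = normalise(raw)
        cur = db.execute("INSERT OR IGNORE INTO urls VALUES (?, ?, ?)", (url, source, seen_at))
        if cur.rowcount == 1:
            new.append(url)
    db.commit()
    return new

def record_kit(db, url, archive_bytes):
    """Record an already-collected kit archive; True if its content is new."""
    digest = hashlib.sha256(archive_bytes).hexdigest()
    cur = db.execute("INSERT OR IGNORE INTO kits VALUES (?, ?, ?, 1)",
                     (digest, len(archive_bytes), normalise(url)))
    if cur.rowcount == 0:  # same kit redeployed elsewhere: count it, don't duplicate
        db.execute("UPDATE kits SET sightings = sightings + 1 WHERE sha256 = ?", (digest,))
    db.commit()
    return cur.rowcount == 1

if __name__ == "__main__":
    # Constructed sample data (reserved .test domains, dummy archive bytes).
    db = open_db()
    print(ingest_urls(db, "phishtank", ["http://Login.Example.test/secure/?id=1"], "2018-10-10T01:00Z"))
    print(ingest_urls(db, "openphish", ["http://login.example.test/secure/"], "2018-10-10T02:00Z"))
    print(record_kit(db, "http://login.example.test/secure/", b"constructed-kit-A"))
    print(record_kit(db, "http://other.example.test/x/", b"constructed-kit-A"))
    print(db.execute("SELECT sightings FROM kits").fetchone())
```

The `sightings` counter is what makes reuse visible: one kit hash seen at many URLs points to the same kit being redeployed against different targets.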

In the time he's been using pkit finder, Khan has noticed a massive rise in the number of different kits available over the last five years, with the number of new kits still rising at an almost exponential rate. As well as looking at activity in the bank that employs him, Khan has been exploring other banks, as many of the threat actors use the same kits against different targets. He notes that many of the kits are designed to avoid detection by being invisible to many indexing robots.

Why bother collecting phishing kits? Khan said that collecting the kits makes better detection possible. Using that data, he says, it's then possible to take a more proactive approach to detection and take action before an attack is executed.

The kits Khan is finding are often backed by support organisations that put many commercial software makers to shame. He said there are YouTube tutorials detailing how to configure and deploy the kits. That means an attack can be launched by almost anyone with enough money to purchase a kit and the time and motivation to launch an attack.

The next challenge Khan is facing stems from the sheer volume and velocity with which new kits are created and deployed. As a result, he has been forced to redesign elements of the application in order to optimise its performance. It now boasts an attractive dashboard rather than a largely text-based interface. And the tool can not identify the crews developing the kits.

There are ongoing challenges, said Khan. The bad guys are getting smarter and the takedown process with ISPs is challenging. He said that even with evidence that an attack is likely, ISPs are reluctant to take down attacks preemptively and will only react when an attack is in progress. And even then, it can take up to three days to take down a site being used in an attack.

One of the unwanted side effects of the GDPR is that whois records are now shielded, making it harder to identify attackers, and the availability of cheap or free SSL certificates also helps attackers look like they are running legitimate services.

Phishing is one of the most commonly used vectors employed by attackers. It is used to launch a variety of different attacks. Detecting them and proactively blocking their effects is a critical tool in the armoury of today's cybersecurity specialists. 

Tags #AISACyberCon18
