Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has found that cybercriminals increasingly often use legitimate services such as Google Forms and Telegram to obtain user data stolen during phishing attacks. Alternative ways to obtain data help cybercriminals keep it safe and start using the information immediately. In addition, ready-to-go platforms that automate phishing and which are available on the darknet also have Telegram bots at their core, with admin panel that is used to manage the entire process of the phishing attack and keep financial records linked to them. Such platforms are distributed under the cybercrime-as-a-service model, which subsequently leads to more groups conducting attacks. They also widen the scope of cybercriminal activity.
Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed the tools used to create phishing web pages (phishing kits) and discovered that, in the past year, they were most often used to generate web pages mimicking online services (online tools to view documents, online shopping, streaming services, etc.), email clients, and — traditionally — financial organizations. Last year, Group-IB identified phishing kits targeting over 260 unique brands.
A phishing kit is a toolset that helps create and operate phishing web pages that mimic a specific company or even several at once. Phishing kits are usually sold on underground forums on the darknet. For cybercriminals who do not have strong coding skills, phishing kits are a way to effortlessly build infrastructure for large-scale phishing campaigns and quickly resume an operation if it’s blocked. By extracting phishing kits, cybersecurity analysts can identify the mechanism used to carry out the phishing attack and figure out where the stolen data is sent. In addition, a thorough examination of phishing kits helps analysts detect digital traces that might lead to the developers of the phishing kit.
In 2020, as in the previous year, the main target for cybercriminals were online services (30.7%). By stealing user account credentials, hackers gain access to the data of linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%. Financial institutions turned out to be the third favorite among scammers, with their share totaling above 20%. In 2020, the brands most often exploited in phishing kits were Microsoft, PayPal, Google, and Yahoo.
To obtain data of deceived users, cybercriminals mainly resort to free email services to which all the info harvested on phishing websites is automatically sent. Free emails make up 66% of the total number of emails found in phishing kits. Most email accounts detected were created using Gmail and Yandex.
Group-IB analysts divide alternative ways for cybercriminals to obtain data into two major categories: local (when the data is stored in a file located on the phishing resource itself) and remote (when it is sent to a different server). Cybercriminals actively use legitimate services to obtain compromised data. A new trend recorded over the reporting period was the use of Google Forms and private Telegram bots to gather stolen user data.
In total, alternative methods of obtaining compromised data make up about 6%. CERT-GIB analysts predict that the share of alternative ways for obtaining data will continue to rise, with Telegram showing the greatest growth on account of being user-friendly and anonymous.
The functionality of phishing kits is not limited to generating fake web pages to steal user data. Some upload malicious files to the victim’s device. Sellers of phishing kits sometimes turn out to be light-fingered and deceive their own buyers, attempting to make money off them twice. Apart from selling the malicious tool they created, they may also have their eyes on the data stolen with its help. By using a special script embedded in the text body of the phishing kit, they direct the stream of stolen user data to their own network hosts or intercept access to their customers’ hosting service.
Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocked phishing websites with new web pages. In turn, automating such attacks leads to the spread of more complex social engineering used in large-scale attacks rather than separate incidents, as used to be the case. This keeps one of the oldest cybercriminal professions afloat.
CERT-GIB Deputy Head
The traditional approach consisting in monitoring and blocking of phishing websites is not enough today, companies have to identify all the elements of the attackers’ infrastructure and block the entire network of fraudulent resources rather than separate phishing pages. Group-IB Threat Intelligence system analyzes phishing attacks and attributes them to a specific cybercriminal group, identifying all the web pages that the latter created. Group-IB Threat Intelligence & Attribution system has accumulated an extensive database of phishing kits, which enables the company to fight against phishing targeting a specific brand. This database is being enriched on a continuous basis: as soon as TI&A detects a phishing website, it scans the attackers’ entire infrastructure to, among other things, extract the phishing kit and determine what data was compromised and where it was sent to.
