Skip navigation
Duo Labs

Phish in a Barrel: Hunting and Analyzing Phishing Kits at Scale

Phishing is a business, and business is booming.

To make phishing campaigns more efficient, attackers will often reuse their phishing sites across multiple hosts by bundling the site resources into a phishing kit. These kits are uploaded to a (typically compromised) host, the files in the kit are extracted, and phishing emails are sent pointing to the new phishing site. Sometimes, however, the attackers get lazy and leave the phishing kits behind, allowing anyone—including security researchers—to download them.

How Phishing Kits Work

In a technical paper released today, Duo Labs details the results of a month-long experiment in which we hunted and analyzed over 3,200 unique phishing kits. In addition to the technical paper, we’re open-sourcing the code we wrote to track down the phishing kits.

What We Found

Network Graph Click to view larger.

Over the course of a month, using community-driven URL feeds from Phishtank and OpenPhish, we found 3,200 unique phishing kits across 66,000 URLs. A high-level summary of our analysis is summarized below:

  • We found many phishing kits designed to evade detection through the use of .htaccess files and PHP scripts that block connections from threat intelligence companies based on attributes like the source IP address ranges, the HTTP referrer or the user-agent header.

  • We parsed each phishing kit for email addresses indicating both where the credentials are being sent as well as who may have originally created the phishing kit. We tracked individual attackers across multiple phishing campaigns, including one actor whose email address was found in over 115 unique phishing kits.

  • We tracked unique phishing kits across multiple hosts. We found multiple kits that were seen on as many as 30 different hosts, indicating actors launching multiple phishing campaigns with the same kit.

  • We identified over 200 instances of backdoored phishing kits. This shows that attackers who are selling or distributing these phishing kits to other criminals are actively backdooring them to give themselves access to the compromised hosts. Clearly there's no honor among thieves!

  • Our analysis revealed that phishing kits were most commonly found on compromised sites running Wordpress, and 16% of the time they were found on sites being served over HTTPS.

Get the Paper

This blog post only scratches the surface of the research we performed. Our technical paper Phish in a Barrel: Hunting and Analyzing Phishing Kits at Scale provides the full detail of the experiment, showing how we found, stored and analyzed phishing kits at scale.

The goal of our research is to offer a glimpse into the methods and tools attackers use to make their operations efficient. As part of these results, we’re open-sourcing the code we used to collect phishing kits. You can find the code on Github.

Conclusion

As a security practitioner, you can use the same techniques we describe in the technical paper to track down phishing kits targeting your organization, as well as to determine what information is being stolen and where the information is being sent.

We’d like to thank both OpenDNS (operators of Phishtank) and OpenPhish for their excellent community-driven feeds. This work wouldn’t be possible without the great services they provide to the security industry.

It’s important to note that all of the phishing kits we analyzed aimed to steal credentials for later reuse. One of the best things defenders can do to reduce the impact of stolen credentials is to set up multi-factor authentication (MFA) for every external-facing application used by your organization. Additionally, you can use the free Duo Insight phishing tool to test your organization’s exposure to phishing attacks.