Phishing involves sending emails that try to trick the recipients into taking a specific action, which could be to send sensitive data via email, open an infected email attachment, or click a link to a malicious website.
Phishing campaigns require little effort or skill to conduct. Lists of email addresses can easily be purchased on hacking forums or can be scraped from websites using widely available programs. Malware does not need to be developed, as this can be purchased through many malware-as-a-service operations. Phishing campaigns that direct individuals to a malicious website where credentials are harvested require those websites to be set up to trick users and capture credentials, but even that process is made simple with phishing kits.
Phishing kits can easily be purchased on hacking forums. These kits contain files that can be uploaded to compromised or owned websites that will collect and transmit credentials when they are entered. Phishing kits are usually sold on hacking forums for a one-time payment and typically contain everything required to start conducting phishing campaigns, including scripts, HTML pages, images, and often phishing email templates. Phishing kits allow individuals without much knowledge of how to conduct a phishing campaign to easily start running their own campaigns.
New Phishing Kit Being Used in Extensive Series of Phishing Campaigns
There are many phishing kits currently available on hacking forums, but a new one has recently been discovered that appears to have been developed using at least six other phishing kits. The new phishing kit, which Microsoft calls TodayZoo, combines the best features of other available phishing kits and is believed to have been developed by an individual who has decided to get into the phishing kit market by plagiarizing others.
The TodayZoo kit has been active since at least December 2020 and is known to have been used in an extensive series of phishing campaigns to steal Microsoft 365 credentials. The TodayZoo phishing campaigns detected so far impersonate Microsoft, with the emails using lures such as password resets, and fake notifications about faxes and shared scanned documents.
The messages direct the recipients to a webpage hosting the phishing kit that similarly impersonates Microsoft, with victims told they must log in with their Microsoft 365 credentials to either reset their password or view the fake faxes or documents. If credentials are entered, the phishing kit captures the information and transmits it to the person running the campaign.
A large part of the TodayZoo phishing kit has been taken from the DanceVida kit, with Microsoft’s analysis revealing it also includes code from the Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo phishing kits.
So not only are phishing kits purchased for conducting campaigns, but those also kits themselves can be copied and customized and used by individuals to launch their own phishing-as-a-service operations.
Phishing Prevention Requires a Defense in Depth Approach
Phishing kits lower the bar for conducting phishing campaigns, and along with malware-as-a-service and ransomware-as-a-service offerings, allow low-level threat actors to start conducting their own campaigns with ease. These services are fueling the increase in cyberattacks on businesses. Fortunately, there are low-cost cybersecurity solutions that businesses can use to block these phishing and malware campaigns.
Unfortunately, there is no silver bullet. It is no longer sufficient given the level of the threat to rely on one method of blocking attacks. A defense-in-depth approach is required, which means implementing multiple layers of protection. If one of those layers fails to block a threat, others are there to provide protection.
Phishing protection should start with a spam filter. Spam filters conduct a range of checks on all incoming emails and will block more than 99% of spam and phishing emails. TitanHQ’s email security solution, SpamTitan, has been independently tested and shown to block in excess of 99.9% of spam and phishing emails. SpamTitan also includes dual anti-virus engines to detect malicious attachments, and a sandbox to subject attachments that pass AV controls to an in-depth analysis. SpamTitan uses blacklists of malicious IP addresses, performs a range of checks on the message body and headers, and incorporates machine learning technology to detect messages that deviate from standard messages ensuring the spam filter improves over time.
A web filter is another important security measure that should be included in a defense-in-depth strategy to block phishing and malware attacks. A web filter works in tandem with a spam filter but blocks the web component of the attacks. When a user clicks a link in an email that directs them to a phishing website, that attempt is blocked. A web filter also allows users to block certain file downloads from the Internet, such as those commonly associated with malware.
Antivirus software should be installed on all endpoints as additional protection against malicious file downloads, and security awareness training should be regularly provided to the workforce. In the event of credentials being obtained in a phishing attack, multifactor authentication can prevent those credentials from being used to gain access to accounts. With these measures in place, businesses will be well protected.
For further information on spam filtering, web filtering, and to find out more about SpamTitan and WebTitan, give the TitanHQ team a call today. Both solutions are available on a 100% free trial to allow you to evaluate the products in your own environment to see how effective they are and how easy they are to use before committing to a purchase.