Quality, quantity of phishing kits on the rise

Kits, which can be had for as little as $30, are getting more sophisticated, says antiphishing group.

The marketplace for phishing toolkits, which can allow technophobe criminals to quickly and easily set up spoofed versions of banking Web sites, is booming, with kits changing hands for as little as $30.

Although phishing kits are nothing new, in the past year their quantity and quality have increased dramatically, according to Dan Hubbard, vice president of security research for Websense and a representative of the Anti-Phishing Working Group.

Phishing kits "have been around for years, but the volume is one of the big changes," Hubbard said. "The kits available are better designed."

In particular, Hubbard noted that the kits were vaunting their immunity to common defensive techniques. These include detection by signature-based defensive programs, which look for the signature, or the "fingerprint," of known malicious software. Another is heuristics, which use pattern recognition to identify threats.

"The kit makers publish and test against signature detection as part of their advertising portfolio--'not detected by antivirus, not detected by heuristics, not detected by signatures.'"

Hubbard said that software developers were creating the kits in partnership with "traditional" criminals who want to start a new business in the online world.

"A lot of the traditional criminals are good at getting dollars back for the (stolen) credentials. You also have your security programmer guy--who probably isn't as good at monetizing these assets. The two working together make a scary combination," Hubbard said.

According to a Websense Security Trends Report published earlier this month, phishing toolkits sell for between $30 and $3,000, depending on their sophistication, ease of use and their ability to defeat antiphishing technologies.

The more-expensive kits even come equipped with exploit codes that take advantage of newly discovered--or even unknown--browser vulnerabilities to make it easier to hook victims.

"When a new vulnerability comes out, they are on it right away, and in some cases they are actually either buying zero-day vulnerabilities and exploit code or creating them themselves," Hubbard said.

"They use exploit code within a browser to get something on your machine, which in turn looks for behaviors from the end user and then steals credentials."

Hubbard said that sites created by some common phishing kits were easy to spot because the kit used a similar design for every fraudulent site it created. However, with the more expensive kits, unique site designs are generated for each user.

"The obfuscation techniques they use are very difficult to detect with antivirus because JavaScript can be tuned, changed on the fly and every user can have a different version of the content," Hubbard said.

With a kit like "Webattacker, for example, every single person who installs it has their own personal version, and each user who connects to the Web site--depending on their browser--is served up with their own exploit code," Hubbard said. "There is no consistency with regards to heuristics."

Munir Kotadia of ZDNet Australia reported from Sydney.