The Loot
So far, you have learned from studying specific instances of phishing sites. It is time to move the discussion further along to the topic of phishing kits. In the following paragraphs, we will look at tools criminals use to quickly set up phishing sites. We will also provide an intriguing example illustrating the trust between phishers, or lack thereof.
Uncovering the Phishing Kits
It is straightforward to set up a website that looks like a legitimate website. All a phisher has to do is go to the legitimate website and download the HTML and JavaScript code and the image files. Once you have these resources, you can simply upload them onto a web server. However, you may need to tweak the website a bit to suit your style, and you will also need to set up a server-side script (such as update.php) to capture the victim’s submissions.
Wouldn’t it be great if you, the phisher, had ready-made phishing sites to deploy? Life would be so much easier. There would be no need to go around downloading HTML, JavaScript code, and image files, and then having to package them up each time. The most important tool in a phisher’s arsenal, the phishing kit, helps with exactly this.
Phishing kits are usually sold or bartered in the phishing underground. We were able to social-engineer a phisher via email to obtain the kits for free. Figure 7-14 shows some of the phishing kits we were able to capture.
Figure 7-14. Phishing kits
The loot consists of phishing kits for every imaginable institution. From ...
Get Hacking: The Next Generation now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
