Setting up a phishing site is not as hard as you might think.
There are quite a number of sites that host a substantial number of “phishing kits.” A phishing kit is a pre-configured collection of web pages (in HTML, PHP, or any other format) that look flawlessly similar to known e-commerce, financial, and banking sites, such as eBay, PayPal, and Citibank, to name a few. These kits are used to conduct what we now call phishing attacks. Because these kits look exactly like the legitimate sites, unsuspecting users are often enticed into giving away their personal information.
We were recently tipped off about the existence of such sites. Yes, we know that these sites really do exist, but I’m talking about active, working URLs where you can download such kits. You don’t encounter those kinds of sites often.
Phishing kits for the following e-commerce sites were found on those sites.
- AOL
- Bank of America
- Bank of Ireland
- Bank of Israel
- Bank of Oklahoma
- Barclays
- Charter One
- Citibank
- Citizens Bank
- eBay
- eGold
- HSBC-US
- Halifax
- Kent Bank
- PNC Bank
- Paypal
- RBC Financial Group
- Square Trade
- TCF Bank
- USBank
- Visa
- Wells Fargo
- Western Union
That’s quite a long list! It is also important to note that several versions exist for some of these kits, indicating that they are indeed constantly kept up to date. These phishing kits also contain a README file in the package. This file comes in handy when setting up a scam site.
Now, on to the recipe. To build a phishing site, you’ll need these “raw” materials.
- Phishing kit
- A web server
- An email address to which the gathered information is to be sent
- A mass mailer program

- Set up the web server. The web server should support PHP, since most of the phishing kits are constructed using static HTML and PHP.
- With the kit, you already have a complete scam site. Set up the phishing kit in a desired virtual directory. The location of the phishing kit should be carefully considered, with a URL that is most likely to fool a user. But this step is most probably done by the kit. Some kits are zipped with a “suggested” directory structure.
- Register a domain name, using a name aimed to fool users into thinking that they are accessing a legitimate site. Remember to use fake registration information. You don’t want to go to jail, do you? And never use your real credit card.
  But if you don’t want to be bothered by domain registration, it’s fine. Just use the IP address of the web server. But that’s not really a convincing scam site, is it?
- At this point, you should already have a working phishing site. But you still need to configure where to send the gathered information. This is where you’ll need the third raw material, the email address.
  Phishing kits come with a configuration file, usually a PHP page. This configuration needs to be edited. This is where the email address is to be placed. Most phishing kits send gathered information to the indicated email address. Locate that configuration file in the kit, and edit as needed. Consult the README file if necessary.
- With the phishing site all set up, what’s left to do is to advertise the site. The best way to advertise is, of course, spam. Most of the phishing kits we obtained already have sample phishing emails. This makes the job of a phisher a lot easier.
  Advertising the phishing site is, surprisingly, quite easy. There are a variety of ways; I’ll cite two.
  - Mailer programs
    This is perhaps the easiest option. There are numerous free mailer programs available. If such a program cannot be found, you could always create one, or hire someone to create one for you.
    One example of a mass mailer is the Mass E-Mailer, which can be obtained from
    http://www.biegelscripts.com/index.php?a=6&t=2&p=0&l=0
    This is a PHP, web-based mass emailer. One of the needed arguments is a text file, which contains all the email addresses to be spammed.
    Why am I mentioning this specific product and not others? It is because a package of this mass mailer was found on one of the sites hosting phishing kits, indicating that it is used for phishing purposes.
    Though mass mailers might do the job of advertising the phishing site, they have one serious drawback: traceability. Since the spam emails all come from the same machine, it is very likely that the spamming run could be traced to the perpetrator.
  - Botnets
    Botnets address the traceability drawback of mass emailers. Since the emails are sent by the individual bots, tracing them back to the perpetrator would definitely prove to be a much more difficult job. The bots provide the phisher the shield of anonymity. A phisher could also opt to use the individual bots as the host of the phishing site. This provides additional anonymity for the phisher; if the owner of the phishing server (the bot) is tracked, it is not the phisher’s butt that will be on fire.
    However, for this to work, the phisher needs to have serious connections in the underground world.
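
The configuration file described above is also where a defender looks first when a kit archive is recovered from a compromised server: the address in it identifies the mailbox to report. The sketch below is an added example, not code from the original post or from any kit; the archive contents, the file names, the `$send` variable and the `example.test` address are constructed placeholders.

```python
import io
import re
import zipfile

# A PHP string assignment whose whole value is an e-mail address: $send = "a@b.c";
ASSIGN_RE = re.compile(
    r"""\$(\w+)\s*=\s*(['"])\s*([\w.+%-]+@[\w-]+(?:\.[\w-]+)+)\s*\2""")
# A call to PHP's built-in mail(); the lookbehind skips send_mail( and ->mail(
MAIL_CALL_RE = re.compile(r"(?<![\w>$])mail\s*\(", re.IGNORECASE)


def triage_kit(zip_bytes):
    """Scan a kit archive in memory (nothing is extracted to disk).

    Returns (drops, senders): (file, variable, address) tuples for hard-coded
    addresses, and the names of the PHP files that call mail().
    """
    drops, senders = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not name.lower().endswith((".php", ".inc")):
                continue
            src = zf.read(name).decode("utf-8", errors="replace")
            for var, _quote, addr in ASSIGN_RE.findall(src):
                drops.append((name, var, addr.lower()))
            if MAIL_CALL_RE.search(src):
                senders.append(name)
    return drops, senders


def build_sample_kit():
    """Constructed, inert stand-in for a recovered archive (placeholder data)."""
    files = {
        "signin/README.txt": "Edit config.php before uploading.\n",
        "signin/index.html": "<html><body>placeholder page</body></html>\n",
        "signin/config.php": "<?php\n$send = 'Collector@example.test';\n?>\n",
        "signin/process.php": "<?php\ninclude 'config.php';\n"
                              "mail($send, 'result', $body);\n?>\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_kit(build_sample_kit()))
```

Addresses found this way are leads for abuse reports to the mailbox provider; kits that obfuscate or split the address will need manual review.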
It may seem that I am offering a tutorial on “How to be an evil person.” But as they often say: “To fight the enemy, you must know the enemy.”
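
Knowing these choices lets a mail or proxy filter test links for them: a bare IP host, or a brand name in a host or path that does not belong to that brand. This is an added example, not part of the original post; the `BRANDS` allowlist and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative allowlist (an assumption of this example): brand keyword mapped
# to the domain that brand really uses. Extend it from your own inventory.
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com", "citibank": "citibank.com"}


def is_ip_literal(host):
    """True for dotted/IPv6 literals and single-integer forms browsers accept."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    try:
        int(host, 0)  # e.g. 3232235777 or 0xC0A80101
        return True
    except ValueError:
        return False


def classify_link(url):
    """Return the reasons (possibly none) a link matches the kit hosting patterns."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    path = parts.path.lower()
    reasons = []
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    for brand, legit in BRANDS.items():
        if host == legit or host.endswith("." + legit):
            continue  # genuinely on the brand's own domain
        if brand in host:
            reasons.append(f"'{brand}' in host outside {legit}")
        elif brand in path:  # kits unpack into brand-named directories
            reasons.append(f"'{brand}' in path on unrelated host")
    return reasons


if __name__ == "__main__":
    # Constructed sample links (documentation address range and reserved TLDs).
    for link in ("https://www.paypal.com/signin",
                 "http://192.0.2.10/paypal/login.php",
                 "http://paypal.com.account-verify.example/login"):
        print(link, "->", classify_link(link) or "no match")
```

Substring matching on brand names will produce false positives on unrelated hosts that happen to contain the keyword, so treat a hit as a signal to score, not a verdict.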