Lead image for kaspersy info on phishing kits.
Image: iStock/jauhari1

Phishing is no new threat. Yet it is still targeting millions of email boxes every day and stealing credentials from unsuspecting victims.

Phishing pages were historically used mostly for targeting banking credentials or credit card information. These days, while this kind of phishing still exists, other phishing fraud targets professional email addresses or different online services credentials.

For a phishing page to be efficient, it needs to be a perfect copy of the targeted page, yet modified to send data to the fraudster. This requires web development skills that some cybercriminals do not have. Therefore, they are turning to an easier way to get what they need: phishing kits.

What are phishing kits?

Phishing kits are complete packages of manuals and documentation that are sold or provided to cybercriminals to help them perform phishing scams. Kaspersky recently published research about the tools, documenting the depth and usability of the products.

The most basic offer consists of a single web page and a script to store the stolen data locally (i.e., in a hidden folder) or send the data to a remote location via email or third-party communication software, like Telegram.

More advanced phishing kits contain a control center to tune the functionalities of the phishing pages, such as by specifying how they will receive data, or performing filtering. Some kits also allow to criminals to generate phishing pages that target users from different countries (Figure A).

Figure A

Figure A: Part of a script generating phishing sentences in French.
Part of a script generating phishing sentences in French language. Source: Kaspersky

In addition, some kits provide scripts for sending out messages via popular messaging software or email, all containing links to the phishing pages.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Phishing kits can also have dynamically generated content. Some links received in phishing emails contain the email address of the target, often encrypted, that automatically fill the email address field of the phishing page, making it even more realistic for the user. In addition, icons from the targeted domain can be fetched by scripts and displayed to add visual trust to the page (Figure B).

Figure B

Figure B: Dynamically generated phishing page.
Dynamically generated phishing page showing a logo and email address. Source: Kaspersky

Still another technique consists of inserting an iframe in the page. The iframe will download the front page of the legitimate website, while a script will pop phishing content over it (Figure C).

Figure C

Figure C: Legitimate website in the background of a phishing page.
Legitimate website in the background of a phishing page. Source: Kaspersky

 SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

Why phishing kits?

Phishing kits make it easier for cybercriminals without technical knowledge to launch phishing campaigns. Yet another reason lies in the fact that phishing pages are frequently detected after a few hours of existing and are quickly shut down by providers. The hosting providers are often alerted by internet users who receive phishing emails and pull the phishing page down as soon as possible. Phishing kits make it possible to host multiple copies of phishing pages faster, enabling the fraud to stay up for longer.

Finally, some phishing kits provide anti-detection systems. They might be configured to refuse connections from known bots belonging to security or anti-phishing companies, or search engines. Once indexed by a search engine, a phishing page is generally taken down or blocked faster.

Countermeasures used by some kits might also be using geolocation. A phishing page targeting one language should not be opened by someone using another language. And some phishing kits are using slight or heavy obfuscation to avoid being detected by automated anti-phishing solutions.

The phishing kits’ underground market

Phishing kits are being sold in underground cybercrime marketplaces or shared via private fraudsters forums or Telegram channels. Prices vary greatly depending on the quality of the phishing pages and scripts, and their level of sophistication. Kaspersky gives the example of a Telegram channel selling phishing kits between $50 and $900 USD (Figure D).

Figure D

Figure D: Prices for phishing kits.
Prices for phishing kits as exposed on a Telegram channel. Source: Kaspersky

Phishing kits might also be sold as a phishing-as-a-service (PHaaS) package. These consist of a wider range of services, from the creation of fake websites for phishing to launching targeted data-theft campaigns.

Kaspersky provides the example of a service for stealing login credentials from Microsoft accounts by using an Excel scam page, guaranteed to be tested on all devices types (Figure E), sold for $40 USD.

Figure E

Figure E: An Excel phishing kit sold on the underground market.
An Excel phishing kit sold on the underground market. Source: Kaspersky

Phishing kits might also be found for free on internet. With a quick search, TechRepublic was able to find and download dozens of different phishing kits from the internet (Figure F).

Figure F

Figure F: List of zip files containing full phishing kits.
List of zip files containing full phishing kits found on the internet.

While it is fairly easy to find such kits on the internet, cybercriminals considering this approach should be aware that most of these free kits are backdoored. The developers of the phishing kits often add a backdoor in their code, obfuscated, which will silently send all the stolen data to themselves, in addition to the people using the phishing kit.

SEE: Cyber threat intelligence software: How to choose the right CTI tools for your business (TechRepublic)


In 2021, Kaspersky detected 469 individual phishing kits, allowing it to block 1.2 million phishing websites. The most frequently detected phishing companies or brands targeted in 2021, according to Kaspersky, have been Facebook, Adidas, Amazon, Dutch banking group ING and German bank Sparkasse.

In addition to using phishing pages, cybercriminals often register domain names that are similar to the legitimate domain of the brand they are targeting, or that contains the brand name. This trick is known as combosquatting (Figure G).

Figure G

phishing kit figure g.
Combosquatting example: A Facebook phishing page on a domain name containing the brand name. Source: Kaspersky

Recommendations for phishing kit defense

  • Do not click on links or attached files contained in emails coming from unknown sources, or in any communication software like Telegram, WhatsApp, etc.
  • If an email seems to come from a colleague but has somehow unusual characteristics (email footer missing, spelling mistakes, etc.) call the colleague and verify that they were indeed the sender and that you can click on the link or open the attached file safely.
  • Make sure the URL the link leads to is correct and legitimate.
  • Be aware that SMS on mobile phones might also contain links to phishing pages. Do not click on any link coming from an unknown source, or even from a seemingly legitimate one if you did not expect an SMS from it.
  • If you get a message that seems legitimate from an entity, go to its website and log in rather than using the link provided in the email.
  • Be aware that browsing a website using HTTPS does not mean it is safe. More and more cybercriminals use free SSL certificates for their phishing domains.
  • Use anti-phishing solutions to protect your browser from phishing websites.
  • Report phishing websites you might detect to your IT department or even to anti-phishing organizations. This will help everyone on the internet since it is generally quickly addressed by blocking software.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday