New Advanced Phishing Kit Targets eCommerce

A new advanced phishing kit has surfaced, which provides miscreants with more than the usual one or two pages used to collect personal and financial data from victims, Check Point warns.

The phishing kit is currently being advertised on the Dark Web at $100-$300 and has been designed to target online users looking to shop at popular retailers, in an attempt to steal their personal details and credit card information.

Advertised by a certain [A]pache, the kit doesn’t only display a login page with a prompt for personal and financial information. Instead, it incorporates entire replicas of retail sites, Check Point’s security researchers have discovered.

Through the kit’s backend interface, cybercriminals can create convincing fake retail product pages, in addition to being able to manage their entire phishing campaign. The [A]pache Next Generation Advanced Phishing Kit is mainly targeting users in Brazil with convincing replicas of Walmart, Americanas, Ponto Frio, Casas Bahia, Submarino, Shoptime and Extra.

“By preparing a site with discounted products that appear to be sold by a legitimate retailer, the threat actor can then lure victims into making a ‘purchase’, at which point they surrender their personal and financial information,” Check Point notes.

Miscreants downloading [A]pache’s multi-functioning phishing kit don’t need advanced technical abilities to get started with their own cyber-attacks. The kit comes with installation instructions that allow any actor to launch a campaign fast.

Packing a full suite of tools to carry out an attack, the kit seems aimed at those with a good knowledge of Portuguese, but the security researchers discovered that some U.S. brands were targeted as well.

To trick victims, the attackers use domain names similar to those of the legitimate sites. Once the fake domains have been registered, the miscreants deploy the kit to a PHP and MySQL supported web host, and then log in to the admin panel to configure the campaign.

Actors can select an email address to receive notifications, enter the URL of the phishing site, choose to disable ‘Boleto Bancário’ (and force victims to enter their credit card data), insert legitimate product URLs from the retailer’s website for automatic import, and manage the phished victim information.

“[A]pache has made a simple user interface within the admin panel where the threat actor can paste the product URL of the legitimate retailer and the kit will automatically import the product information into the phishing page. They can then view their ‘products’ and change their original prices,” Check Point explains.

The phishing sites also claim to be offering competitive prices, in an attempt to motivate potential ‘customers’ into clicking on items and proceeding to checkout. However, prices aren’t reduced by much, as that would raise suspicions. Highly valued and desired items are listed first, to entice potential victims.

Not only does the fake website look exactly like the target site, but an automated post-code look-up function for added conviction is also included in the phishing kit. Thus, unsuspecting victims would easily reveal their payment details, including the card’s CVV, and the attacker can view the stolen details in the admin panel.

The victim is instead notified that the payment process has failed, so as to avoid arousing suspicion when the purchased fake products do not arrive. The attackers would often take down the fake sites after successful attacks, to avoid being caught.

In one case, the researchers found a custom-built ‘error 404’ site in use, which makes reference to a non-existent ‘Blue World Electronicos’ company. An English version of the page was found being used online on a few domains serving PayPal phishing scams.

Thus, the researchers discovered that the author of the Brazilian phishing kit appears to be behind kits targeting US victims as well. After finding the handle ‘Douglas Zedn’ in the control panel of the Walmart phishing site, the researchers managed to link it to the individual’s Steam account and then to their Twitter account.

“With some reports claiming that 91% of cyberattacks and data breaches begin with a phishing email, phishing remains a constant threat for stealing financial information, intellectual property, and even interfering with elections. For this reason, consumers and businesses alike must ensure they have the latest protections for safeguarding against such threats,” Check Point concludes.


Ionut Arghire is an international correspondent for SecurityWeek.
