Phishing kits are the back-end components of a phishing attack, packaged so that deploying a phishing page is quick and repeatable.

These kits are typically bundled in compressed files, such as .zip archives, and contain all of the files needed to operate a phishing page. Once a kit is uploaded to a compromised website or hosting environment, the attacker can simply unzip it and have working phishing pages within a short period of time.

In some cases, attackers build phishing kits to sell to other attackers. They increase the value of these kits by adding features that make the phishing page(s) easier to manage, and by including countermeasures that evade automated scanners, such as those used by PhishTank, and other unintended visitors.

Phishing for Chase Victims

During a recent investigation, a phishing kit was found on a compromised website. Named inconspicuously as account-verification.zip, the archive had already been unzipped by the attacker to deploy phishing pages targeting Chase bank customers.

As with the large majority of phishing campaigns, victims were directed to these pages by a phishing email containing social-engineering text and a link to the phishing page URL.

Phishing Behavior

The phishing kit generates four pages used to steal data from victims. The initial part of the workflow starts with a landing page that appears to be the Chase internet banking login page.

[Image: Spox Chase Overview]

Immediately after the victim attempts to sign in on this initial login page, they are redirected to a page warning that their device has not been recognized and that additional authentication is needed:

[Image: Spox Chase Login]

Clicking Next and navigating further through the workflow leads the victim to a series of phishing pages asking for the victim’s email account login information, personal data, and payment card data.

[Image: Spox Chase Process]

Phishing pages which harvest personal information and payment card details.

As soon as the victim completes this fake account verification sequence, an email containing the stolen data from each phishing page is sent to the attacker, four emails in total.

Administrative Backend

Included in this phishing kit is an admin panel backend that allows the attacker to change some of the phishing page settings, including the email address used to collect the stolen data and the various anti-bot countermeasures.

These settings are coded as variables within the phishing kit’s configuration file /admin/YOUR-CONFIG.php:

$show_start_page = "yes";            // fake Chase login landing page
$show_email_access = "yes";          // email account credential page
$show_contact_information = "yes";   // personal details page
$show_credit_card = "yes";           // payment card page
$show_success_page = "yes";          // final "thank you" page
$anti_bot = "yes";                   // enable the Spox/Anti/ countermeasures

The backend also serves as a web-based viewer for the stolen data, which is stored in plain .txt files on the server hosting the phishing pages.

These .txt files act as a backup: if anything on the server prevents the stolen data from reaching the attacker's configured email address, the phisher can still retrieve it from the web server. For whoever cleans up the compromised site, this also means the host itself holds victim credentials and card data; those files should be preserved as evidence and handled accordingly, not simply deleted along with the rest of the kit.

[Image: Spox Backend]

Evasion Techniques & Bot Countermeasures

For every phishing page, multiple bot countermeasure files are loaded via the PHP include function at the beginning of the PHP code:

include 'Spox/Anti/IP-BlackList.php';
include 'Spox/Anti/Bot-Crawler.php';
include 'Spox/Anti/Bot-Spox.php';
include 'Spox/Anti/blacklist.php';
include 'Spox/Anti/new.php';
include 'Spox/Functions/Fuck-you.php';
include 'Spox/Anti/Dila_DZ.php';

All of these files filter incoming requests before a phishing page is rendered, based on factors such as source IP address ranges, the reverse DNS hostname of the source address, User-Agent strings, and other request characteristics.

If any filter matches, the kit responds with an HTTP 404 Not Found instead of the phishing page, so the request looks as if it hit a URL where nothing was ever deployed. This is why a suspected phishing URL that an automated scanner reports as "down" should be re-checked from a client that does not resemble one.

For example, if the reverse DNS (rDNS) hostname of the requesting address contains any word from a banned list, the request is assumed not to come from an intended victim and the script emits the 404 with PHP's header() function before exiting:

<?php
// Reverse-DNS lookup of the visitor's address; on failure PHP returns the IP unchanged.
$SPOX_HOSTNAME = gethostbyaddr($_SERVER['REMOTE_ADDR']);
// Substrings that mark a visitor as a crawler, scanner, security vendor or hosting range.
$blocked_words = array("drweb","Dr.Web","hostinger","scanurl","above","google","facebook","softlayer","amazonaws","cyveillance","phishtank","dreamhost","netpilot","calyxinstitute","tor-exit","msnbot","p3pwgdsn","netcraft","trendmicro","ebay","paypal","torservers","messagelabs","sucuri.net","crawler","googlebot","Googlebot-Video","bingbot" /* [...redacted...] */);

foreach ($blocked_words as $word) {
    // substr_count() is case-sensitive, hence both "drweb" and "Dr.Web" in the list.
    if (substr_count($SPOX_HOSTNAME, $word) > 0) {
        // Log the blocked visitor's User-Agent and the reason, then pretend nothing is here.
        $content = "#> ".$_SERVER['HTTP_USER_AGENT']." [ Bad word ] \r\n";
        $save = fopen("../../bots.txt", "a+");
        fwrite($save, $content);
        fclose($save);
        header("HTTP/1.0 404 Not Found");
        exit();
    }
}

The banned words cover the sources most likely to expose the page: search-engine crawlers (googlebot, bingbot, msnbot), security vendors and URL scanners (Dr.Web, Netcraft, Trend Micro, Sucuri, Cyveillance, PhishTank, scanurl), hosting and cloud providers whose address space is commonly used by scanners (amazonaws, softlayer, dreamhost, hostinger), Tor exit nodes, and the impersonated brands themselves (PayPal, eBay). Two details are worth noting: substr_count() is case-sensitive, which is why both "drweb" and "Dr.Web" appear in the list, and gethostbyaddr() returns the IP address unchanged when no PTR record exists, so this particular filter only catches sources whose reverse DNS gives them away; the IP-range and User-Agent checks in the other Anti/ files cover the rest.

Before sending the 404, the script also appends the request's User-Agent and the block reason to the file bots.txt. The same file records blocks triggered for other reasons, such as a request originating from an address defined and "blacklisted" in the kit's IP-BlackList.php file.
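The cloaking described above is straightforward to test for from the outside. The following Python script is an added example and is not part of the kit or of the original post: it requests a suspected URL with a victim-like browser User-Agent and with several crawler-like ones, then compares the status codes, flagging the URL when the browser gets a page and the crawlers get a 404. live_fetch uses only the standard library; simulated_kit_fetch is a constructed stand-in for a cloaking kit so the script can be run offline, and the profile strings and verdict names are the example's own choices. Because the hostname filter keys on the source address rather than the User-Agent, a probe from a cloud host whose rDNS matches the list will get a 404 for every profile; the script reports that case separately instead of concluding the page is gone.

```python
"""Probe a suspected phishing URL for User-Agent based cloaking (added example)."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

# Client profiles (example's own choices). The first is what the kit expects
# from a victim; the rest resemble the crawlers and tools its lists reject.
PROFILES: Dict[str, str] = {
    "victim_browser": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
    "curl": "curl/8.4.0",
}


@dataclass(frozen=True)
class Observation:
    status: int
    body_len: int


Fetcher = Callable[[str, str], Observation]


def live_fetch(url: str, user_agent: str) -> Observation:
    """Fetch url with the given User-Agent and report HTTP status and body size."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return Observation(resp.status, len(resp.read()))
    except urllib.error.HTTPError as err:
        # The kit's header("HTTP/1.0 404 Not Found") lands here.
        return Observation(err.code, len(err.read()))


def simulated_kit_fetch(url: str, user_agent: str) -> Observation:
    """Constructed stand-in for a cloaking kit, for offline demonstration only:
    crawler-looking clients get a bare 404, everyone else gets the fake login page."""
    ua = user_agent.lower()
    if any(word in ua for word in ("googlebot", "bingbot", "crawler", "curl")):
        return Observation(404, 0)
    return Observation(200, 4096)  # constructed size of the fake login page


def probe(url: str, fetch: Fetcher = live_fetch) -> Dict[str, object]:
    """Request url under every profile and classify the differences."""
    obs = {name: fetch(url, ua) for name, ua in PROFILES.items()}
    victim = obs["victim_browser"]
    others = {n: o for n, o in obs.items() if n != "victim_browser"}
    if all(o.status == 404 for o in obs.values()):
        # Either the page is gone, or the kit rejected our source address by
        # rDNS/IP (cloud hostnames such as amazonaws are in its lists).
        # Re-test from an unlisted egress before calling the page down.
        verdict = "blocked_or_absent"
    elif victim.status == 200 and any(o.status != 200 for o in others.values()):
        verdict = "cloaking_suspected"
    else:
        verdict = "no_ua_cloaking_seen"
    return {"verdict": verdict, "observations": obs}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1], live_fetch)
    else:  # offline run against the constructed kit behaviour
        result = probe("http://example.invalid/account-verification/login.php",
                       simulated_kit_fetch)
    print(result["verdict"])
    for name, o in result["observations"].items():
        print(f"  {name:15s} status={o.status} body={o.body_len}")
```

Run it with a URL as the first argument to probe a live page, or with no arguments to see the verdicts against the simulated kit. Only status codes are compared; two 200 responses with different body sizes can still indicate cloaking, so compare the bodies by hand when the verdict is no_ua_cloaking_seen but the page looks suspicious.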

Phishing kit author

Unfortunately, phishing continues to be a profitable cybercrime for attackers. It’s not hard to find the stolen logins being offered for sale or otherwise made available for fraudulent use.

Below is an example of someone offering a sample of data that was stolen using this same Spox Chase phishing kit.

[Image: Spox Telegram]

To attract more customers and to "support" existing ones, phishing kit authors are adding convenience features, such as backend web panels, to help manage the phishing content and other settings. These features make it much easier for people with little experience to launch a phishing campaign; the authors, however, charge a fee for these additional components.

The author of this Chase phishing kit, Spox, charges $200 USD for the latest version of the phishing kit.

[Image: Market0day]

By selling the kit rather than deploying it on compromised environments themselves, the phishing kit author avoids some of the risk that comes with performing fraudulent transactions using phished data. Instead, they sell the tool to others willing to take on that risk.

In fact, while writing this post I discovered that Spox had released a new PayPal version of the phishing kit, announcing it to over 3,000 subscribers.

[Image: Telegram2]

File listing of the account-verification.zip phishing kit:

account-verification/login.php
account-verification/thanks.php
account-verification/one_time.txt
account-verification/overview.php
account-verification/credit_verification.php
account-verification/admin/login.php
account-verification/admin/setting.php
account-verification/admin/info.php
account-verification/admin/logout.php
account-verification/admin/YOUR-CONFIG.php
account-verification/admin/admin.zip
account-verification/admin/index.php
account-verification/admin/files/admin/css/custom.css
account-verification/admin/files/admin/css/fontawesome-all.min.css
account-verification/admin/files/admin/css/all.min248f.css
account-verification/admin/files/admin/fonts/glyphicons-halflings-regulard41d.eot
account-verification/admin/files/admin/fonts/glyphicons-halflings-regular.woff2
account-verification/admin/files/admin/fonts/glyphicons-halflings-regular.woff
account-verification/admin/files/admin/fonts/glyphicons-halflings-regular.ttf
account-verification/admin/files/admin/fonts/glyphicons-halflings-regular.svg
account-verification/admin/files/admin/fonts/glyphicons-halflings-regular.eot
account-verification/admin/files/admin/webfonts/fa-brands-400.woff2
account-verification/admin/files/admin/webfonts/fa-brands-400.ttf
account-verification/admin/files/admin/webfonts/fa-solid-900.eot
account-verification/admin/files/admin/webfonts/fa-brands-400.woff
account-verification/admin/files/admin/webfonts/fa-regular-400.woff
account-verification/admin/files/admin/webfonts/fa-light-300.woff
account-verification/admin/files/admin/webfonts/fa-brands-400d41d.eot
account-verification/admin/files/admin/webfonts/fa-solid-900d41d.eot
account-verification/admin/files/admin/webfonts/fa-regular-400.woff2
account-verification/admin/files/admin/webfonts/fa-regular-400.eot
account-verification/admin/files/admin/webfonts/fa-light-300.woff2
account-verification/admin/files/admin/webfonts/fa-solid-900.woff
account-verification/admin/files/admin/webfonts/fa-regular-400d41d.eot
account-verification/admin/files/admin/webfonts/fa-light-300d41d.eot
account-verification/admin/files/admin/webfonts/fa-brands-400.svg
account-verification/admin/files/admin/webfonts/fa-light-300.eot
account-verification/admin/files/admin/webfonts/fa-solid-900.woff2
account-verification/admin/files/admin/webfonts/fa-regular-400.ttf
account-verification/admin/files/admin/webfonts/fa-solid-900.ttf
account-verification/admin/files/admin/webfonts/fa-brands-400.eot
account-verification/admin/files/admin/webfonts/fa-light-300.ttf
account-verification/admin/files/admin/admin.zip
account-verification/admin/files/admin/favicon.png
account-verification/admin/files/admin/index.php
account-verification/email_identification.php
account-verification/index.php
account-verification/personal_details.php
account-verification/visit_log.txt
account-verification/robots.txt
account-verification/Spox/Chase_Result/.htaccess
account-verification/Spox/Chase_Result/login.txt
account-verification/Spox/Chase_Result/at0s_cc.txt
account-verification/Spox/Chase_Result/billing.txt
account-verification/Spox/Chase_Result/total_cc_view.txt
account-verification/Spox/Chase_Result/cc.txt
account-verification/Spox/Chase_Result/total_login_view.txt
account-verification/Spox/Chase_Result/index.php
account-verification/Spox/Chase_Result/access.txt
account-verification/Spox/Chase_Result/chase_result.txt
account-verification/Spox/Chase_Result/total_billing_view.txt
account-verification/Spox/Chase_Result/total_email_access_view.txt
account-verification/Spox/Chase_Result/chase_login_at0s.txt
account-verification/Spox/Chase_Result/at0s_chase_details.txt
account-verification/Spox/Functions/.htaccess
account-verification/Spox/Functions/index.php
account-verification/Spox/Functions/Fuck-you.php
account-verification/Spox/Files/.htaccess
account-verification/Spox/Files/img/Icon1_DAO.png
account-verification/Spox/Files/img/.htaccess
account-verification/Spox/Files/img/chase-touch-icon-76x76.png
account-verification/Spox/Files/img/wordmark-white.svg
account-verification/Spox/Files/img/background.tablet.night.12.jpeg
account-verification/Spox/Files/img/success.gif
account-verification/Spox/Files/img/background.desktop.night.12.jpeg
account-verification/Spox/Files/img/Icon2_DAO.png
account-verification/Spox/Files/img/loading.gif
account-verification/Spox/Files/img/Icon3_DAO.png
account-verification/Spox/Files/img/chase-touch-icon.png
account-verification/Spox/Files/img/index.php
account-verification/Spox/Files/img/chase-touch-icon-152x152.png
account-verification/Spox/Files/img/chase-touch-icon-120x120.png
account-verification/Spox/Files/img/dcefont.svg
account-verification/Spox/Files/img/chasefavicon.ico
account-verification/Spox/Files/img/background.mobile.night.12.jpeg
account-verification/Spox/Files/css/dashboard.css
account-verification/Spox/Files/css/login.css
account-verification/Spox/Files/css/.htaccess
account-verification/Spox/Files/css/blue-ui2.css
account-verification/Spox/Files/css/blue-ui.css
account-verification/Spox/Files/css/overview.css
account-verification/Spox/Files/css/fonts/opensans-semibold.svg
account-verification/Spox/Files/css/fonts/opensans-light.svg
account-verification/Spox/Files/css/fonts/opensans-regular.woff
account-verification/Spox/Files/css/fonts/videoplayer.svg
account-verification/Spox/Files/css/fonts/dcefont.ttf
account-verification/Spox/Files/css/fonts/.htaccess
account-verification/Spox/Files/css/fonts/opensans-regular.eot
account-verification/Spox/Files/css/fonts/dcefont.eot
account-verification/Spox/Files/css/fonts/opensans-bold.woff
account-verification/Spox/Files/css/fonts/opensans-semibold.woff
account-verification/Spox/Files/css/fonts/opensans-regular.ttf
account-verification/Spox/Files/css/fonts/videoplayer.woff
account-verification/Spox/Files/css/fonts/video-icon.woff
account-verification/Spox/Files/css/fonts/video-icon.eot
account-verification/Spox/Files/css/fonts/videoplayer.ttf
account-verification/Spox/Files/css/fonts/customerSurveyHeader.svg
account-verification/Spox/Files/css/fonts/opensans-semibold.ttf
account-verification/Spox/Files/css/fonts/video-icon.svg
account-verification/Spox/Files/css/fonts/dcefont.woff
account-verification/Spox/Files/css/fonts/opensans-light.woff
account-verification/Spox/Files/css/fonts/video-icon.ttf
account-verification/Spox/Files/css/fonts/videoplayer.eot
account-verification/Spox/Files/css/fonts/opensans-semibold.eot
account-verification/Spox/Files/css/fonts/index.php
account-verification/Spox/Files/css/fonts/opensans-light.ttf
account-verification/Spox/Files/css/fonts/opensans-regular.svg
account-verification/Spox/Files/css/fonts/dcefont.svg
account-verification/Spox/Files/css/external.css
account-verification/Spox/Files/css/index.php
account-verification/Spox/Files/css/logon.css
account-verification/Spox/Files/css/origination.css
account-verification/Spox/Files/index.php
account-verification/Spox/index.php
account-verification/Spox/Anti/Dila_DZ.php
account-verification/Spox/Anti/.htaccess
account-verification/Spox/Anti/IP-BlackList.php
account-verification/Spox/Anti/blacklist.php
account-verification/Spox/Anti/index.php
account-verification/Spox/Anti/new.php
account-verification/Spox/Anti/Bot-Spox.php
account-verification/Spox/Anti/Bot-Crawler.php
account-verification/Spox/Mail/.htaccess
account-verification/Spox/Mail/error_log
account-verification/Spox/Mail/Mail1.php
account-verification/Spox/Mail/index.php
account-verification/Spox/Mail/Mail2.php
account-verification/Spox/Mail/Mail4.php
account-verification/Spox/Mail/Mail3.php
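For responders cleaning a compromised site, the listing above and the anti-bot code shown earlier give a usable set of on-disk indicators. The Python scanner below is an added example, not a tool from the original post: it walks a web root looking for the kit's path fragments (Spox/Anti/, Spox/Mail/, *_Result/, bots.txt, visit_log.txt, YOUR-CONFIG.php) and for the code patterns seen in the kit (the gethostbyaddr() reverse-DNS lookup, the $blocked_words array, the fopen() of bots.txt, the scripted 404 header, the $anti_bot setting and the Anti/ includes). build_sample_webroot() writes a small constructed tree to a temporary directory so the scan can be run without a real compromised host; the indicator names, severities and sample files are the example's own.

```python
"""Scan a web root for artifacts of a Spox-style phishing kit (added example)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Path fragments taken from the kit's file listing on this page.
PATH_INDICATORS = ("/Spox/Anti/", "/Spox/Mail/", "_Result/", "bots.txt",
                   "visit_log.txt", "YOUR-CONFIG.php")

# Code patterns from the kit's anti-bot and configuration files.
CODE_INDICATORS = {
    "rdns_lookup": re.compile(r"gethostbyaddr\(\s*\$_SERVER\['REMOTE_ADDR'\]\s*\)"),
    "fake_404": re.compile(r'header\(\s*"HTTP/1\.[01] 404 Not Found"\s*\)'),
    "blocked_words_array": re.compile(r"\$blocked_words\s*=\s*array\("),
    "bot_logfile": re.compile(r'fopen\(\s*"[^"]*bots\.txt"'),
    "anti_bot_config": re.compile(r'\$anti_bot\s*=\s*"yes"'),
    "anti_include": re.compile(r"include\s*'[^']*/Anti/[^']+\.php'"),
}
HIGH = {"rdns_lookup", "fake_404", "blocked_words_array"}  # example's own triage
SCAN_SUFFIXES = {".php", ".phtml", ".inc", ".txt"}
MAX_BYTES = 2 * 1024 * 1024  # skip large files; kit scripts are small


def scan_webroot(root: Path) -> List[Dict[str, object]]:
    """Return one finding per file whose path or contents match an indicator."""
    findings: List[Dict[str, object]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = "/" + path.relative_to(root).as_posix()
        hits = [ind for ind in PATH_INDICATORS if ind in rel]
        if path.suffix.lower() in SCAN_SUFFIXES and path.stat().st_size <= MAX_BYTES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits += [name for name, rx in CODE_INDICATORS.items() if rx.search(text)]
        if hits:
            severity = "high" if HIGH & set(hits) else "medium"
            findings.append({"path": rel, "indicators": hits, "severity": severity})
    return findings


# Constructed sample tree: one legitimate file plus three kit-like files.
SAMPLE_FILES = {
    "index.php": "<?php\n// legitimate front controller of the hosting site\nrequire 'wp-blog-header.php';\n",
    "account-verification/login.php":
        "<?php\ninclude 'Spox/Anti/IP-BlackList.php';\ninclude 'Spox/Anti/Bot-Crawler.php';\n",
    "account-verification/admin/YOUR-CONFIG.php":
        '<?php\n$show_credit_card = "yes";\n$anti_bot = "yes";\n',
    "account-verification/Spox/Anti/blacklist.php": (
        "<?php\n"
        "$SPOX_HOSTNAME = gethostbyaddr($_SERVER['REMOTE_ADDR']);\n"
        '$blocked_words = array("phishtank", "googlebot", "amazonaws");\n'
        "foreach ($blocked_words as $word) {\n"
        "  if (substr_count($SPOX_HOSTNAME, $word) > 0) {\n"
        '    $save = fopen("../../bots.txt", "a+"); fwrite($save, "x"); fclose($save);\n'
        '    header("HTTP/1.0 404 Not Found"); exit();\n'
        "  }\n"
        "}\n"
    ),
}


def build_sample_webroot() -> Path:
    """Write the constructed sample tree into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel, content in SAMPLE_FILES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content, encoding="utf-8")
    return root


def demo() -> List[Dict[str, object]]:
    """Scan the constructed sample tree and return its findings."""
    return scan_webroot(build_sample_webroot())


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for f in (scan_webroot(target) if target else demo()):
        print(f"[{f['severity']}] {f['path']}: {', '.join(f['indicators'])}")
```

Point the script at a real document root to scan it; with no argument it scans the constructed sample. The path indicators are specific to this kit's directory names, while the code patterns (reverse-DNS lookup feeding a scripted 404, a log file of blocked bots) describe the cloaking technique itself and will also surface kits that rename their directories.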