Phishing Kits Targeting Regional and Community Banks and Credit Unions pmiquel October 29, 2024


While we monitor, investigate, and remove online brand impersonations of our customers, we often find websites using phishing kits. These sites host many phishing pages that target regional bank customers and credit union members. Their goal is to steal personal information.

We’ve discovered web pages matching this pattern for years but observed a surge in such credential harvesting campaigns this month. What is new about these phishing sites is that they use free bot detection services like Cloudflare Turnstile.

Threat actors are using bot detection tools, which has made traditional online brand protection methods much less effective, including the methods used by some brand protection vendors.

This article will help regional banks and credit unions build their understanding of this risk: the growing number of these phishing websites, and why traditional online brand protection and threat intelligence methods will not find them.

Anti-Bot Technology: Cloudflare Turnstile

Why Traditional Methods Can’t Detect Phishing Kit Repositories

Despite the challenges posed by anti-bot technology in this instance, Allure Security successfully detected phishing kit sites.

First, the group behind this campaign has used anti-bot technology, which checks whether a visitor is human. Fraudsters value it because it lets them distinguish genuine human visitors (potential victims) from automated tools (potential cybersecurity researchers or vendors).

Legitimate websites use anti-bot technology to prevent unwanted automated activities such as web scraping or other abuse. Cloudflare offers one such anti-bot tool called Turnstile, now freely available to the public.

Turnstile has made using the Internet easier for many of us. It removes the need to fill out confusing CAPTCHA forms. We no longer have to identify all the stoplights in a group of pictures. Unfortunately, cybercriminals can also use this tool to their advantage.

Cybercriminals have misused Turnstile in the past. However, this is the first time they have targeted this group of financial institutions.

Anti-bot technology is an obstacle many vendors’ automated web scanners cannot overcome.

The evidence that brings us to this conclusion includes:

  • These sites do not appear in third-party phishing feeds. This means other vendors have not reported them as fake.
  • When found, these sites are still active and not blocked by Google Safe Browsing or anti-virus programs. This shows that others have not detected or reported them.
  • Some of these phishing sites may have been active for a month or longer. The dates in the repository directories show this.
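As an added example (not Allure Security's or any vendor's code), a scanner-side check for the situation described above: when the fetched response is the Turnstile challenge rather than the page behind it, the URL is queued for interactive review instead of being scored clean. The widget markers are assumptions based on Cloudflare's public Turnstile documentation, and the HTML samples are constructed.

```python
"""Classify what an automated scanner actually fetched: the phishing page, or a
Cloudflare Turnstile human check standing in front of it (constructed samples)."""
import re

# Widget markers, assumed from Cloudflare's public Turnstile documentation
TURNSTILE_MARKERS = (
    re.compile(r"challenges\.cloudflare\.com/turnstile/", re.I),
    re.compile(r'class=["\'][^"\']*\bcf-turnstile\b', re.I),
)
PASSWORD_FIELD = re.compile(r'<input[^>]*type=["\']?password', re.I)

def classify_fetch(html: str) -> str:
    """'gated' when the response is the human check rather than page content."""
    return "gated" if any(m.search(html) for m in TURNSTILE_MARKERS) else "content"

def scanner_verdict(html: str) -> str:
    """Policy: a gated fetch is routed to a browser-based or manual queue instead
    of being closed as clean, because the scanner never saw the real page."""
    if classify_fetch(html) == "gated":
        return "needs_interactive_review"
    return "credential_form" if PASSWORD_FIELD.search(html) else "no_form"

# Constructed responses: what a scanner receives with and without the challenge
GATE_HTML = """<html><body>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<div class="cf-turnstile" data-sitekey="PLACEHOLDER_SITEKEY"></div>
</body></html>"""
LOGIN_HTML = ("<html><body><form method='post' action='login.php'>"
              "<input name='user'><input name='pass' type='password'></form></body></html>")
```

The point of the policy is the third branch never being reached for a gated page: a scanner that sees no login form in the challenge HTML must not conclude there is nothing to report.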

Typosquat Detection Fails to Find These Malicious URLs

Second, online brand impersonation detection methods that rely on identifying homographs, typosquats, or misspelled domain names would overlook these malicious URLs. Sometimes the main domain will contain the name of one bank from the impersonated group, or a name close to it. Tools like Dnstwist and other phishing domain scanners can find these cases. However, they only work for the one financial institution named in the root domain.

These detection methods focus on the root domain, and in some cases the subdomain. However, they do not consider subdirectories (e.g., “subdirectory” or the text after the slash in alluresecurity[.]com/subdirectory). This makes it harder for them to spot phishing attacks. These attacks trick victims by using an institution’s brand in a subdirectory.

Phishing Kits 101 Overview

Our threat response team is very familiar with phishing kits, having dealt with countless examples of repositories full of spoof login pages targeting multiple financial institutions over the years.

Ready-made Phishing Campaigns

Phishing kits usually come with ready-made templates. These templates help create many phishing pages quickly to target various financial institutions on a large scale. Templates include assets such as graphics, code, email templates, landing pages, and anything else needed to launch phishing campaigns.

The templates look like a real financial institution’s website, with login fields that trick victims into entering usernames, passwords, email addresses, and other sensitive information.

Many kits also come with scripts. These scripts automatically send any stolen data to the attacker. They can use email, text messages, mobile app messaging, or other channels.

More advanced phishing kits like CryptoChameleon can bypass multi-factor authentication. They do this by stealing time-based one-time passwords (TOTP).

Phishing-as-a-Service

Phishing-as-a-service (PhaaS) platforms make it even easier for fraudsters to launch phishing attacks. PhaaS will offer a phishing kit and tutorials. It will also provide hosting services and target lists with contact details.

Phishing kits and PhaaS are a problem because of their:

  • Ease of use and lowering the barrier to entry so that even novice attackers can launch phishing campaigns
  • Speed to spit out scam websites in minutes
  • Scale creating multiple unique websites targeting multiple brands very quickly

This results in an increasing number of phishing sites, targeting an increasing number of organizations. Also, by greatly cutting down the time and effort needed to start a scam, they make it easy to quickly activate, deactivate, and move. This makes it even harder to defend against these phishing threats.

Phishing Kit Repositories Targeting Financial Institutions

Screenshot of a sample of 9 phishing pages targeting financial institutions discovered by Allure Security.

We are finding new examples of this type of repository all the time and try to measure the threat with these estimates:

  • We’ve detected 5 to 10 of these repositories each day over the past week or so
  • The repositories typically contain 10 to 20 customized phishing kits (i.e., .zip files)
  • The repositories typically impersonate 10 to 20 of a similar group of brands
  • Some larger repositories have 30 to 40 phishing pages. These pages target different brands. In some cases, there are multiple pages for the same brand.

We have noticed similar patterns in many recent phishing repositories. This suggests that the same group created them.

Some of those patterns include:

  • Top-level domains – The use of similar top-level domains (TLDs) – particularly .icu but also .support, .tech, .cloud, .online, and others (including .com)
  • Exposed index – Sometimes, the main directory of a website is left open. Subdirectories may show the name, nickname, or acronym of the targeted financial institution. They might also display random text.
  • Hosted .zip files – The subdirectories contain similarly named .zip files, each containing the code for a particular phishing page
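The subdirectory blind spot described under Typosquat Detection and the repository patterns listed above, as one added triage example (not Allure Security's or any vendor's code): it reports brand mentions in the host separately from brand mentions after the slash, so URLs that domain-only monitoring would never surface can be queued for review. The brand catalogue and URLs are constructed, and the TLD list is taken from the patterns above with .com left out because it is too common to be a signal on its own.

```python
"""Triage candidate URLs for the repository patterns described above: brand in a
subdirectory rather than the domain, a recurring TLD, a hosted .zip (constructed)."""
from urllib.parse import urlparse

# TLDs the article reports as recurring (.com omitted: too common to be a signal)
SUSPECT_TLDS = {"icu", "support", "tech", "cloud", "online"}
# Hypothetical brand catalogue: label -> names, nicknames and acronyms to look for
BRANDS = {
    "Example Community Bank": {"examplebank", "ecb"},
    "Sample FCU": {"samplefcu", "sfcu"},
}

def tokens(text: str) -> list[str]:
    """Lowercase alphanumeric runs of a hostname or URL path."""
    out, cur = [], ""
    for ch in text.lower() + " ":  # trailing space flushes the last run
        if ch.isalnum():
            cur += ch
        elif cur:
            out.append(cur)
            cur = ""
    return out

def mentions(names: set[str], text: str) -> bool:
    """Acronyms must match a whole token; longer names may span separators,
    so 'example-bank' still matches 'examplebank'."""
    toks = tokens(text)
    squashed = "".join(toks)
    return any((n in squashed) if len(n) >= 6 else (n in toks) for n in names)

def triage(url: str, brands: dict[str, set[str]] = BRANDS) -> dict:
    """Report indicators for the host (what a typosquat scanner sees) separately
    from the path (the subdirectory blind spot the article describes)."""
    p = urlparse(url if "://" in url else "http://" + url)
    host, path = p.hostname or "", p.path
    in_host = sorted(b for b, n in brands.items() if mentions(n, host))
    in_path = sorted(b for b, n in brands.items()
                     if mentions(n, path) and b not in in_host)
    return {
        "suspect_tld": host.rsplit(".", 1)[-1] in SUSPECT_TLDS,
        "brand_in_domain": in_host,
        "brand_in_path": in_path,
        "zip_in_path": path.lower().endswith(".zip"),
    }

def domain_scanner_blind_spot(ind: dict) -> bool:
    """True when the brand appears only after the slash, so dnstwist-style
    domain monitoring would never surface this URL for review."""
    return bool(ind["brand_in_path"]) and not ind["brand_in_domain"]
```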

Act Now to Protect Against Increasingly Sophisticated Phishing Kit Threats

First, if you handle your online brand protection yourself, it’s very important to check how well your current strategy works. Brand protection vendors are skilled at keeping up with scammers’ changing phishing tactics. They work hard to spot the scams that criminals try to hide from the brands they imitate.

Traditional methods, like finding registered domains with misspelled names, used to provide some security. However, relying only on these methods is now risky. Your brand’s reputation and customers/members deserve better.

Second, if you do outsource your online brand protection, challenge your provider on how they handle these types of threats. As we mentioned at the start of this article, we think most vendors cannot detect scams like these quickly.

Allure Security excels at identifying and removing these advanced attacks before they can harm anyone. Our ability to proactively detect and shut down such scams can prevent any potential victim from ever encountering them.

A screenshot of the root domain of a phishing kit site repository with phishing kits and subdirectories exposed.
