The Dark Web has become a bazaar for cyber criminals looking for sophisticated off-the-shelf ready-to-use malware. The latest example is a product called the “(A)pache Next Generation Advanced Phishing Kit”, which is being sold on the Dark Web for $100 – $300.
Standard kits are usually sold for $20-$50, with some even free, as they only provide login pages and prompts for personal and financial information. [A]pache’s next-generation phishing kit, however, provides threat actors with a full suite of tools to carry out their attack. These include an entire back-office interface with which they can create convincing fake retail product pages and manage their campaign.
A joint research by Cyberint and Check Point details how the notorious [A]pache Phishing Kit is promoted online and provides step-by-step instructions for those looking to steal customers’ credit card details by luring them to a fake shopping site.
To simplify this process, [A]pache offers an easy-to-use interface within the admin panel where the threat actor can paste the product URL of the legitimate retailer and the kit will automatically import the product information into the phishing page. They can then view their ‘products’ and change their original prices, bearing in mind not to pitch the new fake ‘prices’ so low as to arouse the suspicions of online shoppers.
With payment details, including the CVV number, entered and sent straight to the threat actor’s database, the threat actor can then check the kit’s back-office admin panel to see the victim’s personal and financial information. After the victim has entered their payment details, they are presented with a notification that the payment process has failed, helping convince them to not be concerned when the purchased fake product does not arrive. Their credit card details can be used to make fraudulent purchasers or sold off to the highest bidder. The [A]pache phishing kit’s developer included his alias, ‘Douglas Zedn’, in the control panel of a retail phishing site. It is still unclear whether this was a mistake or he was looking for some kind of recognition for his work.
Phishing attacks are rapidly becoming one of the main methods used by cyber criminals to gain access to online retailers’ data as well as a key way to directly target the customers who shop with them. The potential brand damage for a retailer who has been targeted is huge. Online shoppers may come away with the message that a particularly retailer’s website is not to be trusted and may be forever put off from visiting the legitimate website. The online shopping industry itself will also suffer as growing numbers of online shoppers find their credit card details have been hacked when shopping online at fake websites that appear indistinguishable from the real thing to all but the most expert eyes.
The [A]pache phishing kit illustrates the evolution that phishing kits are now undergoing and the complexity of today’s cyber threat landscape. Protection against phishing is paramount for all organizations anxious to protect their brand image and safeguard their customer’s interests. This emphasizes the need for detection and response capabilities in the digital space. The name of the game is time-to-respond and is the only way to beat the “bad guys” in this cat and mouse game.