Phishing has always been the most popular threat vector among cyber-criminals across the globe. Attackers use various phishing tools and techniques to obtain sensitive details including financial and Personally Identifiable Information (PII) data of their victims. This data is then misused to carry out account takeovers, identity thefts, fraudulent transactions, etc. 

Recently, our research team discovered an interesting post, on a Russian-language cybercrime forum, of a threat actor advertising a phishing toolkit. In the actor’s first post related to the phishing service, they were only selling monthly subscription packages. However, through a reliable source, we have gathered other details about this phishing campaign, including the tactics, techniques, and procedures (TTPs) used.

Analysis of the Threat Actor’s Phishing Services

Information from HUMINT

• The price of the phishing kit ranges from USD 15 to USD 2,000, depending on the customizations chosen by the buyer (attacker).  
• The service provides phishing services that spoof organizations across different sectors including finance and banking. 
• The phishing kits purportedly have the capability to bypass various authentication measures. 

Salient Features of the Phishing Service

• The phishing services being advertised by the threat actor can be used to steal credentials and bypass multi-factor authentication. 
• The phishing toolkit also includes logs that will be delivered to the attacker through a server. 
• The service uses a reverse proxy kit that captures victims’ login information, including credentials and session logs which are converted to JSON files on the server. 

About the Threat Actor

• The threat actor, who recently joined the cybercrime forum, has made several posts detailing different methods to orchestrate phishing attacks. 
• CloudSEK’s Threat Intelligence Research team first observed their post, on a Russian-language cybercrime forum in November 2021, advertising phishing services targeting AT&T.
• The actor has demonstrated their expertise in phishing, and the efficacy of their services, by sharing detailed tutorials and PoCs (Proof of Concept) on how to carry out phishing attacks using their kits. This has bolstered the actor’s credibility among other members on the forum.
• The threat actor’s posts also highlight that they are constantly pursuing new ways to develop and deploy phishing services that target and spoof major organizations, like AT&T and Google, and government entities such as NASA. 
• The threat actor has provided information about their social media accounts as well as addresses to their Monero, Bitcoin, and Ethereum wallets. 
• The actor’s social media activity indicates that they are skilled in various web-based attacks, other than phishing. 
• There are two domains owned by the actor, Site 1 (a platform to post doxing information) and Site 2 (a website advertising phishing as a service), both of which have identical user interfaces and content. (For more information refer to the Appendix)

In this article, we will use the example of the threat actor’s Gmail phishing kit to understand how they orchestrate phishing campaigns that are able to deceive millions of users. 

Analysis of the Threat Actor’s Gmail Phishing Kit

In one of their recent posts, the threat actor advertised a Google Mail manual phishing kit that steals users’ credentials and session logs. 

Crafting Convincing Phishing Emails

Most phishing campaigns work because they are able to convince the victim of their legitimacy. In this case, the threat actor provides the capability to exploit certain domains to send emails that appear to be legitimate. 

• In this case, the actor uses a manipulated request captured from the website open.gsa.gov/api/regulations.gov/. 
• This request enables the attacker to change parameters on the client-side, which can be forwarded to a victim after making the required modifications.

• The default values can be viewed by inspecting the page source of the website as shown in the image below:

The actor can spoof emails from reputed domains such as:

• .nasa.gov
• .data.gov
• .senate.gov

According to the actor's comments on the cybercrime forum, they may be looking for different government and non-government organizations to target in order to send emails by altering the content on the client-side. These methods and services can result in an amplification of spear-phishing attacks, stolen credentials, and account takeovers of targeted victims in an organization.

How the Phishing Kits Exploit Gmail 

Once the victim clicks on the link in the phishing email, they are redirected to a Gmail phishing page.

• The Gmail phishing kit begins with a login page and a password page that collect the user’s email or phone number and password.

• After this, the phishing kit displays a customized page that informs the victim of the rate limit, and from there, the attacker can select further directives to prompt the victim. 

• Based on the IP of the victim, the page further fetches the country code that will be displayed in the authentication step. The alternate method or next button present on the page is to get the recovery email of the victim. All of this information is sent as a log to the attacker. 

The Gmail phishing kit comes with optional customizations such as:

• Alert notifications and auto-refresh whenever new logs are captured. 
• Adding or removing the rate limit page. 
• Enabling or disabling the bot protection methods, such as captcha.
• Options to choose what a victim should see after the password page. 

The above-mentioned kit is priced as low as USD 50 to USD 70. According to the threat actor, attackers who purchase these kits tend to sell the logs collected from the phishing pages, to the highest bidder. 

Widespread Impact of Gmail Phishing Campaigns

Given that Gmail has over 1.5 billion active users, this phishing kit, in particular, has the potential to cause large-scale impact because:

• Users tend to re-use their email credentials across other accounts, including their banking logins.
• It is a common practice to use Gmail accounts to sign up on ecommerce sites and for other services.
• We tend to receive confidential details such as bank account statements, bills, and meeting invites via email, which can be leveraged to carry out targeted attacks on victims. 
• Threat actors can impersonate the email holder to defraud their contacts.
• Threat actors can use OTPs and authentication codes received on Gmail accounts to bypass multi-factor authentication  

Appendix

Whois records of Site 1:

This domain has been marked malicious by two antivirus softwares under the tag of ‘phishing’. 

Whois records of Site 2 

This domain is not detectable, yet and doesn’t have any methods or phishing kits for users to download.