A phishing kit is a collection of software tools that makes it easier for people with little or no technical skills to launch a phishing exploit. Phishing is a type of internet scam in which the perpetrator sends out spoofed e-mails or text messages that appear to come from a legitimate source. The goal is to trick the recipient into performing a specific action that will benefit the attacker -- typically, this involves getting the victim to click on a malicious link, open an infected attachment or authorize a transfer of funds.
A phishing kit typically includes Web site development software that has a simple, low-code/no-code graphical user interface (GUI). This type of crimeware kit typically comes complete with email templates, graphics and sample scripts that can be used to create convincing imitations of legitimate correspondence. For an additional price, some kits may also include lists of e-mail addresses, telephone numbers and software for automating the malware distribution process.
Security experts recommend that users refrain from clicking on links in unexpected messages purporting to be from a site they have financial dealings with. If unsure whether a message is valid, users should go directly to the official site and seek information there, or contact the site's customer service department.
Phishing as a Service kits (PaaS kits)
According to Cyren, a SaaS security provider, cloud-based phishing-as-a-service kits are available on the dark web for as little as $50 a month. When phishing websites are hosted on legitimate public cloud services, criminals are able to present legitimate domains and SSL certificates, which can trick even the most experienced end user into thinking a given phishing web page or email is trustworthy.
Popular security exploits
Phishing kits are often used to carry out the following cybersecurity exploits:
Spear phishing - an email spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information.
Whaling - a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO.
SMiShing - a security attack in which the user is sent a text message designed to tricks them into downloading a Trojan horse, virus or other malware.
Vishing - an electronic fraud tactic conducted by voice email, VoIP (voice over IP), landline telephone or cellular telephone.