Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has found that cybercriminals increasingly often use legitimate services such as Google Forms and Telegram to obtain user data stolen on phishing websites. Alternative ways to obtain data help cybercriminals keep it safe and start using the information immediately. In addition, ready-to-go platforms that automate phishing and which are available on the darknet also have Telegram bots at their core, with an admin panel that is used to manage the entire process of the phishing attack and keep financial records linked to them. Such platforms are distributed under the cybercrime-as-a-service model, which subsequently leads to more groups conducting attacks. They also widen the scope of cybercriminal activity.

Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed the tools used to create phishing web pages (phishing kits) and discovered that, in the past year, they were most often used to generate web pages mimicking online services (online tools to view documents, online shopping, streaming services, etc.), email clients, and — traditionally — financial organizations. Last year, Group-IB identified phishing kits targeting over 260 unique brands.

A phishing kit is a toolset that helps create and operate phishing web pages that mimic a specific company or even several at once. Phishing kits are usually sold on underground forums on the darknet. For cybercriminals who do not have strong coding skills, phishing kits are a way to effortlessly build infrastructure for large-scale phishing campaigns and quickly resume an operation if it’s blocked. By extracting phishing kits, cybersecurity analysts can identify the mechanism used to carry out the phishing attack and figure out where the stolen data is sent. In addition, a thorough examination of phishing kits helps analysts detect digital traces that might lead to the developers of the phishing kit.

In 2020, as in the previous year, the main target for cybercriminals were online services (30.7%). By stealing user account credentials, hackers gain access to the data of linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%. Financial institutions turned out to be the third favorite among scammers, with their share totaling above 20%. In 2020, the brands most often exploited in phishing kits were Microsoft, PayPal, Google, and Yahoo.