Cybercriminals are increasingly using legitimate services such as Google Forms and Telegram to collect user data stolen on phishing websites

Ready-to-go platforms that automate phishing are available on the darknet and are distributed under the cybercrime-as-a-service model, which leads to more groups conducting attacks. They also widen the scope of cybercriminal activity.

A phishing kit is a toolset that helps create and operate phishing web pages that mimic a specific company or even several at once. Phishing kits are usually sold on underground forums on the darknet. For cybercriminals who do not have strong coding skills, phishing kits are a way to effortlessly build infrastructure for large-scale phishing campaigns and quickly resume an operation if it’s blocked.

By stealing user account credentials, hackers gain access to the data of linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%. Financial institutions turned out to be the third favorite among scammers, with their share totaling above 20%.

To collect the data of deceived users, cybercriminals mainly rely on free email services, to which all the information harvested on phishing websites is automatically sent. Free email accounts make up 66% of the total number of emails found in phishing kits. Most email accounts detected were created using Gmail and Yandex.

Cybercriminals actively use legitimate services to obtain compromised data. A new trend recorded over the reporting period was the use of Google Forms and private Telegram bots to gather stolen user data.
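A defender's view of the collection channels described above (free email accounts, Telegram bots, Google Forms), as an added example that is not from the original article: a Python script that scans the files of a recovered phishing kit for these exfiltration destinations. The domain list, regular expressions, file names and sample kit contents are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: domains counted as "free email"; the page names Gmail and Yandex.
FREE_MAIL = {"gmail.com", "yandex.ru", "yandex.com"}

EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
# Bot token shape "<bot id>:<secret>"; the length bound is approximate.
TG_TOKEN = re.compile(r"\b(\d{8,10}):[A-Za-z0-9_-]{30,}")
TG_HOST = "api.telegram.org/bot"
GFORM = re.compile(r"docs\.google\.com/forms/d/(?:e/)?([A-Za-z0-9_-]+)/formResponse")


def scan_kit(files):
    """Return sorted (path, channel, indicator) tuples for each exfil destination."""
    hits = set()
    for path, text in files.items():
        for m in EMAIL.finditer(text):
            kind = "free_email" if m.group(1).lower() in FREE_MAIL else "other_email"
            hits.add((path, kind, m.group(0).lower()))
        if TG_HOST in text:
            # URL may be built by concatenation; report only the numeric bot id.
            ids = {m.group(1) for m in TG_TOKEN.finditer(text)} or {"unknown"}
            hits.update((path, "telegram_bot", f"bot_id={i}") for i in ids)
        for m in GFORM.finditer(text):
            hits.add((path, "google_form", m.group(1)))
    return sorted(hits)


def summarize(hits):
    """Count channels and compute the share of free addresses among all emails."""
    counts = Counter(kind for _, kind, _ in hits)
    emails = counts["free_email"] + counts["other_email"]
    share = counts["free_email"] / emails if emails else 0.0
    return counts, share


# Constructed sample: fragments shaped like kit files, not taken from any real kit.
SAMPLE_KIT = {
    "login/post.php": '$to = "collector@gmail.com, backup@corp-mail.example";',
    "login/tg.php": '$t = "1234567890:' + "A" * 35 + '";\n'
                    '$u = "https://api.telegram.org/bot" . $t . "/sendMessage";',
    "index.html": '<form action="https://docs.google.com/forms/d/e/'
                  'CONSTRUCTED_FORM_ID/formResponse" method="post">',
}

if __name__ == "__main__":
    print(scan_kit(SAMPLE_KIT), summarize(scan_kit(SAMPLE_KIT)))
```

The extracted addresses, bot ids and form ids are what an analyst would pass to the respective provider's abuse channel for takedown.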

The functionality of phishing kits is not limited to generating fake web pages to steal user data. Some upload malicious files to the victim’s device. Sellers of phishing kits sometimes turn out to be light-fingered and deceive their own buyers, attempting to make money off them twice. The ability to instantly change phishing sites remains the attackers' strength.

Automating such attacks leads to the spread of more complex social engineering used in large-scale attacks rather than separate incidents.