Many phishing kits ship with web application vulnerabilities that expose the servers they are deployed on to further attacks, up to and including a full server takeover.

Phishing kits are packages of ready-to-deploy fake login pages targeting a wide range of online services, from Gmail and Amazon to Microsoft and PayPal.

The crooks who upload phishing kits onto compromised servers use them as an integral part of their phishing campaigns, harvesting login credentials from their targets.

Phishing kit exploitation consequences

According to the researchers, "an additional layer of attack exists, one that is often unknown to the person responsible for deploying the phishing kit - Web Application vulnerabilities."

The exploitable flaws Akamai's research team found after inspecting hundreds of phishing kits exist because the kit developers build them from outdated components, which exposes the kits to attacks from other bad actors.

By exploiting these flaws, other attackers could swoop in and "upload additional files, which may help it evade detection, or hinder cleanup efforts, and software updates," says Akamai.

Besides uploading files, attackers could also delete files on the server hosting the vulnerable phishing kit, provided those files are owned by the user the HTTP daemon runs as.

Since lax security settings often give the web server full read and write access to directories, threat actors abusing the kits could also move beyond the directory where the phishing kit is stored and "gain additional footholds on the web server."

From there, a "PHP shell and an improperly secured script run by CRON" are all a would-be attacker needs to take over the entire web server.

Example phishing kit capabilities - 16Shop (Image: Akamai)

Bad coding habits behind phishing kit flaws

While phishing kit developers do write some of their own code, they also copy and clone existing code to speed up development.

This carries any security holes present in the reused snippets into their own software, especially when entire functions are copied verbatim.

"Most developers know that code sharing means that any project touched by vulnerable code likely shares the same vulnerabilities. When problems are discovered, they're usually quickly addressed and corrected," state the researchers.

"Criminals do not care, nor do they actually control their code once released, so there is no real fix for vulnerabilities like these."

Even though Akamai has not yet discovered a vulnerable phishing kit being exploited in the wild, the possibility is very real, given that some "phishing kit developers have a background in application security, and chase bugs like these for money and notoriety."

Phishing kit vulnerabilities

Akamai's researchers found that the kits containing file upload modules were the ones that most often had exploitable flaws.

"The common thread between each kit is the usage of class.uploader.php, ajax_upload_file.php, and ajax_remove_file.php, in a number of different naming conventions," says the report.

"The code used in these files comes from a GitHub repository that was last updated in 2017, and the project is just a collection of file upload scripts for PHP. The file names themselves are not important. The risk is the code being copied from GitHub and pasted between kits."

Another vulnerability lets anyone upload executable code to the web root, because the uploader script does not check the file type.

In addition, Akamai found directory traversal vulnerabilities caused by the file remove script not sanitizing user input, which lets attackers delete files owned by the HTTP daemon's user from the compromised server.
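To make the two flaws concrete, here is an added example in PHP, the language the kits are written in. It is not code from Akamai's report, from the GitHub project it references, or from any phishing kit: it shows a remove script and an uploader written the vulnerable way, beside hardened versions. The function names, the `uploads` directory, the `file` request parameter and the extension allowlist are all illustrative assumptions.

```php
<?php
// Added example, not code from Akamai's report or from any phishing kit.
// Function names, the upload directory and the allowlist are assumptions.

// --- Vulnerable pattern: the remove script hands user input straight to unlink() ---
function vulnerable_remove(string $uploadDir, string $name): bool
{
    // A request such as ?file=../../index.php walks out of the upload directory
    // and deletes any file the HTTP daemon's user may write to.
    return @unlink($uploadDir . '/' . $name);
}

// --- Vulnerable pattern: the uploader keeps the client-supplied name and extension ---
function vulnerable_upload(string $uploadDir, array $f): bool
{
    // A file named shell.php lands in the web root and is served as executable code.
    return move_uploaded_file($f['tmp_name'], $uploadDir . '/' . $f['name']);
}

// --- Hardened remove: resolve the path and require it to stay inside $uploadDir ---
function safe_remove(string $uploadDir, string $name): bool
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }
    // Reject empty names and anything containing a path separator before
    // touching the filesystem at all.
    if ($name === '' || $name !== basename($name)) {
        return false;
    }
    // realpath() collapses "." and ".." and resolves symlinks, and returns
    // false for files that do not exist; the prefix check then guarantees the
    // target really sits below the upload directory.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return unlink($target);
}

// --- Hardened upload: extension allowlist, content sniffing, server-chosen name ---
function safe_upload(string $storeDir, array $f,
                     array $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg']): ?string
{
    if (!isset($f['tmp_name'], $f['name'], $f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                  // .php, .phtml, .phar and friends never get past this
    }
    // Check the bytes on disk, not the Content-Type the client claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($f['tmp_name']) !== $allowed[$ext]) {
        return null;
    }
    // The client never controls the on-disk name; $storeDir should sit outside the web root.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);               // readable, never executable
    return $dest;
}

// Example use with a constructed request parameter (no real upload is involved).
$uploadDir = __DIR__ . '/uploads';
$requested = $_GET['file'] ?? '../../index.php';   // hypothetical hostile input
if (safe_remove($uploadDir, $requested)) {
    echo "deleted one file inside uploads/\n";
} else {
    echo "refused: name escapes the upload directory or does not exist\n";
}
```

The containment check in `safe_remove` is the part kit code typically lacks: `basename()` alone blocks the obvious `../` payload, but `realpath()` plus the prefix comparison also covers `..` on its own, symlinks planted inside the upload directory, and any encoded separator the web server decodes before PHP sees it.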

Backdoored phishing kit code (Image: Proofpoint)

Phishing kits under attack in the past

While Akamai's researchers have not found attacks on vulnerable phishing kits and only stress that the possibility is very real, bad actors who deployed phishing kits in their campaigns have been targeted by their "colleagues" before.

In November 2016, for instance, the developers of multiple phishing kits advertised on YouTube added an exfiltration module that sent the credentials stolen from the crooks' victims both to the campaign operators and to the kit's developers.

Using this piggyback technique, the kit developers profited twice: from selling the credential-stealing tool to fellow crooks, and from trading the credentials that the backdoor implanted in the kit delivered to them.

Just last month, Akamai also found that a cracked version of the 16Shop commercial phishing kit was delivering all the information stolen by the kit's unauthorized users to a bot in a Telegram channel.

The hidden code in the cracked 16Shop kit "collects information for all of the forms visited by the victim, and no matter what storage and delivery options are selected by the 16Shop operator, the victim's data is siphoned off and sent to the Telegram bot via API calls."

Just as in 2016, the pilfered data would be stolen twice: by the frugal cybercriminals running the phishing operation, and by the crook who made the cracked 16Shop kit freely available.