Hackers deploy Phishing Kit in widespread Credential Stealing Attacks

The Microsoft 365 Defender Threat Intelligence Team has uncovered a unique phishing kit, which it dubbed TodayZoo, built from code copied from other kits and available for sale publicly, to be reused and repackaged by other kit resellers.

According to the security team, the name “TodayZoo” was picked because of the curious use of these words in the kit's credential harvesting component in past campaigns, likely a reference to phishing pages that spoofed a popular video conferencing app.

TodayZoo contained pieces of code copied from other widely circulated kits. The copied code segments retain the comment markers and other holdovers from previous kits, and thus provide rich insight into the state of phishing and email threats today.

What is a Phishing Kit?



Also known as a “phish kit”, a phishing kit refers to various parts of a software set meant to facilitate phishing. Most commonly, it refers to the archive file containing scripts and HTML pages that enable an attacker to easily set up an evasive phishing page to steal credentials.



These phishing kits are sold in underground forums for a one-time payment. The term can also refer specifically to the unique page itself that spoofs a brand in order to lure users into disclosing their credentials, which are often posted to an asset the attacker controls.

For instance, the researchers observed a series of phishing campaigns that abused the AwsApps[.]com domain to send email messages that eventually directed users to the spoofed landing pages. The attackers were able to create malicious accounts at scale, with the sender emails appearing with randomly generated domain names.

How does TodayZoo represent the latest Trends in the Phishing landscape?



TodayZoo and other phishing kits present several insights into the underground phishing threat landscape. They further prove that most available phishing kits are based on a smaller cluster of larger kit units.

Although this trend isn't quite new, it continues to serve as the norm, given how phishing kits share large amounts of code among themselves. The presence of dead links and callbacks to other kits also indicates that phishing kit distributors and operators have easy access to existing kits, which they reuse to make new ones faster.
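
For analysts triaging collected kit samples, the code-sharing signals described above (overlapping code, leftover comment markers, and dead links carried over from earlier kits) can be measured directly. The following is an added example, not code from Microsoft's analysis or from this article; the three page sources and every name in it are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed page sources standing in for three collected kit samples.
KIT_A = '''<!-- section: header v2 -->
<div class="box"><img src="logo.png"></div>
<!-- section: form -->
<form method="post" action="step2.php"><input name="user"></form>
<a href="https://dead-link.example/help">Help</a>'''
# kit_b is kit_a with two file names changed, as a lightly repackaged copy would be.
KIT_B = KIT_A.replace("logo.png", "brand.png").replace("step2.php", "next.php")
KIT_C = "<html><body><h1>Welcome</h1><p>Nothing shared here.</p></body></html>"
SAMPLES = {"kit_a": KIT_A, "kit_b": KIT_B, "kit_c": KIT_C}

def shingles(src, k=4):
    """Set of k-token windows; tokens are words or single punctuation marks."""
    toks = re.findall(r"[a-z0-9_]+|[^\sa-z0-9_]", src.lower())
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}

def jaccard(a, b):
    """Share of windows two samples have in common (0.0 to 1.0)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def comment_markers(src):
    """HTML comments, which tend to survive copy-and-paste between kits."""
    return {m.strip() for m in re.findall(r"<!--(.*?)-->", src, re.S)}

def urls(src):
    """Absolute URLs, including dead links and callbacks left from older kits."""
    return set(re.findall(r"https?://[^\s\"'<>]+", src))

def compare(samples):
    """Pairwise report: code overlap plus shared comments and URLs."""
    report = {}
    for (n1, s1), (n2, s2) in combinations(sorted(samples.items()), 2):
        report[(n1, n2)] = {
            "similarity": round(jaccard(shingles(s1), shingles(s2)), 2),
            "shared_comments": comment_markers(s1) & comment_markers(s2),
            "shared_urls": urls(s1) & urls(s2),
        }
    return report

if __name__ == "__main__":
    for pair, result in compare(SAMPLES).items():
        print(pair, result)
```

Pairs with high overlap and identical leftover comments or URLs are candidates for the same kit lineage, which lets one detection cover several repackaged variants.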
