- A new phishing kit has appeared and is growing in popularity quickly, thanks to its user-friendly approach.
- The kit is called “Spox,” and it offers excellent anti-bot protection, stolen data backups, and easy phishing page management.
- The victims are tricked into giving away their entire online and offline identities, including their ATM PIN.
As reported by Sucuri researchers, a new phishing kit makes setting up campaigns and managing phishing pages a walk in the park. In addition to making deployment easy, the Spox kit incorporates several detection countermeasures that make it harder for bots like the commonly used “Phishtank” to identify the phishing pages.
Spox has been under active development, and its authors are adding new features to make it more user-friendly and powerful every month.
Spox’s main target seems to be the “Chase.com” internet banking platform, which lets users connect their bank account or open a new one, make deposits and payments, transfer money online, pay bills, issue paperless statements, and much more.
Spox uses four Chase-themed pages, starting with a fake log-in landing page. After the victims enter their credentials, they are redirected to a second page that warns them that their device is supposedly not recognized (fingerprint mismatch). The victim is then asked to provide additional authentication details and is served a series of phishing pages that steal credit card details (even the ATM PIN), location details, email address and password, contact information, and various PII.
The kit user can change the email address that receives the stolen data and toggle the anti-bot system “on” and “off.” The kit’s backend also offers a GUI (graphical user interface) repository where the stolen data is stored in plaintext right on the server that hosts the phishing pages. If the data doesn’t reach the attackers’ email address for any reason, they can use the generated “.txt” files as a backup.
As for the bot detection countermeasures, these are implemented as PHP code and are basically request filters. If something looks like a detection crawler, the page returns a 404.
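The following is an added example, not code from the article or from Sucuri: a hosting-side check that scans web server access logs for paths that return 200 to browser-like clients but only 404 to automated ones, which is the response pattern such a request filter leaves behind. It assumes the filter keys on the User-Agent header; the log lines, paths, and user-agent strings are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2021:10:00:01 +0000] "GET /secure/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/87.0"
198.51.100.7 - - [01/Jan/2021:10:00:05 +0000] "GET /secure/login.php HTTP/1.1" 404 210 "-" "ExampleScanner/1.0 (+bot)"
203.0.113.44 - - [01/Jan/2021:10:01:12 +0000] "GET /secure/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2) Safari/604.1"
198.51.100.9 - - [01/Jan/2021:10:02:30 +0000] "GET /secure/login.php HTTP/1.1" 404 210 "-" "python-requests/2.25.1"
203.0.113.10 - - [01/Jan/2021:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
198.51.100.7 - - [01/Jan/2021:10:03:02 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "ExampleScanner/1.0 (+bot)"
198.51.100.7 - - [01/Jan/2021:10:03:09 +0000] "GET /missing.php HTTP/1.1" 404 210 "-" "ExampleScanner/1.0 (+bot)"
203.0.113.44 - - [01/Jan/2021:10:03:15 +0000] "GET /missing.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (iPhone) Safari/604.1"
"""

# Combined log format: ip, identity, user, [time], "request", status, size, "referer", "user-agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)
# Assumed heuristic for automated clients (including an empty user agent); tune to your traffic.
AUTOMATED_RE = re.compile(r"bot|crawl|spider|scan|curl|wget|python|^-?$", re.I)


def find_cloaked_paths(log_text):
    """Return paths that answer 200 to browser-like clients but only 404 to automated ones."""
    seen = defaultdict(lambda: {"browser": set(), "automated": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unsupported lines
        _ip, path, status, ua = m.groups()
        kind = "automated" if AUTOMATED_RE.search(ua) else "browser"
        # Ignore the query string so variants of one page group together.
        seen[path.split("?", 1)[0]][kind].add(int(status))
    flagged = []
    for path, statuses in seen.items():
        # A genuinely missing page is 404 for everyone; a normal page is 200 for everyone.
        if 200 in statuses["browser"] and statuses["automated"] == {404}:
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    for p in find_cloaked_paths(SAMPLE_LOG):
        print("possible cloaked page:", p)
```

A hit is a lead for manual review, since legitimate bot-blocking rules can produce the same split.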
Sucuri tried to investigate the origin of the Spox phishing kit, but nothing points to a specific source yet. The truth is, quite a few actors are already deploying this tool for their phishing operations, and the newest version has even added support for PayPal.
Spox already counts almost four thousand subscribers, and the kit seems to be working smoothly for them. As for the price tag, Spox is sold for $200, so it’s pretty affordable.