Many phishing kits ship with web app vulnerabilities that could expose the servers used to deploy them to new attacks, which could lead to a full server takeover.
Phishing kits are packages of ready to deploy fake login pages targeting a wide range of online services, ranging from Gmail and Amazon to Microsoft and PayPal.
The crooks upload the phishing kits onto compromised servers and use them as an integral part of phishing campaigns to collect login credentials from their targets.
The exploitable flaws found by Akamai's research team after inspecting hundreds of phishing kits are present because the kit developers build them from outdated components, which exposes the kits to attacks from other bad actors.
By taking advantage of these types of flaws, other attackers could swoop in and “upload additional files, which may help it evade detection, or hinder cleanup efforts, and software updates” after exploiting the phishing kits’ vulnerabilities says Akamai.
Beside file uploading, potential attackers could also delete files from the server where the vulnerable phishing kit is deployed if they are owned by the HTTP daemon.
Since in many cases servers allow full read and write access to directories because of lax security measures, threat actors who abuse the kits could also move beyond the user directory where the phishing kit is stored and “gain additional footholds on the web server.”
From there on out, everything is possible, with a “PHP shell and an improperly secured script run by CRON” being all that a would-be attacker would require to take over the entire web server.
The Akamai researchers found that phishing kits with file upload modules were the ones that most often contained exploitable flaws.
“The common thread between each kit is the usage of class.uploader.php, ajax_upload_file.php, and ajax_remove_file.php, in a number of different naming conventions,” says the report.
“The code used in these files comes from a GitHub repository that was last updated in 2017, and the project is just a collection of file upload scripts for PHP. The file names themselves are not important. The risk is the code being copied from GitHub and pasted between kits.”
Another phishing kit vulnerability allows users to upload executable code to the web root because the uploader script does not check the file type.
In addition, Akamai also found directory traversal vulnerabilities caused by the file remove script not sanitizing user input, enabling attackers to delete files owned by the HTTP daemon from the compromised server.
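The two defects described above, the missing file-type check on upload and the unsanitized file name handed to the delete routine, as an added defensive example written here in Python (not code from the Akamai report or from any kit); the upload root and the extension allowlist are assumptions for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Assumed upload root for the example (not a path from the Akamai report).
UPLOAD_ROOT = Path("/var/www/html/uploads")
# Assumed allowlist: content the web server will never execute.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def resolve_under_root(user_name: str, root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Map a user-supplied name to a path inside `root`, or None if it escapes.

    This is the check a file-remove handler needs: the name must be a bare
    file name (no directory part, no '..'), and the resolved path (symlinks
    followed) must still sit directly under the upload root.
    """
    if not user_name or user_name != os.path.basename(user_name):
        return None  # rejects "", "../x", "sub/x" and "/etc/passwd"
    if user_name in (".", ".."):
        return None
    candidate = (root / user_name).resolve()
    return candidate if candidate.parent == root.resolve() else None


def upload_allowed(user_name: str) -> bool:
    """Accept only allowlisted extensions, exactly one extension per name,
    so 'shell.php' and double extensions such as 'shell.php.jpg' are refused."""
    stem, ext = os.path.splitext(os.path.basename(user_name))
    return bool(stem) and "." not in stem and ext.lower() in ALLOWED_EXTENSIONS


def remove_upload(user_name: str, root: Path = UPLOAD_ROOT) -> bool:
    """Hardened counterpart of an unsanitized 'unlink($dir . $name)' handler."""
    target = resolve_under_root(user_name, root)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the checks against a constructed temporary upload root."""
    root = Path(tempfile.mkdtemp())
    (root / "photo.png").write_bytes(b"constructed sample")
    return {
        "traversal_blocked": resolve_under_root("../photo.png", root) is None,
        "delete_ok": remove_upload("photo.png", root),
        "deleted": not (root / "photo.png").exists(),
        "php_rejected": not upload_allowed("shell.php"),
        "double_ext_rejected": not upload_allowed("shell.php.jpg"),
    }
```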
Using this piggyback technique, phishing kit developers would profit both from selling the credential-stealing tool to fellow crooks and from trading the credentials delivered to them by the backdoor implanted in the kit.
Just last month, Akamai also found that a cracked version of the 16Shop commercial phishing kit was delivering all the information stolen by unauthorized users of the kit to a bot in a channel on Telegram.