The TodayZoo Phishing Kit
Thursday, last week, the Microsoft 365 Defender Threat Intelligence team reported their discovery of a series of phishing campaigns. The campaigns employ a custom phishing kit that comprises code components of several other such kits available for purchase on hacker forums.
According to the Microsoft researchers, campaigns performed using this custom kit were first noticed back in December 2020. The phishing kit has since been dubbed TodayZoo.
The researchers explain that there’s an abundance of easily-obtainable phishing kits all over the Internet, making it easy for individual threat actors to choose the ones that fit their specific needs and then combine them into a new, custom one. Apparently, the case with TodayZoo is an example of such hacker activity.
What makes it easy to obtain a given phishing kit is that they are often sold on a one-time payment basis and are distributed throughout many well-known hacker forums. Such kits typically contain HTML pages, scripts, and images that allow the cybercriminal who obtains them to easily set up phishing pages and email addresses, use those to attack their targeted demographic, and harvest the victims’ personal details by transmitting them to a server controlled by the threat actor.
With regard to the mechanism of the TodayZoo attack, there’s nothing surprising – the cybercriminal initially impersonates Microsoft, claiming that the attacked user needs to reset their password or verify their account. Obviously, to do that, the user is required to fill in their credentials in a disguised phishing form. Once the credentials are typed in and submitted, they get transmitted to the threat actor’s server.
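The mechanism described above (a brand-impersonating login form whose submitted credentials are posted to an attacker-controlled server) is something a defender can check for statically. The following is an added example, not code from the Microsoft report or from the TodayZoo kit: a small scanner that parses an HTML page, finds forms containing a password field, and flags any such form on a page mentioning Microsoft whose submit target is not one of the brand's legitimate login hosts. The allow-list, the helper names and the two sample pages are constructed for this example and are not taken from the report.

```python
"""Heuristic scanner for credential-harvesting pages (added example, not from the report).

Flags an HTML page when it (a) mentions a brand, (b) contains a form with a
password input, and (c) submits that form to a host outside the brand's
legitimate login domains. Everything here, including the allow-list and the
sample pages, is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed allow-list: hosts where a Microsoft password form may legitimately post.
BRAND_HOSTS = {
    "microsoft": {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"},
}


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it holds a password field; gather visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "has_password": bool}
        self.text = []        # visible text fragments, used for brand detection
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def scan_page(html: str, page_url: str) -> list:
    """Return a list of finding strings; an empty list means nothing suspicious was seen."""
    parser = _FormCollector()
    parser.feed(html)
    body = " ".join(parser.text).lower()
    findings = []
    for brand, allowed_hosts in BRAND_HOSTS.items():
        if brand not in body:
            continue
        for form in parser.forms:
            if not form["has_password"]:
                continue
            # Resolve relative (or empty) actions against the page URL, as a browser would.
            host = urlparse(urljoin(page_url, form["action"])).hostname or ""
            if host not in allowed_hosts:
                findings.append(f"{brand} password form posts to {host!r}")
    return findings


# Constructed sample pages for demonstration (not real pages from any campaign).
LEGIT_PAGE = """<html><body><h1>Sign in to your Microsoft account</h1>
<form action="https://login.microsoftonline.com/common/login" method="post">
<input type="email" name="login"><input type="password" name="passwd"></form></body></html>"""

SUSPICIOUS_PAGE = """<html><body><h1>Microsoft account: verify your password</h1>
<form action="post.php" method="post">
<input type="email" name="email"><input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    print(scan_page(LEGIT_PAGE, "https://login.microsoftonline.com/"))   # []
    print(scan_page(SUSPICIOUS_PAGE, "http://example.net/index.html"))   # one finding
```

The check deliberately keys on where the credentials go rather than on how the page looks, because stitched-together kits like the one described here reuse the same branded HTML as their sources while swapping only the exfiltration endpoint; a reviewer triaging reported URLs can run this against fetched page bodies and pair it with the page's own hostname.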
The thing that stands out about TodayZoo, however, is the specific phishing kit used in the cybercrime campaign – rather than directly using one of the readily-available one-time payment phishing kits, the threat actor behind TodayZoo seems to have “stitched-together” pieces of code from such phishing kits, creating a new, customized one.
The report from Microsoft elaborates on the nature of TodayZoo, noting that a large part of the custom phishing kit seems to have been lifted from the widespread DanceVida phishing tool. Traces of other kits that can be noticed in TodayZoo come from FLCFood, WikiRed, Zenfo, and Botssoft. The main deviation from DanceVida is that TodayZoo’s exfiltration logic differs from the one used in DanceVida.
The fact that individual threat actors can easily develop their own kits by simply stitching together ones that are already available throughout underground hacker forums goes to show the diverse methods used by cybercriminals who focus on phishing campaigns.
A point made in the Microsoft analysis is that this latest research shows that the majority of phishing tools currently being used in the wild likely originate from a smaller group of readily-available phishing kit variants. The researchers add that, though this trend is nothing new, it continues to be the way phishing campaigns are performed, considering that custom kits like TodayZoo that contain components of other phishing tools are not an uncommon occurrence.