A recent study has shown that when it comes to criminal hacking tools, hackers don’t believe in secure coding. Akamai Technologies discovered vulnerabilities in the coding of phishing kits while doing research on cybersecurity.
This means that phishing kits, tools used by hackers to build webpages that steal victims' personal information and money by masquerading as legitimate websites, contain vulnerabilities that other hackers can exploit to pilfer freshly stolen data.
Phishing kits are often sold on the dark web to other criminals, who use them to build webpages designed to look and function exactly like a legitimate website, such as a bank's. The goal is to fool users into typing in their usernames and passwords to log in, or into handing over personal information such as a driving license or credit card number. As mentioned in a previous blog, When Crime Does Pay: Cybercrime is Cheaper and More Accessible Than Ever, criminals can take advantage of software built by hackers to run their scams for a very low cost.
While it may seem that the criminals are getting their just deserts, the reality is that the company or organization that was hacked once could end up being hacked a second time. Akamai senior security researcher Larry Cashdollar, in a memo to The Register, said, "The real risk and concern in this situation goes to the victims: the server administrators, bloggers, and small business owners whose websites are where phishing kits like these are uploaded. They're getting hit twice and completely unaware of the serious risk these phishing kits represent. While Akamai hasn't determined if there have been successful secondary attacks due to these vulnerabilities, it's a real possibility. Many phishing kit developers have a background in application security, and chase bugs like these for money and notoriety. The idea that they would search for, discover, and exploit such flaws for their own gain isn't a stretch."
The threat of phishing to an organization isn’t going away anytime soon. The additional threat of secondary theft through insecure phishing tools means that organizations must take cybersecurity seriously. Contact Uzado to find out how they can help.