How Phishing Kits Work: Unpacking Cybercriminal Tools in 2024

Learn how phishing kits provide pre-packaged tools for stealing credentials, bypassing MFA, and targeting platforms like Gmail and Microsoft 365.
December 10, 2024

Phishing attacks have never been easier to execute, thanks to the rise of advanced phishing kits. These kits are pre-built toolsets designed to simplify launching phishing campaigns by providing attackers with everything needed to impersonate trusted platforms, capture credentials, and bypass most security defenses.

Phishing kits lower the technical barrier, enabling both experienced cybercriminals and beginners to execute attacks with minimal effort. Essentially, they’re “all-in-one” solutions that include fake website templates, scripts for data collection, tools to evade detection, and detailed setup instructions.

These kits are rapidly evolving, making it more challenging than ever to protect against them. But what exactly makes phishing kits so effective, and how can organizations defend themselves?

Why Phishing Kits Work

Phishing kits are highly effective because they combine accessibility with automation. Many now incorporate real-time features like live credential capture and traffic encryption, making them even more powerful.

Their sophistication also plays a significant role in their success. Modern phishing kits often feature advanced tools, including anti-bot mechanisms, multi-factor authentication (MFA) bypasses, and browser fingerprinting.

Below are two examples of phishing kits that were advertised this month. Since these kits don’t have official names yet, we’ve assigned descriptive labels to identify them.

This approach is common for phishing kits and even high-end malware. Many tools are sold directly by their creators without formal names, with buyers simply contacting the author to make a purchase.

Reverse Proxy

The "Reverse Proxy" phishing kit exemplifies how phishing kits use reverse proxy technology to intercept traffic between targets and legitimate websites. Acting as a middleman, it captures login credentials and session cookies, enabling attackers to bypass MFA.

This kit requires minimal technical expertise to deploy, thanks to its automated installation process and detailed documentation.


Advertisement promoting a phishing kit, dated November 8, 2024

One of its standout features is the unlimited domain and subdomain generation capability, which ensures that attackers can evade blacklists by continuously switching to new URLs. These randomized domains, combined with Cloudflare integration, add complexity and make campaigns more difficult to detect.

The kit also includes an antibot mechanism, allegedly powered by machine learning, intended to ensure that only real users, not automated security tools, interact with the phishing page.
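
The session-cookie capture described in this section leaves a trace a defender can look for: a session that passed MFA in one client context and is later used from another. The following added example (not from the original article or any vendor product) flags that pattern in a constructed log; the log format, field names, and event names are assumptions.

```python
import json

# Constructed sample web-session log (one JSON object per line); all values are made up.
SAMPLE_LOG = """
{"ts": "2024-12-10T09:00:05Z", "event": "mfa_ok", "user": "alice", "sid": "s-1001", "ip": "198.51.100.7", "ua": "Chrome/131 Windows"}
{"ts": "2024-12-10T09:00:09Z", "event": "request", "user": "alice", "sid": "s-1001", "ip": "198.51.100.7", "ua": "Chrome/131 Windows"}
{"ts": "2024-12-10T09:03:41Z", "event": "request", "user": "alice", "sid": "s-1001", "ip": "203.0.113.50", "ua": "Firefox/128 Linux"}
{"ts": "2024-12-10T09:10:00Z", "event": "mfa_ok", "user": "bob", "sid": "s-2002", "ip": "192.0.2.15", "ua": "Safari/17 iPhone"}
{"ts": "2024-12-10T09:25:30Z", "event": "request", "user": "bob", "sid": "s-2002", "ip": "192.0.2.99", "ua": "Safari/17 iPhone"}
"""

def parse_events(text):
    """Yield one dict per non-empty log line, skipping malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a real pipeline would count and report these

def find_session_reuse(events):
    """Flag requests whose client context differs from the one bound at MFA time."""
    bound = {}      # sid -> (ip, ua) recorded when MFA succeeded
    findings = []
    for ev in events:
        sid, ctx = ev.get("sid"), (ev.get("ip"), ev.get("ua"))
        if sid is None:
            continue
        if ev.get("event") == "mfa_ok":
            bound[sid] = ctx
            continue
        if sid not in bound or ctx == bound[sid]:
            continue
        changed = [name for name, old, new in zip(("ip", "ua"), bound[sid], ctx) if old != new]
        findings.append({
            "user": ev.get("user"), "sid": sid, "ts": ev.get("ts"),
            "changed": changed,
            # IP alone changes on roaming; IP and user agent together suggest a replayed cookie
            "severity": "high" if len(changed) == 2 else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(finding)
```

Binding the session to the context seen at MFA time, rather than only alerting on it, lets the application force re-authentication when a high-severity change appears.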

Google Live Telegram 2FA Bypass

The "Google Live Telegram Panel" is another new phishing kit that’s designed to exploit Google’s login system—including its two-factor authentication (2FA).

By replicating Google’s login portal, the kit deceives users into entering their credentials and 2FA codes, which are then captured in real time. The stolen credentials and codes are immediately sent to the attacker via Telegram, giving the attacker access to the target’s account right away.


Sales thread for a phishing kit focusing on bypassing Google 2FA

Attackers can filter their targets by country, operating system, and device type, allowing for more optimized and precise phishing campaigns.

The kit can also collect browser fingerprints, which attackers can use to hijack sessions or bypass other security mechanisms that rely on device recognition. This level of customization empowers attackers to focus on high-value targets and increase their success rate.

Generic vs. Targeted Phishing Kits

Phishing kits vary widely in scope and functionality. Some are designed with a narrow focus, targeting specific platforms like Google, as seen in the Google 2FA Bypass Panel example above. These specialized kits provide everything attackers need to mimic the target, from custom login templates to real-time interaction tools.


Example of a phishing kit that supports hundreds of templates

In contrast, there are more comprehensive phishing kits that support a broader range of platforms and cater to attackers looking to cast a wider net. For example, the "Phishing Proxy" kit supports phishing campaigns targeting Gmail, QuickBooks, Dropbox, Microsoft 365, and more than a dozen other services.

The choice between a targeted or multi-platform kit often depends on the attacker’s goals.

Specialized kits offer greater customization and efficiency for breaching specific organizations or services, while multi-platform kits appeal to attackers running large-scale campaigns to collect as much data as possible.

Fight Phishing with Abnormal Security

Every phishing kit requires an initial contact with the target, and the vast majority of these campaigns begin with an email. Modern phishing emails, like modern phishing kits, are designed to bypass traditional security measures and enable threat actors to deceive end users into providing the data they need to compromise accounts.

Stopping today’s phishing attacks requires a solution that leverages behavioral AI to understand normal activity and block emails that deviate from what's expected. Abnormal detects hyper-personalized, never-before-seen attacks with no traditional indicators of compromise and automatically remediates malicious messages—removing the possibility of end-user engagement.

See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.
