Microsoft has identified a series of phishing campaigns that use a custom phishing kit assembled from several tools widely circulating online. The attacks are designed to steal user credentials.
The Microsoft 365 Defender Threat Intelligence Team first detected instances of these attacks in December 2020. Because the campaigns use a copy-and-paste attack infrastructure, the team dubbed the kit “TodayZoo.”
“The abundance of phishing kits and other tools available for sale or rent makes it easy for a lone wolf attacker to pick and choose the best features from these kits,” the researchers said. “They put these functionalities together in a customized kit and try to reap the benefits all to themselves. Such is the case of TodayZoo.”
Phishing kits are often sold in underground forums. They consist of archive files containing images, scripts, and HTML pages that enable a threat actor to create and send phishing emails.
The TodayZoo phishing campaign is similar to other phishing attempts, which are designed to trick victims into transferring sensitive information to unauthorized websites. The main difference is that it combines pieces of other commonly used phishing kits, “some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers.”
The framework is heavily influenced by DanceVida, a well-known phishing kit that was also used by other actors. It also borrows heavily from other kits, such as Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo, for its code base and modules.
TodayZoo shows how different types of phishing techniques can be used for nefarious purposes. Attackers can rent them from providers or create their own variants from the ground up.
“This research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit ‘families,’” Microsoft’s analysis read. “While this trend has been observed previously, it continues to be the norm, given how phishing kits we’ve seen share large amounts of code among themselves.”