The New “Spox” Phishing Kit Makes Campaign Deployment Easier

Last updated June 23, 2021
Written by:
Bill Toulas
Cybersecurity Journalist

As reported by Sucuri researchers, a new phishing kit makes setting up campaigns and managing phishing pages a walk in the park. In addition to making deployment comfortable, the Spox kit also incorporates several detection countermeasures that make it harder for bots like the commonly used “Phishtank” to identify the phishing pages.

Spox has been under active development, and its authors are adding new features to make it more user-friendly and powerful every month.

[Image: landing page. Source: Sucuri]

Spox’s main target seems to be the “Chase.com” internet banking platform, which lets users connect their bank account or open a new one, make deposits and payments, transfer money online, pay bills, issue paperless statements, and more.

Spox uses four Chase-themed pages, starting with a fake log-in landing page. After the victims enter their credentials, they get redirected to a second page that warns them that their device is supposedly not recognized (fingerprint mismatch). The victim is then asked to provide additional authentication details, which leads to a series of phishing pages that steal credit card details (even the ATM PIN), location details, email address and password, contact information, and various PII.

The kit user can change the email address that receives the stolen data and toggle the anti-bot system “on” and “off.” The kit’s backend also offers a GUI (graphical user interface) repository where the stolen data are stored in plaintext form right on the server that hosts the phishing pages. If the data doesn’t end up in the attackers’ email address for any reason, they may use the generated “.txt” files as a backup.
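For site owners checking whether a server has been abused to host a kit like this, the plaintext backup files described above are a practical thing to hunt for. The Python script below is an added example, not code from Sucuri or from the kit; it assumes harvested data sits in “.txt” files under the web root, and the directory layout, file names, and card numbers (standard test numbers) are constructed.

```python
import os
import re
import tempfile

# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_pans(text: str) -> int:
    """Number of Luhn-valid card-number candidates in text."""
    return sum(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(text))

def scan_webroot(root: str, max_bytes: int = 1_000_000) -> dict:
    """Map each .txt file under root to its count of card-like numbers (if > 0)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".txt"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                n = count_pans(fh.read(max_bytes))
            if n:
                findings[os.path.relpath(path, root)] = n
    return findings

def demo() -> dict:
    """Constructed sample (hypothetical paths, not the kit's real layout)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "secure", "logs"))
        with open(os.path.join(root, "secure", "logs", "results.txt"), "w") as fh:
            fh.write("user=alice pass=x card=4111 1111 1111 1111 pin=0000\n"
                     "user=bob pass=y card=5500005555555559 pin=1111\n")
        with open(os.path.join(root, "robots.txt"), "w") as fh:
            fh.write("User-agent: *\nDisallow: /tmp/1234567890123456\n")
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```

Any hit is a lead for manual review rather than proof of compromise, since legitimate applications should never write card numbers to world-readable text files either.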

As for the bot detection countermeasures, these are implemented as PHP code and are basically request filters. If something looks like a detection crawler, the page returns a 404.

[Image: backend. Source: Sucuri]

Sucuri tried to investigate the origin of the Spox phishing kit, but nothing points to a specific source yet. Quite a few actors are already deploying this tool for their phishing operations, and the newest version has even added support for PayPal.

Already, Spox counts almost four thousand subscribers, and the kit seems to be working like a breeze for them. As for the price tag, Spox is sold for $200, so it’s pretty affordable.
