Share this page!

Maybe Scrolly?
Jake | JCyberSec_ Profile picture
Twitter logo
1 Dec, 17 tweets, 6 min read
Announcing KIT Intel 📣

🎉A Phishing Kit Intelligence Platform

“Understand the threat actors' playbook and capabilities”

#KITIntel

🧵 THREAD ⤵️
KIT Intel is a tool for phishing kit research...at scale.

📁 Upload, Analyze, Cluster, and Research phishing kits like never before.
🔎 Phishing kits are a wealth of untapped intelligence.

If you deal with phishing you need this tool in your arsenal 👈

KIT Intel gives you the ability to hunt, pivot, and discover new phishing kit activity across our full dataset.
👓 Let me show you around the tool...

🖥️ KIT Intel is all API driven.

Use the power of the command line
Plug KIT Intel straight into existing workflows

Automate, automate, automate... 🤖
KIT Intel has 3 endpoints🚦

🔴 Search- Look, hunt, and discover on any data point within a phishing kit
🟡 Submit- Push phishing kits to be analyzed and parsed. How many new kits can you discover?
🟢 Content- Download any files you want. Pull the threat actors source code SAFELY
Sounds interesting? Wait until you see what it can do live.

🔍 Let's go...!
Using the free CLI tool we can easily search through all our phishing kits at once...
📂🔍

Here we are searching for a kit hash. And we can see we have a hit.
Next we can pull back all the files contained within that one particular phishing kit 🗄️
Anti-bot files are frequently reused in multiple kits and with KIT Intel it is trivial to see which kits share the same file overlaps 📌
We are able to search for file hashes and then see which kits contain the same files within them.

📓 We have found one particular anti-bot file has been used in over 56 unique kits.

We can now use this information moving forwards...
We can also use KIT Intel to search for code content. We can search every single file in every single phishing kit for a single piece of code...
🦾

🥷 Let's look for a threat actors alias - 'xbalti'
Here we see we have hundreds of thousands of files which feature this string.

We can download this file using the content endpoint to see the raw code content 🔭
We can also perform other pivots in our data such as looking for filenames 📎

We can easily find kits which feature the same filename such as 'configg.php'
But what about directory or folder name overlaps 📁
We can search them as well!

Let's easily search for all kits which have the directory name '/ci_assetz/'
📩 Now let's look at the submission part.

If we have a phishing kit we can easily push this into KIT Intel with one command.
📩Interested in a trial? Send me a DM with your corporate email and I'll help you get started.

Note: KIT Intel is a commercial offering. We hope to provide a free license for individuals in the future✔️
If you have any questions feel free to DM me.

Follow me to see more pivots and phishing KIT Intel ♻️

✅This project wouldn't have been possible without @WMCGInsights backing

Thanks!
👍

#phishing #KITIntel #phishingKits

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Jake | JCyberSec_

Jake | JCyberSec_ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @JCyberSec_

Jake | JCyberSec_ Profile picture
19 Nov
So you want to learn about phishing kits 🧑‍🎓

🧵 In this thread I will highlight threat hunting skills and IoCs within phishing kits to look for ⤵️

Retweets are appreciated ♻️

🔍Follow me for more #phishing intelligence @Jcybersec_
📁What is a phishing kit?

When a threat actor wants to create a phishing page they will create the page on their own machine.
Zipping it up 🤐
And then putting this zip on a website to then deploy 🌐
🥷Building threat actors create these kits and sell them to other threat actors 💰

Deploying / Controlling threat actors put the kits online and then extract the content to instantly upload a working phishing site 🦹
Read 21 tweets
Jake | JCyberSec_ Profile picture
29 May 20
Phishing data analysis can provide an insight into victims and discreet campaign targeting tactics.📊

The following data has been extracted from multiple campaigns from the same SMS based phishing campaign targeting UK victims.📲

<THREAD>

#phishing #security #cyber Image
There is a total of 433 victims data analyzed in the research; however, not all fields were submitted or valid so total data ranges will vary throughout. Image
Chart 1 - Age of impacted victims 🎂

The year of birth for the victims with the most impacted being aged between 21-30yrs old. Notably it is not just elderly people who get impacted by phishing which is often assumed.

The second most impacted are victims aged 31-40yrs old. Image
Read 12 tweets
Jake | JCyberSec_ Profile picture
30 Apr 20
:: 16Shop Intelligence Thread ::

#16Shop is a prolific and one of the first #Phishing-as-a-Service (PaaS) offerings.

⚠️This is an intelligence thread on notable elements of the kit, the operation, how to test and detect the scam.

#THREAD
16Shop was initially detected in the wild in late 2017 by McAfee security researchers, this kit was using an Apple theme. 🖥️

Initially access to the kit was sold on Facebook 💰
The user selling 16Shop access was part of a group who are attributed as being the creators and main operators of 16Shop know as "Indonesian Cyber Army"💀
Read 14 tweets
Jake | JCyberSec_ Profile picture
3 Dec 19
:: Magecart Hunting Thread ::

This is a thread about how to hunt and find #Magecart infected sites using @URLscan. 💰💵

♻️Please retweet to help spread knowledge and feel free to add your own techniques, ideas, and suggestions.

⚠️THREAD⚠️
A brief overview of Magecart.

Magecart is an umbrella term for the technique of injecting JavaScript to steal credit card numbers on E-commerce sites. A number of actors/groups operate under the same term implanting JavaScript onto checkout pages all over the world.
To get started we need a foothold.
I have a hunt running looking for a known Magecart hash.

This morning a new site hit the search, looking at the site I then used the filename as a pivot. The filename which is infected with Magecart is "jquery_noconflict.js"
Read 15 tweets
Jake | JCyberSec_ Profile picture
31 Jul 19
:: Phishing Admin Panel Hunting Thread ::

In this thread we will find ways to hunt and attribute phishing admin panels.

This is a continuation from my #phishing hunting thread released earlier this year. ()

Please retweet to knowledge share among others.
Firstly we need to understand what an admin panel is in relation to phishing sites. There are many phishing-as-a-service (PaaS) offerings for threat actors to buy allowing them to quickly and easily deploy kits online. They normally consists of a threat actor buying an API key.
In this thread I will show you how to fingerprint some of the major panels, if you feel I have missed any let me know as I would love to keep this thread current and up-to-date on new threats.
Read 22 tweets
Jake | JCyberSec_ Profile picture
21 May 19
:: Phishing Hunting Thread ::

This is a thread about how to hunt and find #Phishing sites.
Retweets would be great to help spread the knowledge and please add your own techniques, ideas and suggestions.

Let's go hunting!
Firstly we need a site to use as a pivot. I have attached a number of sources at the bottom of this thread. For demonstration purposes we will use this site ::

hxxp://www.new.froid-guyader.fr/libraries/sharepointcontract/

This is a #Phishing site against Microsoft Office
Initially let's see if there is a #PhishingKit or #OpenDir on the domain. Enumeration on the domain is important. This is a example of sites to load and see ::

- hxxp://www.new.froid-guyader.fr/libraries/
- hxxp://www.new.froid-guyader.fr/
- hxxp://www.froid-guyader.fr/
Read 16 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @JCyberSec_ has new unrolls!

Check out other threads from @JCyberSec_!

Read all threads by @JCyberSec_

:(