The Expanding Dark Web Toolkit Using AI to Fuel Modern Phishing Attacks

The availability of dark web phishing kits and advanced cyber tools is making it easier than ever for novices to develop their malicious capabilities.


There has never been a more accessible route to becoming an expert-level cybercriminal than now due to widely available dark web resources that support phishing scams. These resources include online phishing kits and templates that allow a curious novice to create very convincing hoaxes. Unfortunately, the dark web provides a robust marketplace for stolen data, which further supports these budding criminals in their malicious schemes.

Phishing attacks frequently begin with a threat actor using ready-made phishing kits or prepackaged tools that streamline and greatly simplify the beginning phases of an attack. The kits are designed to decrease the technical barrier to entry and often include all the components an attacker requires when trying to trick victims into disclosing sensitive information, such as deceptive login pages, scripts, and email templates.

Templates in phishing kits also include pre-designed websites that look authentic, making it simple for attackers with limited technical expertise to run scams quickly and efficiently. With the rise of GenAI, combined with access to dark web forums and marketplaces where sophisticated tools can be purchased, novice script kiddies can interact with expert threat actors to expand their knowledge. They can also buy toolkits that advance and hone their skills, eventually becoming expert-level threat actors who conduct intricate and meticulous operations.


Underpinning the Scam

Hosting and server providers are critical enablers of phishing attacks, providing the infrastructure for fraudulent activities such as hosting fake websites, sending phishing emails, and managing malware via command-and-control (C2) servers. To counter these dangers, cybersecurity specialists and hosting providers must collaborate more closely, improve detection, and tighten monitoring.

Attackers use both legitimate hosting providers and illicit bulletproof hosting providers to remain anonymous, avoid discovery, and prolong their scam activities. These services are accessible, affordable, and scalable, allowing people with only modest technical skills to conduct sophisticated phishing attacks.

While analyzing multiple phishing and scam URLs, our researchers detected several high-profile hosting and server providers empowering these attacks. Some examples include Private Alps, Alex Hosting, EliteTeam, FlyHosting, FiberGrid, Warez-Host, Ultahost, PSB-Hosting, RDP.Monster and Anon RDP.

Databases Add Fuel to Attacks

Databases available on Telegram and the dark web are also essential tools for phishing attackers, providing access to massive amounts of stolen personal and financial information. These databases, frequently offered at low costs, contain sensitive data such as email addresses, passwords, and credit card details, which are used to build tailored phishing operations.

Crypter Tools Enhance Stealth Mode

Enter crypter tools. Phishing assaults have also become more sophisticated regarding stealth with the introduction of Fully Undetectable (FUD) tools and crypters. These advanced techniques circumvent typical security measures, making malware and malicious payloads in phishing websites and kits invisible to antivirus software and detection systems.

In particular, crypters that encrypt malicious code can effectively avoid signature-based detection while remaining functional when executed. This stealth capacity is critical for modern phishing tactics as it allows attackers to enter systems, steal valuable information, and retain persistence while remaining under the radar of traditional cybersecurity defenses.

The Expanding Toolkit

Malicious programs known as infostealers attempt to obtain sensitive information from infected devices, such as login credentials, credit card numbers, and other personal data. Infostealers are frequently deployed alongside phishing campaigns to increase the amount of data collected from victims.

Remote access trojans, or RATs, give attackers illegal access to a victim's device, enabling remote control and manipulation. Once inside, an attacker can exfiltrate data, install other malware, or use the victim's device as a launchpad for future attacks. RATs are an effective tool in a phishing attacker's arsenal, allowing attackers to maintain persistent access to infected systems.

Attackers can also employ reverse proxies to intercept and modify traffic between users and genuine websites. When used in phishing attacks, reverse proxies collect login credentials or defeat multi-factor authentication (MFA) by posing as a go-between for the victim and the legitimate website.
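The reverse-proxy bypass described above works because most MFA factors (codes, push approvals) are not bound to the site the user is actually on, so a relay can forward them. Origin-bound MFA such as WebAuthn/FIDO2 closes that gap, and the following added example sketches why; it is not code from the original article, every value in it is constructed, and it substitutes an HMAC for the authenticator's real asymmetric signature so that it runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json
# Constructed values. Real WebAuthn signs with an asymmetric key (e.g. ECDSA);
# HMAC is a stand-in here only so the example runs on the standard library.
RP_ORIGIN = "https://login.example.com"   # the only origin the RP accepts
AUTH_KEY = b"constructed-authenticator-secret"
AUTH_DATA = b"\x00" * 37                  # placeholder rpIdHash/flags/counter

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def browser_assert(challenge: str, page_origin: str) -> dict:
    # The browser, not the page, records the origin the user is really on,
    # and the authenticator's signature covers the hash of that record.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    signed = AUTH_DATA + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTH_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": b64url_encode(client_data), "signature": b64url_encode(sig)}

def rp_verify(assertion: dict, expected_challenge: str) -> str:
    # Relying-party checks in WebAuthn order: challenge, origin, then signature.
    client_data = b64url_decode(assertion["clientDataJSON"])
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return "rejected: bad type or challenge"
    if cd.get("origin") != RP_ORIGIN:
        return "rejected: origin mismatch"
    signed = AUTH_DATA + hashlib.sha256(client_data).digest()
    expected = hmac.new(AUTH_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(assertion["signature"])):
        return "rejected: signature invalid"
    return "accepted"

def proxy_rewrite_origin(assertion: dict) -> dict:
    # A relay that edits the origin to look legitimate changes the hash the
    # signature covers, so the signature no longer verifies.
    cd = json.loads(b64url_decode(assertion["clientDataJSON"]))
    cd["origin"] = RP_ORIGIN
    return {"clientDataJSON": b64url_encode(json.dumps(cd).encode()), "signature": assertion["signature"]}

def run_scenarios() -> dict:
    challenge = b64url_encode(b"constructed-random-challenge")
    direct = browser_assert(challenge, RP_ORIGIN)
    relayed = browser_assert(challenge, "https://login.example-com.net")  # constructed lookalike
    return {"direct": rp_verify(direct, challenge),
            "relayed": rp_verify(relayed, challenge),
            "rewritten": rp_verify(proxy_rewrite_origin(relayed), challenge)}
```

Only the direct login is accepted: a relayed assertion carries the lookalike origin, and an assertion whose origin was edited in transit fails the signature check, which is what makes this factor phishing-resistant where codes and push approvals are not.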

As the popularity of cryptocurrencies has grown, so has the creation of specialized tools for stealing digital assets. Drainers are known tools built exclusively for the purpose of emptying cryptocurrency wallets. They are frequently disseminated through phishing emails or fraudulent websites, luring users to disclose wallet credentials or send funds to the attacker's address.

The Rise of Zero-Click Attacks

Zero-click attacks are swiftly becoming one of the most significant cybersecurity threats. Unlike typical phishing tactics, these attacks exploit system vulnerabilities without requiring user involvement, allowing attackers to easily infiltrate devices. Once a vulnerability is exploited, attackers can access a device, install malware, and steal sensitive data without requiring the victim to click a link or open an attachment. The stealthiness of these attacks makes detection and prevention extremely difficult.

A notable example is the CVE-2024-30103 vulnerability, which demonstrates the increased risk posed by zero-click threats. This vulnerability affects major messaging apps, allowing attackers to take over devices by sending specially crafted messages. Because of a vulnerability in how communications are processed, the victim's device can be compromised as soon as the message is received, with no user intervention required.

Malicious Use of AI and GPT Models

Cybercriminals are also using AI to automate and improve their phishing attempts, resulting in even more convincing and sophisticated schemes. AI-powered models can create convincing emails, mirror known contacts’ writing styles, and even engage in real-time discussions to deceive victims into disclosing sensitive data. GPT models, for instance, are being used to create highly tailored phishing messages, rendering standard detection systems ineffective.

Mitigation: An ounce of prevention is worth a pound of cure

Phishing is no longer limited to simple social engineering approaches; it has grown into a complex, multi-layered attack vector that employs dark web tools, AI, and undetectable malware. The availability of phishing kits and advanced cyber tools is making it easier than ever for novices to develop their malicious capabilities.

Stopping these attacks can be tricky, given how convincing the websites and emails can appear to users. However, organizations and individuals must be vigilant in their efforts and continue to use regular security awareness training to educate users, employees, partners, and clients on the evolving dangers. All users should be reminded never to give out sensitive credentials in response to emails, and never to click unfamiliar links or respond to unfamiliar phone calls or messages. Using a zero-trust architecture for continuous verification is essential, as is maintaining vigilance when visiting websites or social media apps.

Additionally, modern threat detection tools employing AI and advanced machine learning can help to understand incoming threats and flag them before a user ever interacts with them. The use of MFA and biometric verification has a critical role to play, as do regular software updates and immediate patching of servers and known vulnerabilities. Ensure encryption of all communications and sensitive data, and collaborate with hosting providers to take down phishing sites quickly.

Defending against these risks should involve implementing proactive security measures, training, and ongoing monitoring. Only by remaining vigilant and proactive can organizations effectively protect against the constantly shifting terrain of common cyberattacks like phishing scams.

About the Author

Abhilash Garimella, Vice President of Research and Security Operations, Bolster

Abhilash Garimella is vice president of Research and Security Operations at Bolster. His work includes cybersecurity, online fraud detection, threat hunting, and applied machine learning, as well as leading the threat intelligence and SOC teams at Bolster to detect and take down digital threats. Abhilash was the original scientist at Bolster to develop models for automated threat detection and response. He has a master's in Computer Engineering and Deep Learning. Prior to Bolster, Abhilash conducted threat research at McAfee.
