Phishing kits are helping to dumb down the process of creating fraudulent websites. Back in the day, setting up a bogus facsimile of a banking site required a modicum of programming skills. No more.

Now the increasing prevalence of DIY fraud website creation kits means setting up a snare for unwary surfers takes about as much effort as setting up a personal website. Nine in ten (92 per cent) of 3,544 new phishing websites identified by IBM's X-Force security research team last week (something of a slow week, incidentally) were the product of phishing kits.

Phishing kits, which first arrived on the scene around two years ago, allow attackers with little technical skill to rapidly set up multiple phishing websites on a single host. Requiring only a small installation footprint, and capable of being seeded with off-the-shelf botnet agents, these phishing kits create a means for hackers to serve up multiple bogus banking websites on a single compromised host.

IBM compares the phenomenon of phishing websites to the appearance of virus creation toolkits in the late 1990s. The infamous Anna Kournikova worm of 2001, for example, was created by 20-year-old Dutch s'kiddie Jan de Wit, using a virus creation toolkit.

Hook, line and stinker

The widespread use of phishing kits comes as no great surprise. However, IBM's improved analytical techniques have yielded an added insight into cybercrime activity and helped to quantify the problem.

For example, IBM discovered that the 3,256 phishing kit sites tied back to 100 registered domains, almost a half (44 per cent) of which were registered in Hong Kong. This compares to the 276 registered domains used by the 288 custom-made phishing websites. More in an entry in IBM's X-Force blog here (http://blogs.iss.net/archive/PhishingKits.html). ®

Related stories

Instant trojan to worm toolkit sighted (18 June 2008)
http://www.theregister.co.uk/2008/06/18/trojan_worm_toolkit/
Shark 2 dumbs down Trojan creation (15 August 2007)
http://www.theregister.co.uk/2007/08/15/shark_trojan_creation_kit/
Crooks debut 'plug and play' phishing kit (10 July 2007)
http://www.theregister.co.uk/2007/07/10/plug_and_play_phishing/
Don't touch that Microsoft Security Bulletin email (28 June 2007)
http://www.theregister.co.uk/2007/06/28/outlook_bug_isnot/
For sale: Herman Munster's MasterCard number (22 June 2007)
http://www.theregister.co.uk/2007/06/22/munsters/
Austrian domain registrar 'aids' phishers (21 June 2007)
http://www.theregister.co.uk/2007/06/21/austrian_registrar_phishing_row/
Phishermen, not zombies, causing biggest security woes (20 June 2007)
http://www.theregister.co.uk/2007/06/20/mcafee_security_trends/
FBI logs its millionth zombie address (13 June 2007)
http://www.theregister.co.uk/2007/06/13/millionth_botnet_address/
The cheapest calling plan of all: Friends and Family on the company phone (10 June 2007)
http://www.theregister.co.uk/2007/06/10/no_personal_calls/
eBay's phishy old problem (6 June 2007)
http://www.theregister.co.uk/2007/06/06/ebay_phish_followup/
Google security vulnerabilties stack up (3 June 2007)
http://www.theregister.co.uk/2007/06/03/google_vulns_stack_up/
Gone phishing with eBay (25 May 2007)
http://www.theregister.co.uk/2007/05/25/ebay_bentley_phish/
Strange spoofing technique evades anti-phishing filters (25 May 2007)
http://www.theregister.co.uk/2007/05/25/strange_spoofing_technique/
Phishers add call forwarding to their arsenal (25 April 2007)
http://www.theregister.co.uk/2007/04/25/call_forwarding_phish/
Phishing attack evades bank's two-factor authentication (19 April 2007)
http://www.theregister.co.uk/2007/04/19/phishing_evades_two-factor_authentication/
University admins lend phishers a hand (18 April 2007)
http://www.theregister.co.uk/2007/04/18/university_phish_hack/
Phishers spread their nets (17 April 2007)
http://www.theregister.co.uk/2007/04/17/phishing_trends/
Demo neuters antiphishing measure (12 April 2007)
http://www.theregister.co.uk/2007/04/12/sitekey_bypass_demo/