How do phishing kits work?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you want to rob a bank but you've never robbed one before. Now imagine someone sells you a step-by-step kit with a disguise, a getaway route, and a script for what to say. That's essentially what a phishing kit is for cybercriminals.
A phishing kit is a pre-packaged bundle of files that lets someone launch a phishing attack with little to no technical knowledge. You don't need to code. You don't need to understand how servers work. You download the kit, follow the instructions, and you're running a fake login page that looks exactly like PayPal, Microsoft, or your bank.
Here's what a typical kit actually contains:
- Cloned HTML pages: A pixel-perfect copy of a real brand's login page. The attacker didn't build this. The kit includes it ready to go.
- Credential harvesting scripts: PHP or Python scripts that capture whatever the victim types into the fake form (username, password, credit card number) and forward it to the attacker's email or a hidden control panel.
- Email templates: Pre-written messages impersonating the target brand, complete with logos and formatting, designed to drive clicks to the fake page.
- Hosting instructions: A guide to deploying everything on a compromised server or cheap hosting, often with anti-detection tricks built in (like blocking security researchers by IP).
Some kits go further. Tools like Evilginx2 act as a reverse proxy, sitting between the victim and the real website. The victim thinks they're logging in normally. The kit silently intercepts the session and steals authentication tokens, which means even two-factor authentication doesn't protect the victim. (That's a genuinely uncomfortable thing to type out.)
Kits are sold and shared in criminal forums and dark web markets. Prices range from free (for basic versions) to a few hundred dollars for polished kits targeting specific brands. Some kit developers even offer customer support and updates when the target brand changes its design. It's a whole economy.
So the reason this matters for defenders is that kits standardize the attack. Because thousands of attackers are using the same templates, security researchers can identify patterns in the HTML, scripts, and headers that fingerprint specific kits. That's actually one of the few upsides: when a kit is widely used, it's also widely documented. Threat intelligence teams track kit families the same way antivirus teams track malware strains.
For your own protection and your users' protection, knowing how kits work changes how you think about phishing landing pages. The fake page your user lands on wasn't hand-crafted for them. It came off a shelf. That means the attack is probably hitting thousands of other people at the same time.
If you're worried about your domain being impersonated in one of these kits, a DMARC record won't stop the attacker from hosting a fake page, but it does stop them from sending phishing email that appears to come directly from your domain. That's worth setting up if you haven't already. You can check your current DMARC setup with our free DMARC generator, or drop into the SOS hotline if something looks off and you're not sure where to start.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.