Inexperienced cybercriminals can easily find places to buy phishing kits in the open, on the “surface web” (as opposed to the deep or dark web), according to Jan Kopriva at the SANS Internet Storm Center. Kopriva set out to see how many of these kits he could find for sale on popular websites, and was able to find more than a hundred on YouTube alone after a single search. These YouTube videos offered demonstrations of the phishing kits’ functionality and pointed users to where they could purchase the kits.

“Of the 104 kits, 18 were offered free of charge (and at least one of these was backdoored – this wasn’t mentioned in the video description so it was probably intended as a surprise bonus feature),” Kopriva writes. “For 76 of them, price was available by e-mail/ICQ/Telegram/Facebook only and the 10 remaining ones ranged in price from $10 to $100. The 86 ‘commercial’ phishing kits were offered by 21 sellers, with the most prolific one of them being responsible for 22 different scam pages.”

The kits spoofed a wide range of services, with Office 365, PayPal, Amazon, and Netflix appearing most frequently. Each of the offerings contained various functionalities, and some included tutorials for new scammers.

“Some of the videos were offering e-mail templates, access to complex phishing platforms, or tutorials in addition to the scam pages themselves, either as part of a bundle with specific phishing kit or at a premium,” Kopriva says. “Similar selection of additional tools and other materials was available on external e-commerce platforms, where some the kits shown off in the videos were sold.”

Kopriva’s research demonstrates how easy it’s become for aspiring criminals to launch effective phishing attacks with minimal technical skills. New-school security awareness training can enable your employees to identify and thwart these types of attacks.