Do-it-yourself phishing kits found on the internet, reveals Sophos

Sophos Press Release
Web users who visit bogus phishing sites may have their credit card details stolen.

Sophos experts have discovered that do-it-yourself phishing kits are being made available for download free of charge from the internet.

Anyone surfing the web can now get their hands on these kits, launch their own phishing attack and potentially defraud computer users of the contents of their bank accounts.

These DIY kits contain all the graphics, web code and text required to construct bogus websites designed to have the same look-and-feel as legitimate online banking sites. They also include spamming software which enables potential fraudsters to send out hundreds of thousands of phishing emails as bait for potential victims.

Sophos researchers believe that hundreds of thousands of phishing emails are sent across the internet every day, each designed to defraud innocent computer users of their money, and the problem is growing. With phishing kits now becoming freely available over the net, Sophos predicts this worrying trend is set to continue.

"Until now, phishing attacks have been largely the work of organised criminal gangs; however, the emergence of these 'build your own phish' kits means that any old Tom, Dick or Harry can now mimic bona fide banking websites and convince customers to disclose sensitive information such as passwords, PIN numbers and account details," said Graham Cluley, senior technology consultant. "There is plenty of profit to be made from phishing. By putting the necessary tools in the hands of amateurs, it's likely that the number of attacks will continue to rise."

Sophos is urging computer users to be wary of any emails asking them to reconfirm sensitive financial information and advises that anti-spam software at the email gateway can prevent these unsolicited email messages from even reaching inboxes.

"Recipients of suspicious emails claiming to come from online banks should just delete them and should certainly not click on the links contained within the messages," continued Cluley. "Web hosts and ISPs can also play their part in the fight against phishers by closing down websites if they find these kits posted on their servers."

Sophos recommends companies protect themselves with a consolidated solution which can defend businesses from the threats of both spam and viruses.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at