‘TodayZoo’ Phishing Kit Cobbled Together From Other Malware

A phishing operation has cut and pasted components of at least five other phishing kits to create its own attack platform, sending out password-reset and fax-and-scanner notifications in significant campaigns earlier this year, according to researchers with the Microsoft 365 Defender Threat Intelligence Team.

The TodayZoo kit, as Microsoft dubbed the framework, appears to extensively use code from another kit, known as DanceVida, while other components significantly match the code from at least five other phishing kits. Microsoft first discovered the phishing kit in December 2020, but a series of major campaigns in March and June 2021 attempted to steal credentials from Microsoft users, leading the company’s threat intelligence team to analyze the kit.

The cybercriminal tool, called a “Franken-phish” because of its use of parts from other phishing kits, seems to bring together different components of other phishing tools rather than use a phishing-as-a-service offering, says Tanmay Ganacharya, partner director for security research at Microsoft Defender.

“Ultimately, phishing kits — similar to malware — are increasingly modular and sometimes defy clean family attribution as a result,” he says. “Other kits that are similar and have shared code are also well-protected at this time, but we see new kits and phish pages daily that defy standard naming as they morph so quickly.”

Phishing continues to be an extremely popular way of harvesting sensitive information and legitimate credentials from unwary users. Successful attacks are less likely to come through an e-mail client and more likely to target mobile users, according to a report released this week by Jamf, a provider of enterprise management tools for Apple computers and devices. Around 10% of users on mobile devices have clicked on a phishing link in the past year, an increase of 160% over the past 12 months, the company states in its “Phishing Trends Report 2021.” 

The most popular brands targeted by phishing attacks in 2021 included Apple, PayPal, Amazon, and Microsoft, the report states.

“Phishing attack delivery has evolved far beyond poorly-worded emails offering ‘unclaimed lottery winnings,’”…