Phishing kits fuel service-based cybercriminals

New research shows phishing operations now function as structured marketplaces built for scale and rapid monetization.

What happened

New research published by SecurityInfoWatch reports that phishing kits have become the backbone of a global, service-driven cybercrime economy. The analysis is based on a study that reviewed more than 8,600 discussions across underground forums, dark web marketplaces, and encrypted messaging platforms. Researchers found that phishing kits, especially multi-brand or combo kits, are now the primary tools used to conduct large-scale credential theft and account takeover campaigns across banking, e-commerce, and payment platforms.

Going deeper

The research shows that 43.8 percent of underground listings referenced phishing panels capable of impersonating multiple brands at once. These combo kits allow attackers to launch campaigns against several services simultaneously, reuse infrastructure, and shift targets quickly based on which brands convert fastest. Banking platforms appeared in more than eighty percent of multi-brand kits, followed closely by major e-commerce services and PayPal. The broad targeting model favors volume and speed, allowing attackers to collect credentials and move toward cash out with minimal setup time. Two platforms, EvilProxy and Typhoon 2FA, were repeatedly referenced and linked to a large share of recent phishing activity observed in the dataset.

In the know

Related coverage from Paubox has pointed to the growing use of platforms such as Tycoon 2FA, which are purpose-built to bypass two-factor authentication on Microsoft 365 and Gmail accounts. Researchers have tied the kit to large-scale campaigns that rely on adversary in the middle techniques to intercept live authentication sessions and steal valid session cookies. Distributed through private Telegram channels and supported by a wide rotating domain infrastructure, Tycoon 2FA proves how phishing tooling is being actively maintained and upgraded, with stealth and reliability treated as core features rather than optional enhancements.

The bottom line

Researchers say phishing operations now follow clear economic incentives rather than ad hoc tactics. They noted that attackers continually refine tooling based on performance, prioritizing techniques that shorten the time between credential theft and monetization. The report also found that phishing ecosystems include a wide range of participants, including brokers, bot operators, malware developers, and resellers, many of whom are not traditional hackers. From a technical standpoint, modern kits rely heavily on reverse proxy and adversary in the middle methods that capture live session cookies and bypass one-time passcodes, allowing account takeovers even when multi-factor authentication is enabled.

FAQs

What is a phishing kit?

A phishing kit is a packaged set of tools that includes fake login pages, hosting instructions, and data collection mechanisms that allow attackers to steal credentials with minimal technical effort.

Why are combo kits more popular than single-brand kits?

They let attackers target multiple services at once, increasing the chance of success and reducing the need to maintain separate infrastructure for each campaign.

How do modern phishing kits bypass multi-factor authentication?

Many use reverse proxy techniques that intercept authentication sessions in real time, allowing attackers to steal valid session cookies after a user logs in.

Who uses these kits?

Users range from experienced cybercriminals to resellers and first-time attackers, as kits are often sold with setup support and ongoing updates.

What should defenders focus on, given these trends?

Organizations should assume credential theft is possible, monitor for unusual session behavior, strengthen detection around authentication flows, and track emerging phishing infrastructure rather than relying only on link blocking.