Phishing kit

A phishing kit is a ready-made package of code and templates that lets a low-skill attacker stand up a convincing fake login or payment page in minutes.

How it works

Kits bundle pixel-accurate clones of popular brand login pages, the code to capture and exfiltrate what victims type, and often evasion features that hide the page from scanners. They are sold or rented on criminal markets, which is why the same brand templates appear again and again across unrelated campaigns.

Recognizable kit fingerprints help defenders cluster and find related phishing sites.

How it relates to brand impersonation

Phishing kits industrialize brand impersonation, turning your login page into a commodity that anyone can deploy. The pages they produce are lookalike sites, which is the kind of abuse that monitoring and takedowns address.

How nebty helps

nebty detects the pages phishing kits generate against your brand and takes them down on demand, so a cheap kit does not stay online harvesting your customers.

Why kits help defenders too

A phishing kit lowers the skill needed to run a campaign, but the same standardisation that helps attackers also helps the people hunting them. Because a kit is reused across many campaigns, its pages share recognisable artefacts: the same file and folder names, the same exfiltration code, the same quirks in how the brand template is reproduced. Researchers fingerprint these and use them to cluster otherwise unrelated phishing sites, find new ones faster, and sometimes locate the back-end where stolen data is sent. Kits often include evasion built in, such as blocking known security-scanner addresses or showing a blank page to anything that does not look like a real victim, which is why capturing evidence quickly matters. For a brand, the practical takeaway is that the pages a kit produces against you are detectable lookalikes, and removing them on demand stops the kit from paying off.
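The clustering idea described above, as an added example (not nebty's code or any researcher's actual tooling): each observed site is reduced to a set of artefacts, namely its resource paths plus a hash of its whitespace-normalised exfiltration script, and sites whose sets overlap strongly are grouped as one kit. The host names, file names, script strings and the 0.6 threshold are all constructed assumptions.

```python
import hashlib
from itertools import combinations

def fingerprint(paths, exfil_code):
    """Artefact set for one site: lower-cased resource paths plus a hash of
    the exfiltration script with whitespace and case differences removed."""
    normalised = "".join(exfil_code.split()).lower()
    digest = hashlib.sha256(normalised.encode()).hexdigest()[:16]
    return {p.lower().strip("/") for p in paths} | {"exfil:" + digest}

def jaccard(a, b):
    """Share of artefacts two sites have in common (0.0 to 1.0)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster(sites, threshold=0.6):
    """Single-linkage clustering via union-find: any two sites whose
    fingerprints overlap by at least `threshold` land in the same group."""
    parent = {name: name for name in sites}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for a, b in combinations(sites, 2):
        if jaccard(sites[a], sites[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in sites:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())

# Constructed observations; every host, path and script string is hypothetical.
SITES = {
    "login-a.example.test": fingerprint(
        ["/assets/brand.css", "/inc/gate.php", "/inc/blocker.php", "/img/logo_2x.png"],
        "post(form, '/inc/gate.php')"),
    "secure-b.example.test": fingerprint(  # same kit, one extra file, reformatted script
        ["/assets/brand.css", "/inc/gate.php", "/inc/blocker.php", "/img/logo_2x.png",
         "/index2.html"],
        "post( form,\n  '/inc/gate.php' )"),
    "pay-c.example.test": fingerprint(     # unrelated kit
        ["/static/main.css", "/submit/send.php", "/img/header.jpg"],
        "send(data, '/submit/send.php')"),
}

if __name__ == "__main__":
    for group in cluster(SITES):
        print(group)
```

Single-linkage grouping chains similar sites together, so a lower threshold finds more variants of a kit at the cost of merging kits that only share a common brand asset.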
