
How phishing kits work and why they're getting harder to detect

Modern phishing kits are sold as ready-to-deploy packages on dark web forums. They include cloned login pages, anti-bot filters and even live victim dashboards. We break down how they're built, how they evade detection, and what that means for your brand.

A few years ago, launching a phishing campaign required real technical skill. You needed to clone a website, set up hosting, configure email delivery and avoid detection, all by hand. Today, you can buy a complete, ready-to-run phishing kit for very little money and have it live quickly. That shift has changed everything.

What is a phishing kit?

A phishing kit is a packaged bundle of files (HTML, CSS, JavaScript, PHP) that replicates a legitimate website's login page or checkout flow. The attacker deploys it on a compromised or newly registered domain, sends out lure messages (email, SMS, social media), and waits for victims to enter their credentials.

The credentials are captured in real time and forwarded to the attacker via email, Telegram bot or web panel. Some kits even relay credentials to the real site simultaneously, so the victim is logged in normally and never suspects anything happened.

💡
Key distinction

A phishing kit is the infrastructure. The phishing campaign is the delivery mechanism (emails, SMS, ads). Kits are reusable: the same kit can be deployed dozens of times across different domains.

Anatomy of a kit

Most modern kits share a common structure. Understanding it helps explain why they're so effective and why traditional detection methods struggle.

1. The clone layer

The visible part of the kit is a pixel-perfect copy of the target brand's login page. Attackers use automated tools to scrape the original site's HTML, CSS and images. Some kits even load assets directly from the legitimate site's CDN, so the page looks identical and passes basic visual inspection.

2. The capture layer

Behind the clone is a PHP script that intercepts form submissions. When a victim enters their username and password, the script logs the data, including IP address, browser fingerprint, timestamp and geolocation, before optionally forwarding the victim to the real site.

3. The delivery layer

Captured credentials are sent to the attacker via one or more channels: a dedicated email address, a Telegram bot (increasingly common), or a web-based admin panel included in the kit. Premium kits offer real-time notifications and victim tracking dashboards.

  • Low cost: typical cost on underground forums
  • Fast deploy: time to get a kit live
  • Anti-bot common: many kits include anti-bot filtering

How kits evade detection

This is where modern kits have become genuinely sophisticated. Evasion is no longer an afterthought; it is a core feature.

Anti-bot and anti-crawler filters

Most kits include IP blocklists targeting known security scanner ranges, cloud provider IP blocks (AWS, Google, Azure) and VPN exit nodes. When a request comes from a blocked IP, the kit serves a 404 page or redirects to the legitimate site, making automated scanning largely ineffective.

Geofencing

Kits can be configured to serve the phishing page only to visitors from specific countries. A campaign targeting Spanish bank customers, for example, might only activate for requests originating from Spain, blocking international security researchers entirely.

Time-limited deployment

Many campaigns run for hours or a few days before the domain is abandoned. This window is often shorter than the time it takes for traditional blocklist-based detection to propagate.

HTTPS and legitimate-looking domains

Free TLS certificates (Let's Encrypt) mean phishing sites now display the padlock icon. Combined with lookalike domains (homoglyphs, added hyphens or a different TLD), victims have fewer visual cues to identify fraud.

⚠️
The padlock problem

A significant percentage of users still associate the HTTPS padlock with a "safe" or "legitimate" site. Phishing kits exploit this directly: nearly all modern kits deploy with valid TLS certificates.

The phishing-as-a-service market

Phishing kits are no longer one-off tools; they're products with versioning, support channels and customer reviews. The market has matured into what researchers call Phishing-as-a-Service (PhaaS).

PhaaS platforms provide everything an attacker needs: kit templates for hundreds of brands, hosting infrastructure, email delivery, proxy networks to avoid detection and even customer support. The barrier to entry is now financial, not technical.

Some of the most widely observed PhaaS platforms in recent years have offered kits targeting major banks, logistics companies, telecoms and e-commerce platforms across Europe and Latin America, the exact regions where Notmining's customers operate.

"The commoditisation of phishing infrastructure means that any brand with online visibility is a potential target, regardless of size or sector."
— Notmining Research Team

What this means for your brand

The practical implication is straightforward: if your brand has a recognisable login page, checkout flow or customer portal, a kit targeting it probably already exists or can be created in hours.

The damage from a phishing campaign using your brand's identity is multi-layered:

  • Direct customer harm: victims lose credentials, money or personal data while believing they're interacting with you.
  • Reputational damage: customers who are defrauded associate the experience with your brand, not the attacker.
  • Support burden: your team handles the fallout, including account recovery, fraud claims and regulatory notifications.
  • Regulatory exposure: depending on jurisdiction, you may have notification obligations even when the breach occurred on infrastructure you don't control.

The window between a kit going live and causing significant harm is measured in hours, not days. Detection speed is everything.

How Notmining detects them

Traditional detection relies on user reports and blocklist updates, both of which lag behind the attack. Notmining takes a different approach: continuous monitoring of the signals that precede and accompany kit deployment.

Domain registration monitoring

We monitor newly registered domains in real time, flagging those that are visually or phonetically similar to your brand. Many phishing domains are registered shortly before a campaign launches — catching them at registration gives you time to act before any victim is reached.
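The lookalike patterns named above (homoglyphs, added hyphens, a different TLD) and the registration-feed triage described in this section can both be illustrated with a small scoring routine. The code below is an added example, not Notmining's detection logic: the brand name `examplebank`, its legitimate domains, the confusable-character table, the 0.85 similarity threshold and the sample registration feed are all constructed assumptions. Punycode (`xn--`) names are decoded with the standard library so that a Cyrillic homoglyph compares as text rather than as an opaque ASCII string.

```python
import re
from difflib import SequenceMatcher

# Hypothetical brand and its legitimate domains (assumptions for this example).
BRAND = "examplebank"
LEGIT_DOMAINS = {"examplebank.com", "examplebank.es"}

# Characters commonly swapped for Latin letters in lookalike domains.
# Constructed, deliberately short table; a production list (for example the
# Unicode confusables data) is far larger.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u00e1": "a", "\u00e9": "e", "\u00ed": "i", "\u00f3": "o",  # accented Latin
    "\u0131": "i",
}
# Multi-character sequences that read as one letter at a glance.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def to_unicode(domain):
    """Decode punycode (xn--) labels so homoglyph domains compare as text."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        # Already Unicode, or not valid IDNA: compare the raw string instead.
        return domain


def skeleton(label):
    """Fold a label to a canonical ASCII skeleton for comparison."""
    label = label.lower()
    for seq, letter in MULTI_CONFUSABLES.items():
        label = label.replace(seq, letter)
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    return re.sub(r"[^a-z0-9]", "", label)  # drops hyphens and other noise


def _verdict(domain, reason, score):
    return {"domain": domain, "reason": reason, "score": score}


def assess(domain):
    """Return a verdict dict if `domain` looks like a lookalike of BRAND, else None.

    Assumption: the registrable label is the second-to-last label; multi-part
    public suffixes such as .co.uk are not modelled here.
    """
    d = to_unicode(domain).lower().rstrip(".")
    if d in LEGIT_DOMAINS:
        return None
    labels = d.split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    target = skeleton(BRAND)
    sk = skeleton(sld)
    if sld == BRAND:
        return _verdict(domain, "brand label on a different TLD", 1.0)
    if sk == target:
        return _verdict(domain, "confusable-character substitution", 1.0)
    if target in sk:  # hyphens are stripped, so "examplebank-login" lands here
        return _verdict(domain, "brand embedded in the registrable label", 0.95)
    for label in labels[:-2]:
        if skeleton(label) == target:
            return _verdict(domain, "brand used as a subdomain of another domain", 0.9)
    ratio = SequenceMatcher(None, sk, target).ratio()
    if ratio >= 0.85:  # tuning assumption: catches transpositions and single typos
        return _verdict(domain, "near-miss spelling", round(ratio, 2))
    return None


def triage(domains):
    """Run assess() over a feed of newly registered names, most suspicious first."""
    hits = [v for v in (assess(x) for x in domains) if v]
    return sorted(hits, key=lambda v: -v["score"])


# Constructed sample feed, including one name supplied in punycode form.
SAMPLE_FEED = [
    "examplebank.com",                                        # legitimate
    "examplebank.net",                                        # different TLD
    "ex\u0430mplebank.com",                                   # Cyrillic 'а' homoglyph
    "ex\u0430mplebank.com".encode("idna").decode("ascii"),    # the same name as xn--
    "examp1ebank.com",                                        # digit 1 for letter l
    "examplebank-login.com",                                  # hyphenated
    "examplebank.com.verify-host.net",                        # brand as a subdomain
    "exampelbank.com",                                        # transposition
    "weather-report.org",                                     # unrelated
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(f'{hit["score"]:.2f}  {hit["domain"]:40} {hit["reason"]}')
```

The skeleton step is what makes the homoglyph, digit-for-letter and hyphen cases collapse onto the brand string; the edit-distance fallback only has to handle genuine typos, which keeps its threshold high and its false-positive rate low.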

Content fingerprinting

When a suspicious domain goes live, we analyse its content for structural and visual similarity to your brand's pages. This catches kits that load assets from your CDN or replicate your page structure exactly.
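One way to turn "structural similarity" into a number, and to surface the CDN-loading behaviour mentioned above, is to fingerprint the sequence of tags a page is built from and compare it to the brand's own page. The following is an added example, not Notmining's fingerprinting engine: the brand asset hosts, the 3-token shingle size, the 0.6 flag threshold and the three sample pages (a hypothetical brand login page, a suspected clone, an unrelated blog page) are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the brand legitimately serves assets from (assumption for this example).
BRAND_ASSET_HOSTS = {"cdn.examplebank.com", "www.examplebank.com"}
FLAG_THRESHOLD = 0.6  # tuning assumption


class StructureExtractor(HTMLParser):
    """Collect a tag-sequence fingerprint plus the signals a clone usually leaks."""

    def __init__(self):
        super().__init__()
        self.tokens = []        # ordered structural tokens
        self.asset_hosts = []   # hosts referenced by src/href attributes
        self.form_actions = []  # where each <form> posts to

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        token = tag
        if tag == "input":
            # input type and name are the most stable part of a login form
            token += f":{a.get('type') or 'text'}:{a.get('name') or ''}"
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        self.tokens.append(token)
        for key in ("src", "href"):
            host = urlparse(a.get(key) or "").hostname
            if host:
                self.asset_hosts.append(host.lower())


def fingerprint(html, k=3):
    """Parse `html`; return (set of k-token shingles, parser holding side signals)."""
    parser = StructureExtractor()
    parser.feed(html)
    parser.close()
    toks = parser.tokens
    shingles = {tuple(toks[i:i + k]) for i in range(max(1, len(toks) - k + 1))}
    return shingles, parser


def compare(reference_html, candidate_html, k=3):
    """Score how closely `candidate_html` mirrors the brand's `reference_html`."""
    ref, _ = fingerprint(reference_html, k)
    cand, parser = fingerprint(candidate_html, k)
    union = ref | cand
    jaccard = len(ref & cand) / len(union) if union else 0.0
    brand_hosted = sorted({h for h in parser.asset_hosts if h in BRAND_ASSET_HOSTS})
    return {
        "structural_similarity": round(jaccard, 2),
        "brand_hosted_assets": brand_hosted,   # assets pulled from the real CDN
        "form_actions": parser.form_actions,   # a clone posts somewhere else
        "flagged": jaccard >= FLAG_THRESHOLD,
    }


# Constructed sample pages.
BRAND_LOGIN_PAGE = """<html><head><title>Sign in</title>
<link rel="stylesheet" href="https://cdn.examplebank.com/css/login.css"></head>
<body><div class="wrap"><img src="https://cdn.examplebank.com/img/logo.png">
<form action="/auth/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<button type="submit">Sign in</button></form></div></body></html>"""

SUSPECT_PAGE = """<html><head><title>Sign in</title>
<link rel="stylesheet" href="https://cdn.examplebank.com/css/login.css"></head>
<body><div class="wrap"><img src="https://cdn.examplebank.com/img/logo.png">
<form action="login.php" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="hidden" name="campaign" value="c1">
<button type="submit">Sign in</button></form></div></body></html>"""

UNRELATED_PAGE = """<html><head><title>Blog</title></head>
<body><article><h1>Post</h1><p>text</p>
<a href="https://blog.example.net/next">next</a></article></body></html>"""

if __name__ == "__main__":
    print(compare(BRAND_LOGIN_PAGE, SUSPECT_PAGE))
    print(compare(BRAND_LOGIN_PAGE, UNRELATED_PAGE))
```

Tag shingles are robust to the small edits a kit author makes (an extra hidden field, a renamed CSS class) while still separating a clone from an unrelated page; the asset-host and form-action signals are what distinguish "looks like the brand" from "is the brand".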

Infrastructure correlation

Phishing campaigns often reuse hosting infrastructure, nameservers and SSL certificate patterns. By correlating these signals across campaigns, we can identify new deployments faster, even when the domain itself is novel.
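The correlation idea can be shown as a small pivot over the three signal types named above: shared nameservers, a shared /24 address block, and a certificate whose subject alternative names overlap a known deployment. This is an added example, not Notmining's correlation model; the known-deployment records, the new observations, the per-signal weights and the 0.5 verdict threshold are constructed assumptions, and the addresses use the documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).

```python
from ipaddress import ip_address, ip_network

# Constructed records of kit deployments confirmed in earlier campaigns.
KNOWN_DEPLOYMENTS = [
    {
        "domain": "examplebank-verify.com",
        "nameservers": ["ns1.bulkdns.example", "ns2.bulkdns.example"],
        "ip": "203.0.113.14",
        "cert_sans": ["examplebank-verify.com", "www.examplebank-verify.com"],
    },
    {
        "domain": "examplebank-secure.net",
        "nameservers": ["ns1.bulkdns.example", "ns2.bulkdns.example"],
        "ip": "203.0.113.21",
        "cert_sans": ["examplebank-secure.net", "www.examplebank-secure.net"],
    },
    {
        "domain": "shop-deals.example.org",   # unrelated site, kept as a control
        "nameservers": ["ns1.otherdns.example", "ns2.otherdns.example"],
        "ip": "198.51.100.9",
        "cert_sans": ["shop-deals.example.org"],
    },
]

# Per-signal weights; tuning assumptions, not measured values.
WEIGHTS = {"nameservers": 0.4, "ip_block": 0.3, "cert_sans": 0.3}


def correlate(observation, known=KNOWN_DEPLOYMENTS, threshold=0.5):
    """Link a newly seen domain to known deployments by shared infrastructure."""
    ns = frozenset(x.lower() for x in observation["nameservers"])
    block = ip_network(observation["ip"] + "/24", strict=False)
    sans = {x.lower() for x in observation["cert_sans"]}
    linked = []
    for k in known:
        hits = []
        if frozenset(x.lower() for x in k["nameservers"]) == ns:
            hits.append("nameservers")
        if ip_address(k["ip"]) in block:
            hits.append("ip_block")
        if sans & {x.lower() for x in k["cert_sans"]}:
            hits.append("cert_sans")   # one certificate covering both names
        if hits:
            linked.append({
                "domain": k["domain"],
                "signals": hits,
                "score": round(sum(WEIGHTS[h] for h in hits), 2),
            })
    linked.sort(key=lambda m: -m["score"])
    score = linked[0]["score"] if linked else 0.0
    return {
        "domain": observation["domain"],
        "score": score,
        "linked": linked,
        "verdict": "likely the same operator" if score >= threshold
                   else "no infrastructure link",
    }


# Constructed observations: a novel domain with no brand term in its name,
# and a genuinely unrelated one.
NOVEL_OBSERVATION = {
    "domain": "client-area-update.net",
    "nameservers": ["ns1.bulkdns.example", "ns2.bulkdns.example"],
    "ip": "203.0.113.77",
    "cert_sans": ["client-area-update.net", "examplebank-verify.com"],
}
UNRELATED_OBSERVATION = {
    "domain": "garden-tools.example.com",
    "nameservers": ["ns1.gooddns.example", "ns2.gooddns.example"],
    "ip": "192.0.2.5",
    "cert_sans": ["garden-tools.example.com"],
}

if __name__ == "__main__":
    print(correlate(NOVEL_OBSERVATION))
    print(correlate(UNRELATED_OBSERVATION))
```

The point of the example is the first observation: its name contains nothing that a brand-string match would catch, yet it shares nameservers and an address block with two known deployments and appears in the same certificate as one of them, which is enough to link it before any lure is sent.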

Real detection time

In a recent case, the Notmining platform detected multiple lookalike domains targeting a regional bank shortly after registration, before any phishing emails were sent.

Key takeaways

  • Phishing kits have turned a technical attack into a commodity; any brand is a viable target.
  • Modern kits actively evade scanners, blocklists and manual review through anti-bot filters, geofencing and short deployment windows.
  • The PhaaS market means kits are maintained, updated and supported like commercial software products.
  • Detection must happen at the domain registration and infrastructure level, not after victims report fraud.
  • Continuous monitoring is the only reliable defence against kit-based phishing at scale.