Buggy Phishing Kits Allow Criminals to Cannibalize Their Own

[silversurfer]

The vulnerable kits also offer a point of entry to compromise legitimate website servers.
 
They say it’s a dog-eat-dog world out there, but in cybercrime terms, perhaps it should be called a “phish-eat-phish” situation. Researchers recently discovered that several widely used phishing kits harbor vulnerabilities that can be exploited by other criminals to hijack operations – and commandeer any freshly stolen data.
 
Worse, compromised kits can be used as a pivot point to infiltrate legitimate websites that have been compromised to host the kits in the first place.
 
Researchers at Akamai have found holes in the installation stage of some phishing kits that would allow a second attacker to infiltrate and upload additional files, including any sort of executable code – as well as simply take over the operations of the kit.

“The kits included basic vulnerabilities due to flimsy construction or reliance on outdated open-source code …and web application vulnerabilities,” wrote Larry Cashdollar, Akamai researcher, in a posting on Wednesday, adding that criminals can scan for and discover vulnerable kits, which are often uploaded to a compromised WordPress or Joomla blog.

SOURCE: https://threatpost.com/buggy-phishing-ki...ze/145399/