This approach has an obvious drawback: if directory listing is enabled on the web server, other Internet users (including the targeted financial institutions) would be able to read those files. The countermeasure adopted by the fraudsters was the use of "drop-boxes", as shown below:
As highlighted by Andrea Del Miglio in this blog article, this way of collecting credentials is much more effective. The second generation of phishing kits I want to focus on introduced new and interesting features in order to guarantee a longer life for the attacks. Some of the features included preventing security companies from accessing the websites, which made the analysis of the deployed code much more difficult.
Because online fraud-prevention service providers usually rely on automated techniques to validate phishing attacks, a fake HTTP 404 "Page Not Found" is often returned when the connection originates from one of these security companies, as shown in the example below. The fraudster is then notified via email when such an event occurs, allowing him or her to immediately collect all of the harvested credentials and move the attack to a new compromised web server.
Slowing down phishing kit analysis is another objective the fraudsters are trying to achieve. The sample shown in the picture below performs several iterations of the following functions in order to obfuscate the PHP source code:
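The picture of the obfuscated kit is not reproduced here, so the following is an added analyst-side example (not code from the article or from any real kit) showing how the layered `eval(f1(f2('...')))` pattern is unwound. It assumes the common PHP helpers `base64_decode`, `gzinflate`, `gzuncompress`, `str_rot13` and `strrev`, which is a generic choice rather than the exact set the article shows; the sample it decodes is constructed inside the script from a harmless `echo` statement.

```python
import base64
import codecs
import re
import zlib

# Decoder side: PHP functions commonly chained in obfuscated kits, mapped to Python
# equivalents. Assumption: this set is generic, not the exact list from the article's picture.
def _rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")

DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda d: zlib.decompress(d, -15),   # raw DEFLATE, like PHP gzinflate()
    "gzuncompress": zlib.decompress,                  # zlib-wrapped, like PHP gzuncompress()
    "str_rot13": _rot13,
    "strrev": lambda d: d[::-1],
}

# Encoder side: only used to build the constructed sample (and for the reader's own tests).
def _deflate(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

ENCODERS = {
    "base64_decode": base64.b64encode,
    "gzinflate": _deflate,
    "gzuncompress": zlib.compress,
    "str_rot13": _rot13,
    "strrev": lambda d: d[::-1],
}

_NAMES = "|".join(DECODERS)
# One layer of the onion: eval( f1( f2( ... 'literal' ... ) ) );
LAYER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:" + _NAMES + r")\s*\(\s*)+)(['\"])([^'\"]*)\2(?:\s*\))+\s*;?"
)


def peel_layer(src: str):
    """Decode the outermost eval(...) layer in src. Returns (new_src, chain) or None."""
    m = LAYER_RE.search(src)
    if not m:
        return None
    chain = re.findall(r"[a-z0-9_]+", m.group(1))   # written order: outermost first
    data = m.group(3).encode("latin-1")
    for name in reversed(chain):                     # runtime order: innermost first
        data = DECODERS[name](data)
    decoded = data.decode("latin-1")
    # Splice the decoded code in place of the eval() call so surrounding code survives.
    return src[: m.start()] + decoded + src[m.end():], chain


def deobfuscate(src: str, max_layers: int = 50):
    """Peel eval() layers until none match. Returns (final_source, list of peeled chains)."""
    peeled = []
    for _ in range(max_layers):
        step = peel_layer(src)
        if step is None:
            break
        src, chain = step
        peeled.append(chain)
    return src, peeled


def obfuscate(php_code: str, chain):
    """Wrap php_code in one eval(f1(f2(...('literal')))) layer. `chain` is written
    outermost-first, so encoders run in that order; the last entry must be base64_decode
    so the literal stays printable ASCII."""
    assert chain[-1] == "base64_decode"
    data = php_code.encode("latin-1")
    for name in chain:
        data = ENCODERS[name](data)
    nest = "".join(f"{name}(" for name in chain)
    return f"eval({nest}'{data.decode('ascii')}'{')' * len(chain)});"


# Constructed sample: a harmless payload wrapped in three layers, standing in for a kit's
# obfuscated index.php. This is not real kit code.
PLAIN = 'echo "deobfuscated";'
SAMPLE = "<?php " + obfuscate(
    obfuscate(obfuscate(PLAIN, ["gzinflate", "base64_decode"]),
              ["str_rot13", "strrev", "base64_decode"]),
    ["gzuncompress", "base64_decode"])

if __name__ == "__main__":
    code, layers = deobfuscate(SAMPLE)
    for i, chain in enumerate(layers, 1):
        print(f"layer {i}: eval({'('.join(chain)}(...))")
    print(code)
```

Because the decoded text is spliced back in place of the `eval()` call, code that sits outside the call (for example a drop-box address or a blocklist check elsewhere in the file) is preserved across iterations, and the list of peeled chains doubles as a fingerprint of the obfuscator that built the kit. Literals containing quote characters or non-ASCII bytes, which some kits use in the outermost layer, are deliberately not matched by the regex; those need a hand-written first pass.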