The anatomy of a phishing kit
Modern phishing is industrialised. Understanding how a kit is packaged explains why single-URL takedowns fail and cluster takedowns work.
Phishing at scale isn't hand-built. Attackers buy or download a kit, a packaged set of files that recreates a target's login page and exfiltrates the captured credentials to the operator. Understanding how the kit is put together explains why some takedown strategies fail and others work.
What's in the box
A typical kit bundles:
- Cloned front-end — the HTML, CSS, and images copied from the real login page.
- A harvesting script — usually PHP, which captures the submitted credentials and emails or POSTs them to the attacker.
- Evasion logic — typically a blocklist of scanner IP ranges and user-agent strings plus geofencing, so that security crawlers and anyone who looks like a researcher get a blank page or a redirect while the intended victims see the lure.
- A deployment config — so the whole thing can be dropped onto a new host in minutes.
Why kits leave fingerprints
Because the same kit is reused across many campaigns, it leaves consistent traces: an identical favicon hash, the same directory structure and file names, a reused TLS issuer, a shared hosting ASN. Not all of these weigh the same. The favicon and directory layout are artefacts of the kit itself and rarely match by accident; the TLS issuer and ASN are shared with enormous numbers of legitimate sites and only corroborate. Combined, those fingerprints are a gift to defenders: they let you find every domain running the same kit, including hosts where the kit is staged but no lure has been sent yet.
The takedown implication
This is exactly why removing a single reported URL accomplishes so little. The attacker has a deployment config; a new host is minutes away. The effective move is to:
- Fingerprint the kit and enumerate the whole cluster.
- File abuse reports against the shared infrastructure the cluster depends on: the hosting provider, and, where the domains are attacker-registered rather than compromised legitimate sites, the registrar.
- Monitor for redeployment using the same fingerprints.
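The enumeration and redeployment-monitoring steps above, as an added Python example that is not part of the original article: it clusters observed hosts by weighted kit fingerprints, treating favicon hash and directory layout as strong signals and TLS issuer and ASN as weak corroboration, then checks whether a newly seen host matches a known cluster. The host names, favicon bytes, paths, issuers and ASNs are constructed sample data, and the signal weights and threshold are assumptions to tune against your own observations.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

# Kit-specific artefacts are strong evidence; infrastructure-level ones are weak,
# because Let's Encrypt certificates and large hosting ASNs are shared with
# countless legitimate sites. Weights and threshold are assumptions to tune.
SIGNAL_WEIGHTS = {"favicon": 3, "paths": 3, "tls_issuer": 1, "asn": 1}
CLUSTER_THRESHOLD = 4  # one strong signal plus corroboration, or both strong signals


def favicon_hash(favicon_bytes: bytes) -> str:
    """Hash of the raw favicon bytes; byte-identical copies of the kit's icon match."""
    return hashlib.sha256(favicon_bytes).hexdigest()[:16]


def path_signature(paths) -> str:
    """Order-independent signature of the kit's directory layout."""
    return hashlib.sha256("\n".join(sorted(paths)).encode()).hexdigest()[:16]


def fingerprint(obs: dict) -> dict:
    """Reduce one host's observations to the four comparable signals."""
    return {
        "favicon": favicon_hash(obs["favicon"]),
        "paths": path_signature(obs["paths"]),
        "tls_issuer": obs["tls_issuer"],
        "asn": obs["asn"],
    }


def similarity(fp_a: dict, fp_b: dict) -> int:
    """Weighted count of signals two fingerprints share."""
    return sum(w for k, w in SIGNAL_WEIGHTS.items() if fp_a[k] == fp_b[k])


def cluster(hosts: dict, threshold: int = CLUSTER_THRESHOLD) -> list:
    """Group hosts whose pairwise similarity meets the threshold (union-find)."""
    fps = {h: fingerprint(o) for h, o in hosts.items()}
    parent = {h: h for h in hosts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(hosts, 2):
        if similarity(fps[a], fps[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for h in hosts:
        groups[find(h)].append(h)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def matches_known_kit(obs: dict, known_hosts: dict, threshold: int = CLUSTER_THRESHOLD) -> list:
    """Redeployment check: the known hosts a newly observed host shares a kit with."""
    fp = fingerprint(obs)
    return sorted(h for h, o in known_hosts.items() if similarity(fp, fingerprint(o)) >= threshold)


# Constructed sample observations (not real campaigns): two kits and one benign site.
KIT_A_FAVICON = b"\x00\x00\x01\x00\x01\x00kit-a-icon"
KIT_A_PATHS = ["/login.php", "/post.php", "/css/style.css", "/blocker/antibot.php"]
KIT_B_FAVICON = b"\x00\x00\x01\x00\x01\x00kit-b-icon"
KIT_B_PATHS = ["/index.php", "/next.php", "/assets/app.css", "/bots.php"]
BLOG_FAVICON = b"\x89PNGblog-icon"
BLOG_PATHS = ["/", "/about", "/feed.xml"]

SAMPLE_HOSTS = {
    "secure-login-update.example": {"favicon": KIT_A_FAVICON, "paths": KIT_A_PATHS,
                                    "tls_issuer": "Let's Encrypt", "asn": "AS64500"},
    "account-verify.example": {"favicon": KIT_A_FAVICON, "paths": KIT_A_PATHS,
                               "tls_issuer": "Let's Encrypt", "asn": "AS64501"},
    "mail-support.example": {"favicon": KIT_A_FAVICON, "paths": KIT_A_PATHS,
                             "tls_issuer": "ZeroSSL", "asn": "AS64500"},
    # Kit dropped but no lure sent yet: still part of the cluster.
    "staged-not-live.example": {"favicon": KIT_A_FAVICON, "paths": KIT_A_PATHS,
                                "tls_issuer": "ZeroSSL", "asn": "AS64502"},
    # Benign site sharing only the weak signals with the kit A hosts.
    "legit-blog.example": {"favicon": BLOG_FAVICON, "paths": BLOG_PATHS,
                           "tls_issuer": "Let's Encrypt", "asn": "AS64500"},
    # A different kit on the same provider: its own cluster, not kit A's.
    "other-kit.example": {"favicon": KIT_B_FAVICON, "paths": KIT_B_PATHS,
                          "tls_issuer": "Let's Encrypt", "asn": "AS64500"},
}

if __name__ == "__main__":
    for group in cluster(SAMPLE_HOSTS):
        print(len(group), group)
    fresh = {"favicon": KIT_A_FAVICON, "paths": KIT_A_PATHS,
             "tls_issuer": "GoGetSSL", "asn": "AS64503"}
    print("redeployment of known kit:", matches_known_kit(fresh, SAMPLE_HOSTS))
```

The threshold is what keeps the benign blog out of the cluster: it shares the certificate issuer and hosting ASN with the kit hosts, but never the kit's own artefacts, so it scores 2 and stays separate, while a host that moves to a different issuer and ASN but keeps the kit's favicon and layout still scores 6 and is caught as a redeployment.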
Treat phishing as the industrialised operation it is, and the strategy follows: don't chase pages, dismantle the kit's ability to redeploy.