Online Tools and Services for Wannabe Criminals: A Dangerous Trend

Pierluigi Paganini
August 9, 2017 by
Pierluigi Paganini

Hackshit PhaaS platform

Today it is quite easy to conduct any kind of attack without specific knowledge, for example, phishing campaigns using tools like Hackshit.

The Hackshit crimeware-as-a-service was discovered by the experts from Netskope Threat Research Labs in July; It is a Phishing-as-a-Service (PhaaS) platform that offers low cost, "automated solution for the beginner scammers."

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The platform allows wannabe crooks to launch a phishing campaign easily. Hackshit attracts new subscribers by offering them free trial accounts to review their limited set of hacking tutorials and tricks to make easy money.

"Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with ".moe" top level domain (TLD) to evade traditional scanners. ".moe" TLD is intended for the purpose of 'The marketing of products or services deemed.' The victim's credentials are sent to the Hackshit PhaaS platform via websockets. " states a blog post published by Netskope.

The PhaaS platform was discovered during research about the trends of CloudPhishing attacks, experts from Netskope observed a phishing page using data URI scheme to serve base64 encoded content (data:text/html;base64) delivered from "https://a.safe.moe."

Visiting the link, the researchers were presented a phished login page for Google Docs, once the victims have provided their credentials, they were redirected to a second phishing page whose source uses a data URI scheme to serve base64 encoded content (data:text/html;base64), also in this case from https://a.safe.moe.

This second phished page was designed to trick victims into providing recovery details of their email account. Once the victim has provided his details, he will be redirected to the original Google recovery page.

The experts decoded the two phishing pages and discovered that the credentials are sent to the attacker via a websocket to https://pod[.]logshit[.]com and https://pod-1[.]logshit[.]com.

"Accessing logshit[.]com led us to the discovery of the PhaaS website named Hackshit as shown in Figure Further research concluded the website is serving as a PhaaS platform," continues the blog post.

Figure 1 - Hackshit website

Hackshit is a PhaaS platform that offers various phishing services that could be used by crooks to customize their phishing campaign. Subscribers can easily generate their unique phishing pages for many popular services, including Yahoo, Facebook, and Gmail.

The discovery of Hackshit revealed another interesting aspect of the platform; it also implements a black marketplace to buy and sell such services.

"The marketplace is a portal that offers services to purchase and sell for carrying out the phishing attacks," Netskope researcher Ashwin Vamshi explained.

"The attacker then generates a phished page from the page/generator link and logs into the email account of the compromised victim, views all the contacts and sends an email embedded with the phished link."

The market allows a cyber criminal to purchase site login accounts obtained with a phishing attack; it allows payment using Perfect Money or bitcoins.

Experts also noticed that the Hackshit website uses an SSL certificate issued by the open certificate authority Let's Encrypt.

Operators behind the Hackshit PhaaS offer several subscription tiers from Starter to Master, ranging from 40 USD per week to 250 USD for 2 months.

Katyusha Scanner, a new SQLi Vulnerability Scanner

Experts at threat intelligence firm Recorded Future a few weeks ago discovered a fully automated SQLi vulnerability scanner, dubbed Katyusha Scanner, on a hacking forum. The tool was offered for sale for just $500, it allows mass scans, simply managed from a smartphone through the Telegram messenger.

Also, in this case, the tool was designed to allow anyone to use it, even without specific technical skills. It appeared in the hacking underground in early April, and according to the researchers, it was developed starting from the Arachni Scanner open source penetration testing tool.

To use the tool, the attackers just need to set up a standard web server with the version of the Arachni scanner that has been modified to allow the control of the operation through a linked Telegram account.

Authors of the Katyusha Scanner appear very active; they updated seven times the tool since its introduction online.

The Katyusha Scanner was offered under a Pro and a Lite version that go for between $250 and $500.

The Pro version leverages known exploits to hack into the system; once a SQL injection bug is found the tool notify it to the attacker via a text message that includes the site name, Alexa rating, and the number of available databases.

"On April 8, 2017, a Russian-speaking member of a top-tier hacking forum introduced "Katyusha Scanner," the powerful and fully automated SQLi vulnerability scanner that utilizes the functionality of Telegram messenger and Arachni Scanner, an open-source penetration testing tool," states the blog post published by RecorderFuture.

The released product, coupled with outstanding support and frequent updates, immediately gained popularity and accolades of grateful clients for an intuitive and straightforward interface, as well as incredible performance."

The seller is top tier Russian hackers frequently Russian speaking known in the hacking underground for selling data stolen from e-commerce websites, the forum where the tool is commercialized.

The tool could be controlled via Telegram; it allows operators to upload a list of target websites and launch the concurrent attack against them simultaneously.

The attackers can control the attack using almost every mobile OS.

"Interestingly, the name Katyusha was not chosen by chance — it represents an iconic multiple rocket launcher, developed by the Soviet Union during World War II known for inflicting panic in Nazi forces with its stealthy and devastating attacks. Similar to the very lethal weapon conceived 70 years ago, Katyusha Scanner allows criminals to initiate large-scale penetration attacks against a massive number of targeted websites with several clicks using their smartphones," continues the analysis.

The seller suggests starting with at least 500 target sites; attackers can issue commands to scan them for any known vulnerabilities. The Pro version also implements the capability of downloading any exfiltrated data available.

At the time of the discovery, the tool was already bought by at least 12/15 users who provided positive feedback on its efficiency.

The potential scale of the attacks that the tool can power is worrisome.

"When dozens buy it and initiate attacks every day, the potential fallout will be significant," Recorded Future director of advanced collection Andrei Barysevich said. "The scale of attacks which is available to criminals is quite unprecedented now. And the convenience of this; someone who wants to engage in this type of activity doesn't have to be a hacker, he doesn't have to know how certain tools operate or what exploit packs they should be using. The tool will do everything for them."

Recorded Future reported the discovery to law enforcement.

DDoS Tools availability Online

We have shown that it is quite simple and cheap paying to conduct SQL Injection attacks or to arrange phishing campaigns, what about DDoS attacks?

It is not a mystery, it is quite easy to find a booter and DDoS service online, according to a study conducted by the experts at Arbor's ASERT Team in 2016 a day attack with a DDoS booter costs $60 and can cause $720k in damage.

Sometimes booter or stressor services are sold as would-be legitimate tools for security professionals that need to test the resilience of their infrastructure to cyber attacks or their capacity to support a high-volume of traffic.

Unfortunately, criminal organisations continue to abuse booters for illegal DDoS attacks, one of the most popular examples is the one used by the LizardSquad hacking crew, the LizardStresser.

The popular security expert Brian Krebs and a research team discovered that the Lizard Stresser DDoS tool relies on compromised Home Routers, this is very common for such kind of illegal services.

DDoS tools require no apparent skills to be used, just providing the IP address it is possible to launch the attack. These tools are becoming more and more available on the Internet.

The Internet is full of places where it is also possible to find software and platform specifically designed to power DDoS attacks and the main concern is that in general many young people are downloading and using theses tools.

Many criminal organizations are spreading their vulnerable applications through more and more blatant means on mainstream social media were most younger generations reside.

Recently security experts from cyber research division at Frontline Cyber Security Ltd discovered several DDoS tools while surfing the web searching over some popular social media sites.

The experts discovered how easily accessible DDoS tools are to ordinary web users.

Distributed denial of service applications found by the experts (Details removed of download links, please contact us if you are a researcher / analyst. ) are:

  • LOIC RedCult Edition – RiskwareAgent – MD5 609db4b9154f9aee29a5ceb775bec655
  • RedCult Dose – Loic.7 – MD5 6d0abacacd4393f9b3e30b2ed3be316e
  • RC Doors – Malware.SDi.5EDF – MD5 b1465ff2711b3cc9c4c8faf414354e7d
  • exe – Win32.DarkKomet – MD5 606aeb40c65070d234e1617d1ab257ff
  • ddos_android – Android.SpyAgent – MD5 c99ccf4d61cefa985d94009ad34f697f

Here is an image of the Android application running fill out a few boxes and click send.


Figure 4 - Android DDoS app

The experts also obtained a list of targets the applications were released to attack and have also managed to collect screen shots of the tools in use against government sites.

Below are some images of the application being used in what appears to be one of many Anonymous Operations under the operation #OpIsrael.

The experts also collected info related to servers the tool was designed to attack but are unable to post it now.

The below image shows the application being shared and distributed

Regarding the above DDoS tools, the authorities have been notified and are assisting in having them removed.


The examples reported in this short article demonstrate that it is quite easy for an attacker to arrange a cyber attack even without specific technical skills.

The analysis of Hackshit demonstrated that crimeware-as-a-services represent a serious risk for businesses and end-users, it is bringing wannabe hackers into the cybercrime arena.

DDoS attacks, phishing campaigns, and SQL Injection attacks are among the most popular threats today to organizations and companies.

The availability of any kind of hacking tools and services online is making even more simple the entry of criminals into the cyber arena.






FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.


Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.