Full Report
Community Feature - JCyberSec

Curated Intelligence member JCyberSec recently created an enlightening YouTube video analysing phishing kits designed to look like Royal Mail asking for a parcel delivery fee: "Royal Mail Phishing Kits Analysis Featuring Kr3pto and SpamItUp" (YouTube).

As JCyberSec correctly notes, the UK has been inundated with courier-themed credential phishing campaigns throughout 2021. The Royal Mail themed phishing scams were the first iteration of these campaigns to get public attention.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!
Analysis Summary
# Tool/Technique: Kr3pto and SpamItUp Phishing Kits
## Overview
This summary focuses on phishing kits, specifically **Kr3pto** and **SpamItUp**, which were used in credential phishing campaigns impersonating courier services, most notably **Royal Mail**, to trick victims into submitting delivery fee information and, consequently, their credentials.
## Technical Details
- Type: Tool (Phishing Kit)
- Platform: Web/Server-side (delivers phishing pages)
- Capabilities: Credential harvesting, phishing page hosting, SMS/email delivery orchestration.
- First Seen: Campaigns were observed throughout 2021; the source article is dated February 20, 2022.
## MITRE ATT&CK Mapping
The core activity aligns with initial access and collection tactics:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (listed because of the association with attachments; in these campaigns the *delivery mechanism* is usually an SMS or email leading to a malicious link)
    - T1566.003 - SMS Phishing (Smishing) (relevant because courier-themed lures are often delivered by SMS)
- **TA0009 - Collection**
  - T1119 - Automated Collection (if the kit automatically processes and collects the exfiltrated data)
## Functionality
### Core Capabilities
- **Impersonation:** Creating highly convincing fake websites designed to look like legitimate courier services (e.g., Royal Mail).
- **Lure Creation:** Used in phishing campaigns, often initiated via SMS (Smishing), instructing the user a parcel requires action/fee payment.
- **Credential Harvesting:** Collecting sensitive information entered by the victim on the fake portal (e.g., personal details, payment/login credentials).
### Advanced Features
- The source material references analysis by JCyberSec indicating that these kits mimic the official parcel tracking and payment flow convincingly enough to achieve high compromise rates in the identified campaigns.
## Indicators of Compromise
*The provided text does not contain specific IOCs (hashes, domains, IPs) for Kr3pto or SpamItUp, as it is a high-level summary referencing an external video analysis.*
- File Hashes: [Not specified in text]
- File Names: [Not specified in text]
- Registry Keys: [Not applicable/Not specified in text]
- Network Indicators: [Not specified in text, but would include C2 infrastructure hosting the kit pages]
- Behavioral Indicators: [Serving HTML/dynamic content simulating a courier service payment portal; sending collected data back to an attacker-controlled endpoint.]
## Associated Threat Actors
- [Threat actor groups using these specific, named kits are not detailed in this summary; the kits are, however, associated with the widespread courier-themed credential phishing campaigns seen in the UK during 2021.]
## Detection Methods
*Specific detection rules are not provided, but standard methods apply to phishing kits:*
- Signature-based detection: Signatures targeting known file structures or scripts associated with Kr3pto or SpamItUp if they have unique markers.
- Behavioral detection: Monitoring web servers for unusual POST requests accepting large amounts of user-submitted data, especially concerning login credentials or financial details, followed by redirection.
- YARA rules: [Not specified in text]
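The behavioural detection described above can be turned into a simple log heuristic. The following is an added example, not code from the original report or from JCyberSec's analysis: it parses Apache combined-format access log lines (a constructed sample, not real traffic) and flags a client that submits several POST requests to payment- or login-looking paths, each answered with a redirect, within a short window. That chained fee-form-then-card-form flow is the pattern a courier-themed kit produces; the path keywords, the window and the minimum POST count are assumptions to tune for your own site. The combined format does not record request body size, so the check keys on method, path and the 3xx response rather than on payload volume.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2022:10:01:02 +0000] "GET /track/parcel.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Feb/2022:10:01:40 +0000] "POST /track/fee.php HTTP/1.1" 302 0 "https://example.test/track/parcel.html" "Mozilla/5.0"
203.0.113.10 - - [20/Feb/2022:10:01:41 +0000] "GET /track/card.php HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Feb/2022:10:02:15 +0000] "POST /track/card.php HTTP/1.1" 302 0 "https://example.test/track/card.php" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2022:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2022:10:03:05 +0000] "POST /contact.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed path fragments typical of a fake delivery-fee / login portal (tune per site).
SENSITIVE_PATH_HINTS = ("fee", "pay", "card", "login", "verify", "billing", "redeliver")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "ts": datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": d["method"],
        "path": d["path"].lower(),
        "status": int(d["status"]),
    }


def find_harvest_candidates(log_text, window_seconds=300, min_posts=2):
    """Flag clients whose POSTs to sensitive-looking paths are each met with a
    3xx redirect and chained closely together (the kit's multi-stage flow)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec["ip"]].append(rec)

    findings = []
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        hits = [
            r for r in recs
            if r["method"] == "POST"
            and 300 <= r["status"] < 400
            and any(hint in r["path"] for hint in SENSITIVE_PATH_HINTS)
        ]
        if len(hits) < min_posts:
            continue
        span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds()
        if span <= window_seconds:
            findings.append({"ip": ip, "paths": [h["path"] for h in hits], "span_seconds": span})
    return findings


if __name__ == "__main__":
    for finding in find_harvest_candidates(SAMPLE_LOG):
        print(f"{finding['ip']}: {len(finding['paths'])} redirected POSTs "
              f"to {finding['paths']} within {finding['span_seconds']:.0f}s")
```

Run against a real log the function returns one finding per client that exhibited the chained pattern; the second client in the sample, whose single POST to a contact form got a 200, is not flagged. Legitimate checkout flows also redirect after POST, so this is a triage signal to pair with the expected paths of your own application rather than a standalone alert.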
## Mitigation Strategies
- User education against phishing, especially unsolicited SMS/emails requesting immediate action regarding parcel delivery fees.
- Implementing DMARC/SPF/DKIM to prevent email-based impersonation at the organization level (though less effective against SMS/personal attacks).
- Utilizing robust endpoint/network security solutions capable of blocking access to known phishing domains hosting these kits.
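The DMARC/SPF point above is only a mitigation when the records are set to enforce, and a common failure mode is publishing a monitoring-only policy and assuming the domain is protected. The following added example (not from the original report or Curated Intelligence) parses SPF and DMARC TXT records and reports the settings that leave impersonation of the domain possible, with a constructed weak record beside its corrected form for each. The record strings and the `example.test` domain are made up for illustration; as the summary notes, none of this affects SMS-delivered lures.

```python
# Constructed example records: a weak setting beside its corrected form.
WEAK_SPF = "v=spf1 include:_spf.example.test ~all"        # softfail: advisory only
STRONG_SPF = "v=spf1 include:_spf.example.test -all"      # hard fail for unlisted senders
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"            # monitor only
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"

# SPF terms that each cost one of the ten permitted DNS lookups (RFC 7208 section 4.6.4).
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
DMARC_POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_tagged_record(record):
    """Split a 'tag=value; tag=value' record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses in an SPF record; empty means enforcing."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("+all authorizes any host to send as this domain")
    elif last == "~all":
        issues.append("~all is a softfail; receivers without DMARC enforcement may still deliver")
    elif last == "?all":
        issues.append("?all is neutral and gives receivers no signal")
    elif last != "-all" and not last.startswith("redirect="):
        issues.append("record does not end with an all mechanism; unlisted senders are neutral")
    return issues


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record; empty means enforcing."""
    tags = parse_tagged_record(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in DMARC_POLICY_RANK:
        issues.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail that fails DMARC is still delivered")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and DMARC_POLICY_RANK.get(sub_policy, 0) < DMARC_POLICY_RANK.get(policy, 0):
        issues.append(f"sp={sub_policy} leaves subdomains weaker than the organisational domain")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the failing mail")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports revealing abuse are never received")
    return issues


if __name__ == "__main__":
    for label, record, check in (
        ("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf),
        ("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc),
    ):
        print(f"{label}: {check(record) or 'no issues'}")
```

In practice the records are fetched with a DNS TXT query for the domain and for `_dmarc.<domain>`; the checks above are the ones worth running periodically, since a record that drifts back to `p=none` or `~all` silently reopens the door to email impersonation of the organisation.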
## Related Tools/Techniques
- Other courier-themed phishing kits targeting global or regional postal services.
- General SMS-based phishing (Smishing) techniques.