Criminals can now deploy phishing sites on any type of web server, even when commonly used server-side technologies such as PHP are not supported.

Phishing kits are predominantly implemented in PHP, as this provides the server-side functionality required to store and transmit stolen credentials without publicly revealing where they are being sent.

PHP is a widely used platform and is often supported on low-cost or compromised hosting platforms. Consequently, very few phishing kits are implemented in any other server-side language. For example, only a very small number of phishing kits have even been written in ASP.NET to run on Microsoft web servers.

An example of a typical phishing kit. It contains server-side PHP scripts, plus other resources such as fonts, stylesheets, and client-side JavaScript files.

We also see relatively small numbers of kits that do not contain any server-side scripts but do still rely on a PHP script to ultimately process their stolen data. These kits use static HTML pages to impersonate the targeted organisation, with web forms that submit stolen credentials directly from the victim’s browser to a PHP script hosted on a central remote “dropsite”. The PHP script then logs or forwards the stolen credentials to the criminal, typically via email, Telegram or Discord.

However, some recent phishing kits have gone one step further and eliminated the need for PHP scripts anywhere along the chain, thus eliminating a single point of failure that is inherent when hosting your own dropsite.

An example of a PHP-less phishing kit. It contains only images and static HTML pages which submit stolen credentials directly from the victim’s browser to a Telegram chat.

These new kits expand the range of hosting options open to the phisher, as they can be deployed on any static content hosting platform, regardless of what operating system it’s …