Every November, something predictable happens. As millions of people start hunting for deals online, a different kind of hunting season opens up. Attackers spin up phishing kits by the thousands, targeting shoppers, shipping notifications, and payment portals. The volume spikes every year, and the kits keep getting more sophisticated.
But "sophisticated" gets thrown around a lot without explaining what that actually means. So let's open one up. This is a technical walkthrough of how a modern phishing kit works, from domain registration to credential theft, and what you can do to protect yourself during peak shopping season.
Step 1: Domain Registration and Typosquatting
Every phishing campaign starts with a domain. The attacker needs a URL that looks close enough to a legitimate brand that people will not look twice. This is called typosquatting, and the techniques are well-established.
Common approaches include:
- Character substitution. Replacing letters with visually similar ones: arnazon.com instead of amazon.com, or paypa1.com using a numeral one instead of a lowercase L.
- Homograph attacks. Using Unicode characters from other alphabets that look identical to Latin letters. A Cyrillic "a" and a Latin "a" are visually indistinguishable in most fonts, but they produce completely different domain names.
- Subdomain tricks. Registering something like amazon.account-verify.com so the first thing you read is "amazon" even though the actual domain is account-verify.com.
- TLD swaps. Using .shop, .store, or .deals instead of .com to create domains like target-holiday.shop.
Attackers register these domains through registrars that accept cryptocurrency and ask minimal questions. Many use bulk registration tools to grab dozens of variants at once. During the holiday season, they specifically target brand names associated with shipping (UPS, FedEx, USPS), retail (Amazon, Walmart, Best Buy), and payment (PayPal, Venmo, Zelle).
The domain is usually live within minutes of registration. That speed matters because the entire operation is a race against detection.
Step 2: Instant HTTPS with Let's Encrypt
Here is something most people still get wrong: the padlock icon in your browser does not mean a site is safe. It means the connection is encrypted. Those are very different things.
Let's Encrypt issues free SSL/TLS certificates to anyone who can prove they control a domain. The process is fully automated and takes about 30 seconds. There is no identity verification, no business validation, and no human review. An attacker registers arnazon-deals.com at 9:00 AM and has a valid HTTPS certificate by 9:01 AM.
The result is a phishing site with a padlock in the address bar. For years, security awareness training told people to "look for the padlock." That advice is now actively harmful because it creates a false sense of trust. Every phishing kit worth its salt includes automated certificate provisioning as a standard step.
The padlock means your connection to the attacker is encrypted. That is not the same as safety. Stop telling people to "look for the padlock" as a security check.
Step 3: HTML Cloning the Legitimate Site
The next step is making the phishing page look real. Modern kits do not rely on hand-crafted HTML anymore. They clone the target site directly.
Tools like HTTrack, wget --mirror, or custom scraping scripts pull down the entire front-end of a legitimate website: HTML, CSS, JavaScript, images, fonts, everything. The attacker gets a pixel-perfect copy of the login page, the shopping cart, or the account recovery flow. Some kits even pull assets dynamically from the real site's CDN, so the phishing page always reflects the latest design changes.
The only modifications the attacker makes are to the form submission targets. Instead of sending your credentials to amazon.com, the cloned form sends them to the attacker's server. Everything else looks and feels identical. The logos are right. The footer links work. Even the CAPTCHA may be real, proxied from the legitimate site to add another layer of credibility.
During the holidays, attackers clone specific pages that match the season: "Order Tracking" pages, "Delivery Failed" notifications, "Exclusive Holiday Deal" landing pages, and "Gift Card Balance" checkers. They know what people are expecting to see in their inbox.
Step 4: Credential Harvesting via Reverse Proxy
This is where things get serious. Basic phishing kits just collect your username and password and store them in a database. That was effective five years ago, but it fails against MFA. Modern kits use a reverse proxy approach, and the most well-known tool for this is Evilginx.
Here is how it works. The phishing site does not just look like the real site. It acts as a transparent middleman between you and the real service. When you enter your credentials on the phishing page, the proxy forwards them to the actual login server in real time. When the real server responds with an MFA challenge, the proxy passes that challenge back to you. You enter your MFA code, the proxy forwards it, and the real server authenticates the session.
At this point, the real server issues a session token (typically a cookie). The proxy captures that token before passing the authenticated page back to you. You see a successful login and might even land on your real account dashboard. Everything seems normal.
But the attacker now has your session token. They can inject it into their own browser and access your account as if they were you, without needing your password or MFA code again. The session is already authenticated.
A reverse-proxy phishing kit does not just steal your password. It steals your entire authenticated session, MFA and all. You log in successfully, and so does the attacker.
Step 5: Real-Time Session Token Replay
Speed is everything. Session tokens expire, and some services detect concurrent sessions from different locations. So modern phishing kits are built for instant replay.
The moment a victim authenticates through the proxy, the captured session token is transmitted to the attacker's infrastructure in real time. Some kits use WebSocket connections to push tokens immediately. Others write to a shared database that the attacker monitors with automated scripts.
The attacker (or more often, an automated tool) imports the session token into a browser within seconds. They might use a residential proxy in the same geographic region as the victim to avoid triggering location-based anomaly detection. More advanced operations rotate through headless browsers that mimic the victim's user agent string and browser fingerprint.
Once inside, the attacker works fast. They change the account's email address and phone number, add their own MFA device, scrape saved payment methods, place fraudulent orders, or use the account as a launching point for further attacks. In a business context, a compromised email account becomes a platform for business email compromise (BEC) attacks against the victim's contacts.
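The replay described in Steps 4 and 5 leaves a server-side trace: the same session token used by a second client identity within seconds of being issued. This added example (not from the original post) runs that check over constructed log lines; the log format and the five-minute window are assumptions for the demo.

```python
"""Detecting replayed session tokens from server-side logs.

Added example, not from the original post. The log lines are constructed for the
demo; real logs would come from your auth or application server.
"""
from datetime import datetime, timedelta

# Constructed sample: timestamp, session id (hash it in real logs), client IP, user agent
SAMPLE_LOG = """\
2024-11-29T09:00:02Z sid=a1f3 ip=203.0.113.10 ua=Chrome/130
2024-11-29T09:00:09Z sid=a1f3 ip=198.51.100.7 ua=Chrome/130
2024-11-29T09:00:15Z sid=b7c2 ip=203.0.113.22 ua=Firefox/132
2024-11-29T09:05:40Z sid=b7c2 ip=203.0.113.22 ua=Firefox/132
2024-11-29T09:06:01Z sid=c9e4 ip=192.0.2.5 ua=Safari/18
2024-11-29T10:30:00Z sid=c9e4 ip=192.0.2.77 ua=Safari/18
"""


def parse_line(line: str) -> dict:
    """Turn one 'ts key=value ...' line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_replays(log_text: str, window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Alert when a session id is used by a second (ip, ua) identity within `window` of first use."""
    first_seen = {}  # sid -> (timestamp, identity) of the first request carrying that token
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        sid, identity = rec["sid"], (rec["ip"], rec["ua"])
        if sid not in first_seen:
            first_seen[sid] = (rec["ts"], identity)
            continue
        t0, ident0 = first_seen[sid]
        if identity != ident0 and rec["ts"] - t0 <= window:
            alerts.append({"sid": sid, "first": ident0, "then": identity,
                           "seconds_after_first": int((rec["ts"] - t0).total_seconds())})
    return alerts
```

A kit that fronts its replay with a residential proxy near the victim and copies the user agent, as described above, will pass this identity check, so treat it as one signal alongside geo and device telemetry rather than a complete detection.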
Step 6: Data Exfiltration to Telegram Bots
Here is a detail that surprises people: many phishing kits send stolen credentials directly to Telegram. Not to a darknet server. Not to an encrypted email. To a Telegram bot.
The kit includes a simple API call to the Telegram Bot API. Every time a victim submits credentials, the kit sends a formatted message to a private Telegram channel with the victim's username, password, session token, IP address, user agent, and sometimes even a screenshot of what the victim saw.
Why Telegram? Because it is encrypted, it is free, it is accessible from any device, and it requires no infrastructure to maintain. The attacker does not need to set up a command-and-control server, manage a database, or worry about their exfiltration endpoint getting taken down. Telegram channels can be shared with buyers if the attacker is selling stolen credentials in bulk.
Some kits also exfiltrate to Discord webhooks, email dead drops, or Pastebin-style services. But Telegram has become the default for its combination of convenience, encryption, and resistance to takedown requests.
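A web server that hosts a login page has no business calling the Telegram Bot API or a Discord webhook, so an egress-proxy log is a good place to catch a kit that has landed on a host you own. This added example (not from the original post) flags the exfiltration channels named above in constructed log lines; the log format is an assumption, and the URL shapes are the services' public API formats.

```python
"""Spotting kit exfiltration in outbound web-server traffic.

Added example, not from the original post. The egress log lines are constructed;
the bot token and webhook secret in them are fake placeholders.
"""
import re

# Constructed egress-proxy sample: timestamp, source host, method, destination URL
SAMPLE_EGRESS = """\
2024-11-29T09:01:10Z web-01 POST https://api.telegram.org/bot123456:AAFexampleTOKEN/sendMessage
2024-11-29T09:01:11Z web-01 GET https://cdn.example-retailer.test/static/logo.png
2024-11-29T09:02:30Z web-02 POST https://discord.com/api/webhooks/111111/ZZZexampleZZZ
2024-11-29T09:03:00Z web-03 POST https://pastebin.com/api/api_post.php
2024-11-29T09:03:05Z web-03 GET https://api.example-retailer.test/cart
"""

# Exfil channels from the section above as URL patterns; group 1 is the secret to redact.
EXFIL_PATTERNS = {
    "telegram-bot-api": re.compile(r"https://api\.telegram\.org/bot([^/]+)/send\w+"),
    "discord-webhook": re.compile(r"https://discord(?:app)?\.com/api/webhooks/\d+/([^\s/]+)"),
    "pastebin-api": re.compile(r"https://pastebin\.com/api/api_post\.php()"),
}


def find_exfil(log_text: str) -> list[dict]:
    """Return one alert per outbound request that matches a known exfil channel, secret redacted."""
    alerts = []
    for line in log_text.splitlines():
        ts, host, _method, url = line.split(maxsplit=3)
        for channel, pattern in EXFIL_PATTERNS.items():
            m = pattern.search(url)
            if m:
                # Never copy the captured token into your own alerting pipeline.
                redacted = url.replace(m.group(1), "<redacted>") if m.group(1) else url
                alerts.append({"ts": ts, "host": host, "channel": channel, "url": redacted})
    return alerts
```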
How to Spot a Phishing Site in Under 10 Seconds
Now that you know how these kits work, here are five technical checks you can perform quickly before entering any credentials on a site. These work year-round, but they are especially important during the holiday shopping rush when you are clicking through more links than usual.
Check 1: Read the full domain name carefully
Do not glance at it. Actually read it. Look at every character. Is it amazon.com or arnazon.com? Is that an "l" or a "1"? Is the brand name in the subdomain or the actual domain? If the URL is amazon.security-check.com, the real domain is security-check.com, not Amazon. This single check catches the majority of phishing attempts.
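Here is the "read the full domain" check as code, so you can see what the eye has to do. This is an added example, not from the original post: SUFFIXES is a tiny stand-in for the Public Suffix List, BRANDS is a constructed brand dictionary, and the confusable table covers only the swaps discussed in Step 1.

```python
"""The "read the full domain" check from above, as code.

Added example, not from the original post. SUFFIXES is a tiny stand-in for the
Public Suffix List and BRANDS is a constructed brand dictionary.
"""
from urllib.parse import urlsplit

SUFFIXES = {"com", "net", "org", "shop", "store", "deals", "co.uk"}  # assumption: tiny PSL subset
BRANDS = {"amazon": {"amazon.com", "amazon.co.uk"}, "paypal": {"paypal.com"}, "target": {"target.com"}}
CONFUSABLES = {"rn": "m", "1": "l", "0": "o", "vv": "w"}  # look-alike sequences -> real letters


def registrable_domain(host: str) -> str:
    """Return the part you actually have to read, e.g. 'account-verify.com'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-n - 1:])
    return host.lower()


def normalize(label: str) -> str:
    """Undo confusable substitutions so arnazon -> amazon and paypa1 -> paypal."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def analyze_url(url: str) -> list[str]:
    """Return the red flags found in a URL; an empty list means none of these checks fired."""
    host = (urlsplit(url).hostname or "").lower()
    flags = []
    if not host.isascii() or "xn--" in host:
        flags.append("non-ASCII or punycode host (possible homograph)")
    domain = registrable_domain(host)
    base = domain.split(".")[0]
    subdomains = host[: -len(domain)].rstrip(".") if host != domain else ""
    for brand, real_domains in BRANDS.items():
        if domain in real_domains:
            continue  # the brand's own domain, nothing to flag
        if brand in subdomains:
            flags.append(f"'{brand}' appears only in a subdomain of {domain}")
        elif normalize(base) == brand:
            flags.append(f"{domain} looks like {brand} (confusable characters)")
        elif brand in base:
            flags.append(f"{domain} contains '{brand}' but is not a known {brand} domain")
    return flags
```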
Check 2: Inspect the certificate details
Click the padlock icon and view the certificate. A legitimate retailer's site will typically show an Organization (O) field with the company name, issued by a commercial certificate authority like DigiCert or Sectigo. A phishing site will show a Let's Encrypt certificate with no organization info. This is not definitive on its own (many legitimate small sites use Let's Encrypt), but combined with other signals, it is a strong indicator.
Check 3: Check the domain age
Phishing domains are almost always brand new. Run the domain through a WHOIS lookup (you can use whois.domaintools.com or just search "whois [domain]"). If the domain was registered three days ago but claims to be a major retailer, walk away. Legitimate businesses do not operate from domains registered last week.
Check 4: Look at where links actually point
Hover over buttons and links on the page without clicking. Your browser will show the destination URL in the bottom-left corner. On a cloned phishing page, many links will either point to the real site (because they were copied directly) or be broken. If the "About Us" link goes to amazon.com/about but the login form submits to arnazon-deals.com/capture, that mismatch is a dead giveaway.
Check 5: Try a fake login
If you are suspicious but not sure, enter a fake email address and a fake password. A real login system will reject invalid credentials. Many phishing kits accept anything you type and either redirect you to the real site or show a generic "your account has been secured" message. If you enter [email protected] with password 12345 and the site says "success," you are on a phishing page. The caveat is that this only catches kits that store credentials without checking them; a reverse-proxy kit like the one described in Step 4 forwards your fake login to the real server, which rejects it exactly as it normally would, so a rejection is not proof that a site is legitimate.
Proactive Defense: Monitor and Report
Spotting phishing sites is good. Preventing them from reaching people in the first place is better. Here are concrete steps you can take, both for yourself and for any brand you manage.
Set up Google Alerts for brand typosquats
If you run a business, create Google Alerts for common misspellings and variations of your domain name. Include character swaps, missing letters, and added words. For example, if your domain is mystore.com, set alerts for mystore-deals.com, my-store.com, mystoreonline.com, and similar variations. This will not catch everything, but it will flag some impersonation attempts early.
Services like DNSTwist and PhishFinder can automate this by generating every plausible typosquat of your domain and monitoring for registrations.
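To see what those tools generate, here is the Step 1 playbook (character substitution, dropped letters, hyphens, added words, TLD swaps) turned into a candidate list for your own brand, ready to feed into WHOIS monitoring or Google Alerts. This is an added example, not from the original post and not DNSTwist's code; the substitution table, keyword list and TLD list are assumptions for the demo.

```python
"""Generating the look-alike domains you would want alerts for.

Added example, not from the original post and not DNSTwist's code. The
substitution, keyword and TLD lists are assumptions for the demo.
"""
from itertools import product

SUBSTITUTIONS = {"m": ["rn"], "l": ["1", "i"], "o": ["0"], "w": ["vv"], "i": ["l"]}
ADDED_WORDS = ["deals", "holiday", "online", "account", "support"]
TLDS = ["com", "net", "shop", "store", "deals"]


def substitutions(label: str) -> set[str]:
    """One confusable swap at a time: mystore -> rnystore, myst0re, ..."""
    out = set()
    for i, ch in enumerate(label):
        for rep in SUBSTITUTIONS.get(ch, []):
            out.add(label[:i] + rep + label[i + 1:])
    return out


def omissions(label: str) -> set[str]:
    """Drop one character: mystore -> ystore, mstore, mytore, ..."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def hyphenations(label: str) -> set[str]:
    """Insert a hyphen at each interior position: mystore -> my-store, myst-ore, ..."""
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def added_words(label: str) -> set[str]:
    """Attach a keyword: mystore-deals, holiday-mystore, mystoreonline, ..."""
    out = set()
    for w in ADDED_WORDS:
        out.update({f"{label}-{w}", f"{w}-{label}", f"{label}{w}"})
    return out


def typosquats(domain: str) -> list[str]:
    """Sorted look-alike candidates for a domain such as 'mystore.com', excluding the domain itself."""
    label, _, _tld = domain.lower().partition(".")
    labels = {label} | substitutions(label) | omissions(label) | hyphenations(label) | added_words(label)
    candidates = {f"{lab}.{tld}" for lab, tld in product(labels, TLDS)}
    candidates.discard(domain.lower())
    return sorted(candidates)
```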
Report phishing sites to get them taken down
When you encounter a phishing site, reporting it matters. Here is where to report:
- Google Safe Browsing. Submit the URL at safebrowsing.google.com/safebrowsing/report_phish/. Google will flag it in Chrome, Firefox, and Safari within hours.
- PhishTank. Submit to phishtank.org. This is a community-driven database that many security tools reference.
- The domain registrar. Look up the registrar via WHOIS and submit an abuse report. Most registrars have an abuse contact email. They can suspend the domain entirely.
- Anti-Phishing Working Group (APWG). Forward phishing emails to [email protected].
- Your email provider. Use the "Report phishing" button in Gmail, Outlook, or whatever client you use. This improves filtering for everyone.
A single report can get a phishing domain blacklisted across browsers within hours. During the holidays, when these sites are popping up faster than usual, collective reporting is one of the most effective countermeasures available.
Why the Holidays Are Peak Season for Phishing
This is not a coincidence. The holiday shopping window creates the perfect conditions for phishing to thrive:
- Volume. People are clicking more links, visiting more sites, and entering payment information more frequently than any other time of year. The baseline of "normal" online activity goes up, which means suspicious activity is harder to distinguish.
- Urgency. "Your package could not be delivered" hits differently when you are actually waiting for 12 packages. "Last chance: 80% off" is more compelling when you are genuinely looking for deals. Attackers exploit the urgency that already exists during this season.
- Unfamiliar senders. You might ignore a random email from "Target" in March. But in December, when you have actually ordered from Target, FedEx is actually delivering your packages, and your PayPal account is actually active, those emails feel legitimate because they might be.
- Reduced scrutiny. People are busy, distracted, and moving fast. Security habits loosen when you are trying to finish shopping before a deadline. That is exactly the mental state attackers are counting on.
The combination of high volume, real urgency, and reduced attention creates an environment where even security-conscious people let their guard down. Attackers know this, and they time their campaigns accordingly.
The Bottom Line
A modern phishing kit is not a single trick. It is a pipeline: register a convincing domain, grab a free HTTPS certificate, clone the target site, proxy credentials through a reverse proxy to capture session tokens, and exfiltrate everything to Telegram in real time. The entire setup can be deployed in under an hour using freely available tools.
Knowing how the pipeline works makes you harder to fool. Read the full domain. Check the certificate. Verify the domain age. Hover before you click. And if something feels off, test it with fake credentials before entering real ones.
If you run a business, monitor for typosquats of your brand and report phishing sites when you find them. Every report helps shut down a kit faster and protects the next person who might have clicked.
Stay sharp this season. The deals are real, but so are the scams.