Phishing schemes fool even careful people. Deceptive messages lead their victims to a website that looks like a legitimate login page for a well-known website. The victim thinks it's the real site and enters a username and password. The password goes to a server run by criminals, where they can use it later on. Meanwhile, the fake site redirects the target to the real site. It may display a message such as "Invalid login, try again." The victim shrugs, tries again, and logs in. It works as if there had never been anything wrong beyond a slip of the fingers.
Where do these fake pages live? Sometimes they are on servers belonging to the thieves. However, those servers get blocked if the thieves keep them running for long. A more devious approach is to infiltrate a legitimate site and place the page there. The page doesn't do anything obviously harmful by itself. It just accepts some user input and redirects the user to another site.
Making the scam work requires several steps that aren't easy. The first step is to create malware that can get access to a target site. Then it's necessary to create a convincing imitation of a legitimate login page. The URL needs to be disguised so that it seems valid at a quick glance. A server needs to be set up to collect personal information.
Unfortunately, criminals can save steps by buying a phishing kit on Dark Web sites. The kit provides them with convincing fake pages, which they can upload once they've penetrated a site. These pages not only look like the real thing but also collect passwords, credit card numbers, and other confidential information that the victims enter.
The kit doesn't affect the existing pages on the target site, so the site looks normal to regular users. It's only people who follow the link from an email message who will see the bogus page. Unless the site owner scans for files that shouldn't be there or abnormal traffic, the infiltration could go unnoticed. If it isn't removed, eventually the site will be blacklisted for hosting a phishing page.
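The file scan mentioned above, as an added example that is not part of the original article: it records a baseline of hashes for every file under the web root and later reports files that have appeared since, which is how an uploaded kit shows up when the existing pages are untouched. The directory layout and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Return files added, changed and removed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(f for f in set(baseline) & set(current)
                     if baseline[f] != current[f])
    return {"added": added, "changed": changed, "removed": removed}


def demo():
    """Constructed web root: record a baseline, drop in extra files, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }")
        baseline = build_manifest(root)  # keep this copy off the web server

        # Constructed stand-in for an uploaded kit: new files only,
        # the site's own pages are left untouched.
        kit = root / "images" / "secure-login"
        kit.mkdir(parents=True)
        (kit / "index.php").write_text("placeholder")
        (kit / "post.php").write_text("placeholder")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

The baseline is only trustworthy if it is stored somewhere an intruder with write access to the site cannot alter it.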
Some phishing kits do other tasks as well, such as sending out email messages to lure people in. Gaining access to the site is usually a separate operation, done by a backdoor or by acquiring an administrator password.