Microsoft researchers have discovered an increasing trend in the use of phishing kits to launch Adversary-in-the-Middle (AiTM) attacks. One of these kits is being offered by a threat actor named DEV-1101, which has enabled various cybercriminals to launch several high-volume phishing campaigns.
About the phishing kit
DEV-1101 began advertising its AiTM phishing kit in May 2022 through a Telegram channel and a cybercrime forum called exploit[.]in.
- The kit, which is written in NodeJS, comes with PHP reverse-proxy capabilities, automated setup, and anti-evasion techniques.
- It includes a wide range of readymade phishing pages that mimics services such as Microsoft Office and Outlook.
- In June 2022, the hacker made several enhancements to the kit with a $100 monthly licensing fee.
- Towards September 2022, DEV-11-1 added a new ability to manage servers in the kit through a Telegram bot, due to which the tool became widely popular among attackers.
Attack method
DEV-0928, one of the premium patrons of DEV-1101, used the kit to launch a phishing campaign involving over one million emails.
- The attack started with a phishing email that prompted users to click on the pdf file.
- Clicking on the pdf file redirected users to phishing pages that mimicked the login page of Microsoft.
- The kit cleverly inserts a CAPTCHA page into the phishing sequence and which hackers bypass through human-machine interaction.
Glance at AiTM attacks from the past
A BEC campaign launched in August 2022 used AiTM attacks to hack Microsoft 365 accounts belonging to corporate executives. The attackers leveraged the evilginx2 proxy phishing framework to perform the AiTM attack.
In another instance, several newly registered domains were used as a part of the AiTM campaign that targeted enterprise users of Microsoft email services.
Conclusion
As AiTM phishing attacks attempt to circumvent MFA, organizations are advised to implement additional multiple layers of security for robust protection. Continuously monitoring systems for suspicious activity also helps eliminate the attack in the initial stage.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/5310_shutterstock_1916985977.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/44dc_shutterstock_352183106.jpg)
