An open source Adversary-in-The-Middle (AiTM) phishing kit has found new users in the cybercrime world for its ability to make cyberattacks at scale. Microsoft Threat Intelligence is tracking the threat actor behind the development of the kit under its emerging name DEV-1101. An AiTM phishing attack typically involves a threat actor attempting to steal and intercept a target's password and session cookies by deploying a proxy server between the user and the website.
Such attacks are more effective owing to their ability to circumvent multi-factor authentication (MFA) protections. DEV-1101, per MS, is said to be the party behind several phishing kits that can be purchased or rented by other criminal actors, thereby reducing the effort and resources required to launch a phishing campaign. "The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime," a Microsoft researcher noted in a technical report.
The service-based economy that fuels such offerings can also result in double theft, wherein the stolen credentials are sent to both the Phishing-as-a-Service (PaaS) provider as well as their customers. The open source kit from DEV-1101 comes with features that make it possible to set up phishing landing pages mimicking Microsoft Office and Outlook, and even manage campaigns from mobile devices and even use CAPTCHA checks to evade detection.
The service, since its debut in May 2022, has undergone several enhancements, chief among them being the ability to manage servers running the kit through a Telegram bot. It currently has a price tag of $300 for a monthly licensing fee, with VIP licenses costing $1,000.
DEV-1101 began advertising its AiTM phishing kit in May 2022 through a Telegram channel and a cybercrime forum called exploit[.]in.
- The kit, which is written in NodeJS, comes with PHP reverse-proxy capabilities, automated setup, and anti-evasion techniques.
- It includes a wide range of readymade phishing pages that mimics services such as Microsoft Office and Outlook.
- In June 2022, the hacker made several enhancements to the kit with a $100 monthly licensing fee.
- Towards September 2022, DEV-11-1 added a new ability to manage servers in the kit through a Telegram bot, due to which the tool became widely popular among attackers.
Microsoft said it has detected numerous high-volume phishing campaigns spanning millions of phishing emails per day from various actors that leverage the tool. This includes an activity cluster named DEV-0928 that MS described as one of "DEV-1101's more prominent patrons" and which has been linked to a phishing campaign comprising over one million emails since September 2022. The attack sequence begins with document-themed email messages containing a link to a PDF document
DEV-0928, one of the premium patrons of DEV-1101, used the kit to launch a phishing campaign involving over one million emails.
- The attack started with a phishing email that prompted users to click on the pdf file.
- Clicking on the pdf file redirected users to phishing pages that mimicked the login page of Microsoft.
- The kit cleverly inserts a CAPTCHA page into the phishing sequence and which hackers bypass through human-machine interaction.
Although these AiTM attacks are designed to bypass MFA, it's crucial that organizations adopt phishing-resistant authentication methods, such as using FIDO2 security keys, to block suspicious login attempts.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
source: https://thehackernews.com/2023/03/microsoft-warns-of-large-scale-use-of.html
Comments