Microsoft Issues Warning About Widespread Usage of Phishing Kits
Because of its capacity to plan large-scale attacks, an open source adversary-in-the-middle (AiTM) phishing kit has attracted a lot of adopters in the world of cybercrime. The threat actor that created the kit is being tracked by the Threat Intelligence team under the newly coined name DEV-1101.
In a typical AiTM phishing assault, a threat actor places a proxy server in between the user and the website in an effort to collect and intercept the target’s password and session cookies. Due to their ability to get around multi-factor authentication (MFA) security measures, particularly time-based one-time passwords, such assaults are more successful (TOTPs).
An actor tracked by Microsoft as DEV-1101 develops, supports, and advertises several AiTM phishing kits, including an open-source kit capable of circumventing MFA through reverse-proxy functionality. Get technical and protection info: https://t.co/ToWvyaBfBF
— Microsoft Security Intelligence (@MsftSecIntel) March 13, 2023
According to the tech giant, DEV-1101 is the person or entity behind a number of phishing kits that other criminal actors can buy or rent, hence lowering the work and resources needed to conduct a phishing campaign.
In a technical analysis, Microsoft stated that the availability of such phishing kits for purchase by attackers is a component of the industrialization of the cybercriminal economy and lowers the barrier to entry for cybercrime.
The dual theft can occur when the stolen credentials are provided to both the phishing-as-a-service provider and their clients is another risk associated with the service-based economy that supports such services.
Since its launch in May 2022, the service has undergone a number of improvements, the most significant of which is the ability to control the servers that operate the kit using a Telegram bot. The cost of a monthly licencing fee is presently $300, and VIP licences are $1,000.
Microsoft claimed to have found a number of high-volume phishing campaigns involving millions of phishing emails each day from multiple attackers who use the tool.Among these is a group of activities known as DEV-0928, which Redmond referred to as one of “DEV-1101’s more notable clients,” and which has been connected to a phishing campaign involving more than a million emails since September 2022.
The assault sequence begins with email messages with a document theme that contain a link to a PDF document. When the receiver clicks the link, the link takes them to a login page that appears to be Microsoft’s sign-in portal, but not before prompting them to pass a CAPTCHA phase.
According to Microsoft, adding a CAPTCHA page to the phishing sequence could make it more challenging for automated systems to reach the final phishing page, but a human could do it with ease.
Despite the fact that these AiTM attacks are made to avoid MFA, it’s critical for businesses to use phishing-resistant authentication strategies, including using FIDO2 security keys, to stop shady login attempts.
Author: Sayyam Gangwal