No fewer than 1,220 Man-in-the-Middle (MitM) phishing websites have been discovered targeting popular online services such as Instagram, Google, PayPal, Apple, Twitter, and LinkedIn, with the goal of hijacking users' credentials and carrying out further follow-on attacks.
The findings come from a new study undertaken by a group of researchers from Stony Brook University and Palo Alto Networks, who have demonstrated a new fingerprinting technique that makes it possible to identify MitM phishing kits in the wild by leveraging their intrinsic network-level properties, effectively automating the discovery and analysis of phishing websites.
Dubbed “PHOCA” — named after the Latin word for “seals” — the tool not only facilitates the discovery of previously unseen MitM phishing toolkits, but also can be used to detect and isolate malicious requests coming from such servers.
Phishing toolkits aim to automate and streamline the work required by attackers to conduct credential-stealing campaigns. They are packaged ZIP files that come with ready-to-use email phishing templates and static copies of web pages from legitimate websites, allowing threat actors to impersonate the targeted entities in a bid to trick unsuspecting victims into disclosing private information.
But the increasing adoption of two-factor authentication (2FA) by online services in recent years has meant that these traditional phishing toolkits are no longer an effective way to break into accounts protected by the extra layer of security: a stolen password alone is not enough to log in. Enter MitM phishing toolkits, which go a step further by altogether obviating the need to maintain "realistic" web pages. Instead of serving a static copy, the kit sits as a reverse proxy between the victim and the real site, relaying the genuine pages in real time and capturing the credentials, the 2FA response and the resulting authenticated session cookie as they pass through.
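The page only says that PHOCA fingerprints MitM kits by their "intrinsic network-level properties"; the specific features the tool uses are not given here. The following is an added illustration, not PHOCA's code or the researchers' method, of one such property that any reverse-proxy kit exhibits by construction: the proxy terminates the victim's TLS session itself, so the TLS handshake time only reflects the victim-to-proxy path, while the first HTTP response additionally has to wait for the proxy's own round trip to the real site. The host names, timings and the 2.0 ratio cut-off are all constructed for the example.

```python
"""Timing heuristic for spotting a reverse-proxy (MitM) phishing front end.

Added illustration (not PHOCA's code). A MitM phishing kit terminates the
victim's TLS session and then opens its own connection to the real site for
every request. The TLS handshake therefore measures only victim<->proxy
latency, while the first HTTP response also includes the proxy<->origin round
trip. The ratio of the two exposes the extra hop.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Probe:
    host: str
    tls_handshake_ms: tuple    # repeated TLS handshake completion times (ms)
    http_first_byte_ms: tuple  # repeated request -> first response byte times (ms)


def hop_ratio(probe: Probe) -> float:
    """median(HTTP first-byte time) / median(TLS handshake time).

    A directly served site lands near 1.0: one round trip plus server work.
    A proxied site is noticeably higher because the HTTP phase carries the
    proxy's onward round trip that the handshake never saw.
    """
    tls = median(probe.tls_handshake_ms)
    http = median(probe.http_first_byte_ms)
    if tls <= 0:
        raise ValueError("TLS handshake time must be positive")
    return http / tls


# Assumed cut-off for this illustration, not a value taken from PHOCA.
PROXY_RATIO_THRESHOLD = 2.0


def classify(probe: Probe, threshold: float = PROXY_RATIO_THRESHOLD) -> str:
    """Label a probe 'likely-mitm-proxy' or 'direct' from its hop ratio."""
    return "likely-mitm-proxy" if hop_ratio(probe) >= threshold else "direct"


def scan(probes) -> dict:
    """Classify a batch of probes, keyed by host."""
    return {p.host: classify(p) for p in probes}


# Constructed measurements: made-up hosts and timings, not real captures.
DIRECT_SITE = Probe(
    "login.example-bank.test",
    (41.0, 39.5, 40.2, 42.1, 40.8),
    (44.0, 46.3, 45.1, 47.9, 44.6),
)
PROXIED_SITE = Probe(
    "login.example-bank-secure.test",
    (38.4, 37.9, 39.1, 38.7, 38.0),
    (151.2, 148.9, 155.0, 149.7, 152.3),
)


if __name__ == "__main__":
    for p in (DIRECT_SITE, PROXIED_SITE):
        print(f"{p.host:35s} ratio={hop_ratio(p):.2f} -> {classify(p)}")
```

Medians rather than means are used so that a single retransmission or GC pause in one sample does not flip the verdict. The heuristic is deliberately coarse: a CDN edge with a slow origin, or a legitimate site with heavy server-side work, will also score high, so in practice a timing signal like this is one feature among several rather than a verdict on its own.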