Researchers Demonstrate New Way to Detect MITM Phishing Kits in the Wild

November 16, 2021, by administrator

No fewer than 1,220 Man-in-the-Middle (MitM) phishing websites have been discovered targeting popular online services such as Instagram, Google, PayPal, Apple, Twitter, and LinkedIn, with the goal of hijacking users' credentials and sessions and carrying out follow-on attacks.

The findings come from a new study by researchers from Stony Brook University and Palo Alto Networks, who demonstrate a fingerprinting technique that identifies MitM phishing kits in the wild by leveraging their intrinsic network-level properties, effectively automating the discovery and analysis of such phishing websites.

Dubbed "PHOCA" (after the Latin word for "seal"), the tool not only facilitates the discovery of previously unseen MitM phishing toolkits but can also be used to detect and isolate malicious requests coming from such servers.


Phishing toolkits automate and streamline the work attackers need to do to run credential-stealing campaigns. They are typically packaged as ZIP files containing ready-to-use email phishing templates and static copies of web pages from legitimate websites, allowing threat actors to impersonate the targeted entities and trick unsuspecting victims into disclosing private information.

But the increasing adoption of two-factor authentication (2FA) by online services in recent years means that these traditional phishing toolkits are no longer an effective way to break into accounts protected by the extra layer of security: a static copy of a login page can capture a password, but not the one-time code or the authenticated session that follows. Enter MitM phishing toolkits, which go a step further and altogether obviate the need to maintain "realistic" copies of web pages.

MITM Phishing Toolkits

A MitM phishing kit lets fraudsters sit between a victim and an online service. Rather than hosting a static bogus copy of a login page and distributing it via spam emails, the attacker deploys a site that mirrors the live content of the target website and acts as a conduit, forwarding requests and responses between the two parties in real time. Because the victim completes the real login, including the 2FA step, through the proxy, the attacker can capture both the credentials and the resulting session cookies of a 2FA-authenticated account.

“They function as reverse proxy servers, brokering communication between victim users and target web servers, all while harvesting sensitive information from the network data in transit,” Stony Brook University researchers Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis said in an accompanying paper.

The method the researchers devised uses a machine learning classifier fed with network-level features, such as TLS fingerprints and network timing discrepancies, to tell phishing websites hosted behind MitM reverse proxies apart from ordinary sites. It is paired with a data-collection framework that monitors and crawls suspicious URLs from open-source phishing feeds such as OpenPhish and PhishTank.


The core idea is to measure the round-trip time (RTT) delays that arise out of placing a MitM phishing kit, which, in turn, increases the duration…
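The timing idea in simplified form, as an added illustration that is not PHOCA's code: the TCP handshake completes at whatever host the victim connects to, but an HTTP request to a reverse-proxied site must be relayed to the real target before a response can come back, so application-level RTT is inflated relative to transport-level RTT. The HTTP/TCP RTT ratio as the feature, the decision threshold and the millisecond figures below are assumptions chosen for the demonstration, not values taken from the paper, and the threshold rule stands in for the trained classifier the researchers use. The `measure` function performs a live probe and is included for practitioners; the demo itself runs offline on constructed samples.

```python
"""Timing-discrepancy check for reverse-proxy (MitM) phishing sites.

Illustrative code, not PHOCA's. Feature choice (HTTP RTT / TCP RTT),
the threshold and the sample numbers are assumptions for the demo.
"""
from dataclasses import dataclass
from statistics import median
import socket
import ssl
import time


@dataclass
class RttSample:
    tcp_rtt_ms: float   # time to complete the TCP three-way handshake
    http_rtt_ms: float  # time from sending the HTTP request to the first response byte


# Assumed decision boundary for this toy rule (the paper uses a trained model).
RATIO_THRESHOLD = 3.0


def timing_ratio(samples):
    """Median application-level RTT divided by median transport-level RTT."""
    tcp = median(s.tcp_rtt_ms for s in samples)
    http = median(s.http_rtt_ms for s in samples)
    return http / tcp


def classify(samples, threshold=RATIO_THRESHOLD):
    """'reverse-proxy' when the HTTP RTT is far above what the TCP RTT predicts."""
    return "reverse-proxy" if timing_ratio(samples) >= threshold else "direct"


def simulate(rtt_to_edge_ms, rtt_edge_to_origin_ms, origin_processing_ms):
    """Model one request.

    For a direct server pass rtt_edge_to_origin_ms=0: the host the client
    reaches is the origin. For a reverse proxy with a warm upstream
    connection the request pays one extra edge<->origin round trip; a cold
    upstream connection would add TCP and TLS handshakes on top of that.
    """
    tcp = rtt_to_edge_ms
    http = rtt_to_edge_ms + rtt_edge_to_origin_ms + origin_processing_ms
    return RttSample(tcp_rtt_ms=tcp, http_rtt_ms=http)


def measure(host, port=443, path="/", rounds=3, timeout=5.0):
    """Live probe (needs network; not used by the offline demo).

    Opens a fresh connection per round, times the TCP connect, then the
    request-to-first-byte interval on the same connection after TLS.
    """
    ctx = ssl.create_default_context()
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: rtt-probe\r\nConnection: close\r\n\r\n").encode()
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        raw = socket.create_connection((host, port), timeout=timeout)
        tcp_ms = (time.perf_counter() - t0) * 1000
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            t1 = time.perf_counter()
            tls.sendall(request)
            tls.recv(1)
            http_ms = (time.perf_counter() - t1) * 1000
        samples.append(RttSample(tcp_ms, http_ms))
    return samples


# Constructed samples (milliseconds), not real measurements: the client is
# about 20 ms from the host it connects to; in the proxied case that host
# is a phishing server a further ~90 ms from the real target's origin.
DIRECT_SAMPLES = [simulate(20, 0, 5), simulate(22, 0, 6), simulate(19, 0, 5)]
PROXIED_SAMPLES = [simulate(20, 90, 5), simulate(21, 92, 6), simulate(20, 88, 5)]

if __name__ == "__main__":
    for name, s in (("direct", DIRECT_SAMPLES), ("proxied", PROXIED_SAMPLES)):
        print(f"{name}: ratio={timing_ratio(s):.2f} -> {classify(s)}")
```

Against the constructed samples the direct site scores a ratio of 1.25 and the proxied site 5.75. In practice the ratio must be read alongside the other features the paper names (TLS fingerprints in particular), since a legitimate CDN or load balancer in front of a slow origin also inflates HTTP RTT relative to TCP RTT.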

(Excerpt) To read the full article, click here