Phishing kits

Stay aware: Phishing kits to send millions of emails


DEV-1101 is an emerging threat actor that builds and sells phishing kits, raising the game for large-scale phishing attempts.

Microsoft stated: “AiTM phishing is capable of circumventing multifactor authentication (MFA) through reverse-proxy functionality. DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, which other cybercriminals can buy or rent. The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime.”

DEV-1101 tool promotion

The kit was promoted on a well-known cybercrime channel on Telegram. The advertisement describes it as a phishing application written in NodeJS with PHP reverse-proxy capabilities, automated setup, detection evasion through an antibot database, management of phishing activity through Telegram bots, and a wide range of ready-made phishing pages mimicking services such as Microsoft Office or Outlook.

As demand grew rapidly, the kit's price and availability rose with it. The attacks were purpose-driven and proved highly successful for the intruders.

Microsoft says: “The kit also allows threat actors to use CAPTCHA to evade detection. Inserting a CAPTCHA page into the phishing sequence could make it more difficult for automated systems to reach the final phishing page, while a human could easily click through to the next page.”

How does AiTM work?

An AiTM phishing attack typically involves a threat actor attempting to intercept and steal a target's password and session cookies by deploying a proxy server between the user and the website.

Adversaries in an AiTM position force a device:

  • To communicate through a system they control so that information can be collected through deceit. They abuse networking protocols such as ARP, DNS, LLMNR, and more.
  • To leverage the AiTM position to monitor or modify traffic, as in Transmitted Data Manipulation.
  • To set up a position similar to AiTM that prevents traffic from flowing to its appropriate destination, potentially to Impair Defenses and/or in support of a Network Denial of Service.

Mitigate the damage

MITRE has advised certain measures which can be helpful to mitigate AiTM phishing attacks:

  • Disable or remove legacy network programs
  • Ensure that all wired and/or wireless traffic is encrypted appropriately
  • Filter network traffic
  • Limit Access to Resource Over Network
  • Network Intrusion Prevention
  • Network segmentation to isolate infrastructure components
  • User training

Ending note

With improved versions of malware and phishing techniques, it has become very difficult to avoid such attacks. The only thing one can do is use phishing-resistant methods, security keys, and prudence to avoid getting into the trap.

Also, keeping yourself updated about the vulnerabilities around the world is a way forward to knowing how to avoid compromising your online presence.
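Why security keys count as "phishing-resistant" against the reverse-proxy attack described above: the browser, not the web page, records the origin it is really talking to inside the WebAuthn clientDataJSON, and the authenticator scopes the credential to the relying party's domain, so an assertion relayed through a proxy on a lookalike domain fails the relying party's checks even though the username, password and challenge were relayed faithfully. The following is an added Python example, not code from the article or from Microsoft; the domains, challenge value and the check function are constructed for illustration, and the signature verification a real WebAuthn server also performs is deliberately left out to keep the focus on the origin and RP ID binding.

```python
import base64
import hashlib
import json

# Relying-party configuration (constructed example values, not real hosts).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode base64url without padding, the encoding WebAuthn uses."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Simulate the browser's clientDataJSON. The browser fills in the origin
    it is actually connected to, so a proxy's lookalike domain ends up here."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    """Simulate authenticator data: the first 32 bytes are sha256(rpId), which the
    authenticator derives from the RP ID the browser passes for the current domain."""
    flags = bytes([0x05])              # user present + user verified
    counter = (1).to_bytes(4, "big")   # signature counter
    return hashlib.sha256(rp_id.encode()).digest() + flags + counter


def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str):
    """Relying-party side binding checks. Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo():
    """Legitimate login versus the same challenge relayed by an AiTM proxy."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed, normally random per login
    legit = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                             make_auth_data(RP_ID), challenge)
    # The proxy relays the challenge unchanged, but the browser records the proxy's
    # origin and the authenticator scopes the credential to the proxy's domain.
    proxy_host = "login-example.com.invalid"  # constructed lookalike domain
    proxied = verify_assertion(make_client_data("https://" + proxy_host, challenge),
                               make_auth_data(proxy_host), challenge)
    return legit, proxied
```

Run `demo()` to see the legitimate assertion accepted and the proxied one rejected with an origin mismatch before any password or session cookie handling is reached.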

Author: PureVPN

Date: March 20, 2023
