Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that is capable of targeting Microsoft 365 accounts with the aim of stealing credentials and two-factor authentication (2FA) codes, and that has been active since at least October 2024.
The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting Sneaky 2FA phishing pages have been identified as of this month, suggesting moderate adoption by threat actors.
"This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service 'Sneaky Log,' which operates through a fully-featured bot on Telegram," the company said in an analysis. "Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently."
Phishing campaigns have been observed sending payment receipt-related emails to entice recipients into opening bogus PDF documents containing a QR code that, upon scanning, redirects them to Sneaky 2FA pages.
Sekoia said the phishing pages are hosted on compromised infrastructure, mostly involving WordPress websites and other domains controlled by the attacker. The fake authentication pages are designed to automatically populate the victim's email address to raise their legitimacy.
The kit also boasts several anti-bot and anti-analysis measures, employing techniques like traffic filtering and Cloudflare Turnstile challenges to ensure that only victims who meet certain criteria are directed to the credential harvesting pages. It further runs a series of checks to detect and resist analysis attempts using web browser developer tools.
A notable aspect of the PhaaS is that site visitors whose IP address originates from a data center, cloud provider, bot, proxy, or VPN are directed to a Microsoft-related Wikipedia page using the href[.]li redirection service. This has led TRAC Labs to give it the name WikiKit.
"The Sneaky 2FA phishing kit employs several blurred images as the background for its fake Microsoft authentication pages," Sekoia explained. "By using screenshots of legitimate Microsoft interfaces, this tactic is intended to deceive users into authenticating themselves to gain access to the blurred content."
Further investigation has revealed that the phishing kit relies on a check with a central server, likely run by the operator, that makes sure the subscription is active. This means that only customers with a valid license key can use Sneaky 2FA to conduct phishing campaigns. The kit is advertised for $200 per month.
That's not all. Source code references have also been unearthed pointing to a phishing syndicate named W3LL Store, which was previously exposed by Group-IB in September 2023 as being behind a phishing kit called W3LL Panel and various tools for conducting business email compromise (BEC) attacks.
This, along with similarities in the AitM relay implementation, has also raised the possibility that Sneaky 2FA may be based on the W3LL Panel. The latter also operates under a similar licensing model that requires periodic checks with a central server.
In an interesting twist, some of the Sneaky 2FA domains were previously associated with known AitM phishing kits, such as Evilginx2 and Greatness, an indication that at least a few cyber criminals have migrated to the new service.
"The phishing kit uses different hardcoded User-Agent strings for the HTTP requests depending on the step of the authentication flow," Sekoia researchers said. "This behavior is rare in legitimate user authentication, as a user would have to perform successive steps of the authentication from different web browsers."
“While User-Agent transitions occasionally happen in legitimate situations (e.g., authentication initiated in desktop applications that launch a web browser or WebView to handle MFA), the specific sequence of User-Agents used by Sneaky 2FA does not correspond to a realistic scenario, and offers a high-fidelity detection of the kit.”
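The detection idea in the quote above can be turned into a simple session-level check: group the requests of one authentication flow, walk the steps in order, and flag any flow whose User-Agent string changes between steps, while tolerating the one hand-off Sekoia describes as plausible (a desktop client launching a browser or WebView for MFA). The following is an added example written for this article, not Sekoia's code and not the kit's own User-Agent strings; the log records, session identifiers, step names, the `Microsoft Office/` prefix used as a desktop-client heuristic, and the three verdict labels are all constructed assumptions.

```python
"""Flag authentication flows whose User-Agent changes between steps.

Added example, not from Sekoia or the original article. The log lines, the
User-Agent strings and the field names are constructed for illustration; real
telemetry (reverse-proxy access logs, identity-provider sign-in logs) would
need a mapping step to produce records of the same shape.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON record per request, correlated by a session
# cookie. s1 is a normal flow, s2 hops between three browsers, s3 is a
# desktop client handing off to a browser at the MFA step.
SAMPLE_LOG = """
{"ts": "2025-01-16T09:00:01Z", "session": "s1", "step": "username", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"}
{"ts": "2025-01-16T09:00:04Z", "session": "s1", "step": "password", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"}
{"ts": "2025-01-16T09:00:09Z", "session": "s1", "step": "mfa", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"}
{"ts": "2025-01-16T09:01:00Z", "session": "s2", "step": "username", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"}
{"ts": "2025-01-16T09:01:02Z", "session": "s2", "step": "password", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15"}
{"ts": "2025-01-16T09:01:05Z", "session": "s2", "step": "mfa", "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/119.0 Safari/537.36"}
{"ts": "2025-01-16T09:02:00Z", "session": "s3", "step": "username", "ua": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328; Pro)"}
{"ts": "2025-01-16T09:02:03Z", "session": "s3", "step": "password", "ua": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328; Pro)"}
{"ts": "2025-01-16T09:02:07Z", "session": "s3", "step": "mfa", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36 Edg/120.0"}
"""


def parse_log(text):
    """Group records by session and order each session's steps by timestamp."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sessions[rec["session"]].append((rec["ts"], rec["step"], rec["ua"]))
    return {
        sid: [(step, ua) for _, step, ua in sorted(steps)]
        for sid, steps in sessions.items()
    }


def ua_transitions(steps):
    """Return (previous_ua, new_ua, step) for every consecutive UA change."""
    changes = []
    for (_, prev_ua), (step, ua) in zip(steps, steps[1:]):
        if prev_ua != ua:
            changes.append((prev_ua, ua, step))
    return changes


def is_desktop_client_ua(ua):
    # Assumption for this example: treat an Office-style UA prefix as a
    # desktop client. A production rule would use a curated list.
    return ua.startswith("Microsoft Office/")


def classify_session(steps):
    """'benign' (no change), 'review' (single plausible desktop-to-browser
    hand-off at the MFA step) or 'suspicious' (any other UA change)."""
    changes = ua_transitions(steps)
    if not changes:
        return "benign"
    if len(changes) == 1:
        prev_ua, new_ua, step = changes[0]
        if is_desktop_client_ua(prev_ua) and not is_desktop_client_ua(new_ua) and step == "mfa":
            return "review"
    return "suspicious"


def detect(text):
    """Map each session id to its verdict."""
    return {sid: classify_session(steps) for sid, steps in parse_log(text).items()}


if __name__ == "__main__":
    for sid, verdict in detect(SAMPLE_LOG).items():
        print(f"{sid}: {verdict}")
```

The rule is intentionally strict: a browser-to-browser change at any step is treated as suspicious, and only the desktop-client hand-off that Sekoia mentions is downgraded to review. Tune `is_desktop_client_ua` to the clients actually present in the environment before relying on the `review` bucket.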