No fewer than 1,220 Man-in-the-Middle (MitM) phishing websites have been discovered as targeting popular online services like Instagram, Google, PayPal, Apple, Twitter, and LinkedIn with the goal of hijacking users’ credentials and carrying out further follow-on attacks.
The findings come from a new study undertaken by a group of researchers from Stony Brook University and Palo Alto Networks, who have demonstrated a new fingerprinting technique that makes it possible to identify MitM phishing kits in the wild by leveraging their intrinsic network-level properties, effectively automating the discovery and analysis of phishing websites.
Dubbed “PHOCA” — named after the Latin word for “seals” — the tool not only facilitates the discovery of previously unseen MitM phishing toolkits, but also can be used to detect and isolate malicious requests coming from such servers.
Phishing toolkits aim to automate and streamline the work required by attackers to conduct credential-stealing campaigns. They are packaged ZIP files that come with ready-to-use email phishing templates and static copies of web pages from legitimate websites, allowing threat actors to impersonate the targeted entities in a bid to trick unsuspecting victims into disclosing private information.
But the increasing adoption of two-factor authentication (2FA) by online services in recent years meant that these traditional phishing toolkits can no longer be an effective method to break into accounts protected by the extra layer of security. Enter MitM phishing toolkits, which go a step further by altogether obviating the need for maintaining “realistic” web pages.
A MitM phishing toolkit enables fraudsters to sit between a victim and an online service. Rather than setting up a bogus website that’s distributed via spam emails, the attackers deploy a counterfeit website that mirrors the live content of the target website and acts as a conduit to forward requests and responses between the two parties in real-time, thus permitting the extraction of credentials and session cookies from 2FA-authenticated accounts.
“They function as reverse proxy servers, brokering communication between victim users and target web servers, all while harvesting sensitive information from the network data in transit,” Stony Brook University researchers Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis said in an accompanying paper.
The method devised by the researchers involves a machine learning classifier that utilizes network-level features such as TLS fingerprints and network timing discrepancies to classify phishing websites hosted by MitM phishing toolkits on reverse proxy servers. It also entails a data-collection framework that monitors and crawls suspicious URLs from open-source phishing databases like OpenPhish and PhishTank, among others.
The core idea is to measure the round-trip time (RTT) delays that arise out of placing a MitM phishing kit, which, in turn, increases the duration from when the victim browser sends a request to when it receives a response from the target server owing to the fact that the reverse proxy mediates the communication sessions.
“As two distinct HTTPS sessions must be maintained to broker communication between the victim user and target web server, the ratio of various packet RTTs, such as a TCP SYN/ACK request and HTTP GET request, will be much higher when communicating with a reverse proxy server than with an origin web server directly,” the researchers explained. “This ratio is further magnified when the reverse proxy server intercepts TLS requests, which holds true for MitM phishing toolkits.”
In an experimental evaluation that lasted 365 days between March 25, 2020 and March 25, 2021, the study uncovered a total of 1,220 sites as operated using MitM phishing kits that were scattered primarily across the U.S. and Europe, and relied on hosting services from Amazon, DigitalOcean, Microsoft, and Google. Some of the brands that were most targeted by such kits include Instagram, Google, Facebook, Microsoft Outlook, PayPal, Apple, Twitter, Coinbase, Yahoo, and LinkedIn.
“PHOCA can be directly integrated into current web infrastructure such as phishing blocklist services to expand their coverage on MitM phishing toolkits, as well as popular websites to detect malicious requests originating from MitM phishing toolkits,” the researchers said, adding that uniquely identifying MitM phishing toolkits can “enhance the ability of web-service providers to pinpoint malicious login requests and flag them before authentication is completed.”