Stony Brook University worked with Palo Alto Networks to develop an internet sniffer that detects the presence of traffic unique to one specific phishing tool (out of 13 versions of 3 phishing tools). In 2018 and 2019 researchers found 200 phishing sites. The sniffer, detecting just one tool version, discovered 1,220 sites. The article provides a good description of how these phishing tools work in both the Real-Time Configuration and the Man-in-the-Middle version making it a valuable read to those unfamiliar with these tools:
“In a study published last month, academics from Stony Brook University and security firm Palo Alto Networks said they analyzed 13 versions of these three MitM phishing toolkits and created fingerprints for the web traffic that goes through one of these tools.
They used their findings to develop a tool called PHOCA that could detect if a phishing site was using a reverse proxy—a clear sign that the attacker was trying to bypass 2FA and collect authentication cookies rather than credentials alone.
The researchers said they fed PHOCA with URLs reported by the cybersecurity community as phishing sites between March 2020 and March 2021 and found that 1,220 of these sites were using MitM phishing toolkits.
The number is a significant jump from the roughly 200 phishing sites running reverse proxies that were active in late 2018 and early 2019, according to stats provided at the time to this reporter by late RiskIQ researcher Yonathan Klijnsma.
This rise shows that these tools, and MitM phishing kits in general, have slowly gained in popularity among the cybercrime ecosystem.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group