How the Scam Works
Typical phishing scams trick people by cloning a website's login page
or by relaying traffic between the victim and the real site. Bluekit changes this approach by using
an attack method called Browser-in-the-Middle (BitM).
According to Netcraft researchers, the system loads the real
login page, such as a Microsoft login,
inside a browser that the hackers control. An open-source software tool called
rrweb then "records and streams live DOM interactions" to the victim over a
WebSocket connection, the researchers explained.
Further investigation revealed that the victim sees a real,
working page rather than a simple picture or video stream. When the target types
their details or clicks on buttons, those actions go straight into the hacker's
browser. The victim thinks they are logging in normally, but they are actually
opening their account inside the hacker's computer.
Passing the Security Tests
Before showing the fake
login page, the system runs a series of tests to block security tools.
Netcraft’s research,
shared exclusively with Hackread.com, highlighted that Bluekit uses a “layered
evasion architecture designed to prevent automated detection” from safety
systems.
“Bluekit operates in two distinct phases: a pre-engagement
evasion phase designed to distinguish human victims from automated scanners,
and a delivery phase in which the BitM technique is executed,” the blog
post reads.
The attack sequence shows that when a victim loads the scam
link, the system runs more than 20 bot checks. It looks at computer details
like RAM, screen size, and browser language. Using WebRTC technology, it
connects to a STUN server to check a user’s web settings.
This lets the hackers tell whether a visitor is using a proxy or
a VPN to hide their identity. If the visitor appears to be a real person, a fake safety-check page
or CAPTCHA appears, often imitating well-known names like Cloudflare, to convince the user the page is legitimate.
Why This Tool Differs
Hackers love this new setup because it helps them bypass
extra security steps. With older tools like Evilginx,
stealing an active session and moving it to a new computer could trigger a
safety alarm due to a mismatch in browser details.
With Bluekit, the session starts on the hacker's machine
from the very beginning. This means the browser details never change, making it
much harder for security systems to spot the trick. Researchers noted that the
tool creates a very smooth experience for the victim with no visible quality
issues; a slight lag in mouse clicks might be the only giveaway. Since
this platform is now fully live, users must remain cautious even when a login
page looks completely genuine.
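As an added example (not code from Netcraft's research or from the Bluekit kit), the Python script below triages captured page source for the two phases described above: the pre-engagement fingerprinting (RAM, screen size, browser language, WebRTC/STUN) and the rrweb-over-WebSocket delivery stage. The indicator names, weights and the two sample pages are this example's own constructions.

```python
import re

# Added example: heuristic triage of captured page source for the two phases
# described above. Pattern names and weights are this example's own choices,
# not indicators published by Netcraft or used by the Bluekit kit.
INDICATORS = {
    # Pre-engagement evasion: fingerprinting RAM, screen, language, WebRTC/STUN.
    "device_memory": (r"navigator\.deviceMemory", 1, "evasion"),
    "screen_size":   (r"\bscreen\.(width|height)\b", 1, "evasion"),
    "language":      (r"navigator\.languages?\b", 1, "evasion"),
    "webrtc_stun":   (r"RTCPeerConnection|stun:", 2, "evasion"),
    # Delivery: rrweb DOM recording/replay streamed over a WebSocket.
    "rrweb":         (r"\brrweb\b", 3, "delivery"),
    "websocket":     (r"new\s+WebSocket\s*\(", 2, "delivery"),
}

def scan_page(html: str) -> dict:
    """Return matched indicators, per-phase scores and a verdict for one page."""
    hits, scores = {}, {"evasion": 0, "delivery": 0}
    for name, (pattern, weight, phase) in INDICATORS.items():
        if re.search(pattern, html):
            hits[name] = phase
            scores[phase] += weight
    # Both phases together are the BitM shape; a WebSocket alone is common on
    # legitimate sites, and fingerprinting alone is common in anti-fraud scripts.
    suspicious = scores["evasion"] >= 3 and scores["delivery"] >= 3
    return {"hits": hits, "scores": scores, "suspicious": suspicious}

# Constructed sample inputs (not real kit code): one page with both phases,
# one ordinary chat widget that only opens a WebSocket.
SAMPLE_BITM_PAGE = """
<script>
var mem = navigator.deviceMemory, w = screen.width, lang = navigator.language;
var pc = new RTCPeerConnection({iceServers:[{urls:"stun:stun.example.invalid"}]});
</script>
<script src="/static/rrweb.min.js"></script>
<script>var ws = new WebSocket("wss://phish.example.invalid/stream");</script>
"""
SAMPLE_BENIGN_PAGE = """
<script>var ws = new WebSocket("wss://chat.example.invalid/ws");</script>
"""

if __name__ == "__main__":
    for label, page in (("bitm", SAMPLE_BITM_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(label, scan_page(page))
```

Because the kit serves the delivery stage only to visitors that pass its bot checks, an automated fetch may see nothing but the fingerprinting script; a missing delivery indicator is therefore not clearance, and the evasion-phase hits alone are worth escalating to a manual look.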