
An example of what the victim and attacker would see | Source: SlashNext
Cybersecurity researchers at SlashNext have discovered a sophisticated new phishing kit dubbed “Astaroth” that is capable of bypassing two-factor authentication (2FA) and targeting a wide range of online accounts, including Gmail, Yahoo, AOL, Microsoft 365, and various third-party login services.
Astaroth distinguishes itself from traditional phishing kits by not only stealing login credentials but also capturing 2FA tokens and session cookies in real time, allowing attackers to bypass 2FA completely. This is achieved through an evilginx-style reverse proxy, which intercepts and manipulates traffic between the victim and the legitimate authentication service.
“Astaroth utilizes an evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services like Gmail, Yahoo, and Microsoft,” the report explains. “Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real-time, effectively bypassing 2FA.”
The attack begins when a victim clicks on a phishing URL, which redirects them to a malicious server disguised as the legitimate login page. The server captures the victim’s login credentials and 2FA token as it forwards the request to the legitimate server, and then captures the session cookies that the legitimate server issues once authentication succeeds. The attacker can then use the stolen session cookie to log in to the victim’s account without needing any further credentials.
“The final step involves capturing session cookies, which are issued by the legitimate server after successful authentication,” the report states. “Astaroth intercepts and delivers them to the attacker, who can inject them into their browser using manual header modifications or tools like Burp Suite. This bypasses 2FA entirely – no further credentials are needed, as the session is already authenticated.”
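The session-replay step described above leaves a server-side signal: a cookie issued to one client context is suddenly presented from another. The following Python sketch is an added illustration of that detection idea, not code from SlashNext or from the kit; the session store, the /24 IP comparison, and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SessionContext:
    """Client context recorded when the legitimate server issued the session cookie.

    Note: behind a reverse-proxy phishing page, the recorded ip/user_agent belong
    to the proxy, not the victim, so the useful signal is drift after issuance."""
    user: str
    ip: str
    user_agent: str
    issued_at: int  # epoch seconds


@dataclass
class Request:
    session_id: str
    ip: str
    user_agent: str
    ts: int


class SessionMonitor:
    """Hypothetical server-side monitor that flags reuse of a session cookie
    from a client context different from the one it was issued to."""

    def __init__(self, max_age: int = 3600):
        self.sessions: Dict[str, SessionContext] = {}
        self.max_age = max_age

    def issue(self, session_id: str, ctx: SessionContext) -> None:
        self.sessions[session_id] = ctx

    def check(self, req: Request) -> Optional[str]:
        """Return None if the request matches the issuing context, else a reason string."""
        ctx = self.sessions.get(req.session_id)
        if ctx is None:
            return "unknown-session"
        reasons = []
        if req.user_agent != ctx.user_agent:
            reasons.append("user-agent changed")
        # Crude /24 comparison (constructed heuristic); real deployments would use ASN/geo.
        if req.ip.rsplit(".", 1)[0] != ctx.ip.rsplit(".", 1)[0]:
            reasons.append("ip changed")
        if req.ts - ctx.issued_at > self.max_age:
            reasons.append("expired")
        return ", ".join(reasons) or None
```

A flagged session is a candidate for step-up authentication or revocation; a single changed field may also be benign (roaming mobile client), so weight the combination rather than any one signal.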
Astaroth also includes several features designed to enhance its effectiveness and longevity, such as custom hosting options like bulletproof hosting to resist takedown attempts. The kit is sold for $2,000 for six months of updates, and the seller even offers testing before purchase to build trust.
While 2FA is still an important security measure, it is not foolproof. Users should be cautious of clicking on links from unknown senders and always double-check the URL of the login page before entering their credentials.