
DEV-1101 is an emerging threat actor in the cybercrime world and the developer of an open-source adversary-in-the-middle (AiTM) phishing kit. The kit can orchestrate attacks at scale and has found a number of takers among cybercriminals. Its features make it possible to set up phishing landing pages mimicking Microsoft Office and Outlook, manage campaigns from mobile devices, and even use CAPTCHA checks to evade detection.
An AiTM phishing attack typically involves a threat actor attempting to intercept and steal a target's password and session cookies by deploying a proxy server between the user and the website. Such attacks are more effective because they can circumvent multi-factor authentication (MFA) protections. The service-based economy that fuels such offerings can also result in double theft, wherein the stolen credentials are sent to both the phishing-as-a-service provider and their customers.
Microsoft Threat Intelligence is tracking the threat actor behind the development of the kit under its emerging moniker DEV-1101. "The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime," Microsoft said in a technical report.
Cybercrime is a growing problem in our increasingly digital world. The industrialization of the cybercriminal economy, as Microsoft puts it, is making it easier than ever for would-be criminals to get started in the business. The availability of phishing kits like the one developed by DEV-1101 is a perfect example of this. Such kits lower the barrier to entry for cybercrime, making it possible for anyone with the means to purchase one to launch a phishing campaign.
AiTM phishing attacks are particularly dangerous because they can circumvent MFA protections. The proxy server deployed between the user and the website lets the threat actor intercept passwords and session cookies.
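One way a defender can look for reuse of an intercepted session cookie, shown as an added example that is not from Microsoft's report or the original article. The log schema, field names and sample events are constructed for illustration, and comparing /24 networks is an assumed heuristic.

```python
import ipaddress
from datetime import datetime

# Constructed sample events (hypothetical schema, not a real product's log format).
EVENTS = [
    {"time": "2023-03-14T09:00:05", "user": "alice@example.com", "session": "s-1001",
     "event": "mfa_satisfied", "ip": "198.51.100.20", "ua": "Chrome/110 Windows"},
    {"time": "2023-03-14T09:02:40", "user": "alice@example.com", "session": "s-1001",
     "event": "cookie_presented", "ip": "198.51.100.77", "ua": "Chrome/110 Windows"},
    {"time": "2023-03-14T10:15:00", "user": "bob@example.com", "session": "s-2002",
     "event": "mfa_satisfied", "ip": "203.0.113.9", "ua": "Edge/110 Windows"},
    {"time": "2023-03-14T10:21:30", "user": "bob@example.com", "session": "s-2002",
     "event": "cookie_presented", "ip": "192.0.2.200", "ua": "python-requests/2.28"},
]

def same_network(ip_a, ip_b, prefix=24):
    """True when both IPv4 addresses fall in the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def find_session_replay(events, prefix=24):
    """Flag sessions whose cookie is presented from a different network than
    the one where MFA was satisfied; a user-agent change is added as evidence."""
    issued = {}   # session id -> event recorded when MFA completed
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["event"] == "mfa_satisfied":
            issued[ev["session"]] = ev
            continue
        origin = issued.get(ev["session"])
        if origin is None:
            # Cookie seen with no recorded sign-in: nothing to compare against.
            alerts.append((ev["user"], ev["session"], ["no_recorded_signin"]))
            continue
        reasons = []
        if not same_network(origin["ip"], ev["ip"], prefix):
            reasons.append("network_changed")
            if origin["ua"] != ev["ua"]:
                reasons.append("user_agent_changed")
        if reasons:
            alerts.append((ev["user"], ev["session"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

A session that passes MFA once and then appears from an unrelated network is worth triage even though every authentication step succeeded, which is why password and MFA logs alone do not surface this kind of theft.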
Microsoft is aware of the problem and is tracking the threat actor behind the development of the kit under its emerging moniker DEV-1101. In a technical report, the company said, "The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime."