The Bluekit phishing-as-a-service (PhaaS) platform has significantly upgraded its toolkit by integrating a real-time "browser-in-the-middle" (BitM) proxy. This technique allows the service to hijack authenticated sessions in real time, effectively bypassing widely used multi-factor authentication (MFA) methods like SMS codes and standard authenticator apps.
Analysis from BleepingComputer reveals Bluekit's infrastructure is rapidly expanding, with security researchers identifying nearly 70 new malicious hostnames in just the past week. This growth highlights the scalable, subscription-based nature of modern PhaaS, which puts sophisticated attack capabilities into the hands of more cybercriminals.
The critical innovation is the BitM proxy's operation. Instead of simply capturing static login credentials, it acts as a live relay. When a victim enters details into a fraudulent login page, the proxy immediately forwards the request to the legitimate service. This allows the attacker to capture the victim's password and the one-time MFA code at the moment it is generated and entered, hijacking the fully authenticated session.
This development invalidates a core security assumption for many organizations. SMS-based one-time passwords (OTPs) and time-based one-time passwords (TOTP) from standard authenticator apps are now demonstrably ineffective against this class of live proxy attacks. Because the phishing page can be a perfect visual replica, users are unlikely to detect the compromise during login.
For sectors in Hong Kong, such as finance and technology, where regulatory frameworks often mandate MFA, this presents an urgent operational challenge. The threat moves from theoretical to immediate, requiring a strategic response in security planning.
Security experts strongly advocate for a decisive shift toward phishing-resistant authentication standards. Protocols like FIDO2 and WebAuthn use cryptographic keys bound to the legitimate website's domain. This binding inherently defeats real-time relay attacks like BitM, because an authentication performed on a look-alike domain cannot be successfully forwarded to the real site.
Consequently, organizations are urged to immediately prioritize deploying hardware security keys or device-bound passkeys for privileged accounts and critical systems. Alongside this, developing a phased plan to deprecate SMS and standard TOTP MFA for high-risk user groups is becoming a necessity, despite potential usability hurdles during transition.
Furthermore, security operations must evolve their detection focus. Monitoring should expand beyond identifying fake login pages to detecting network-level indicators of BitM infrastructure. This includes hunting for anomalous traffic to newly registered domains, irregular session token behavior, and metadata mismatches that signal an intermediary proxy.
The Bluekit update underscores a critical escalation in the phishing arms race. As attackers productize advanced bypass techniques, defenders must accelerate the adoption of cryptographically strong, phishing-resistant authentication and enhance detection targeting the underlying attack infrastructure itself. For Hong Kong's organizations, accelerating these plans is no longer discretionary—it is an immediate priority.
