home.social

#aitm — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #aitm, aggregated by home.social.

  1. @eelcoa : unfortunately, it is all not that simple.

    DigiD is certainly not perfect. And it is absurd if it falls into the hands of a company that has to comply with US legislation.

    An advantage of DigiD that should not be underestimated is that the server(s) of the party where the citizen wants to log in (such as abp.nl) must meet all kinds of security requirements (and such a server communicates with the DigiD server(s)).

    If you allow online authentication on (servers of) arbitrary parties, AitM (Attacker in the Middle) attacks will become a big problem (phishing already is a gigantic problem).

    For reliable authentication it is necessary that the one who proves to be who she/he says she/he is can trust the authenticator. That starts with *you* knowing *who* the verifier is.

    In tweakers.net/nieuws/204138/ned and further on you will find a discussion I had with Ivo Jansch (EDIW) and, later on, with "denan" (IRMA/Yivi). NB: my Tweakers account was closed after a quarrel with an annoying moderator.

    Interesting, from yivi.app/privacy_and_security/:

    Lost your phone? Then you can block your Yivi app in no time via Mijn Yivi.

    That seems impossible to me without the involvement of a central server during login.

    #Yivi #EDIW #EUDIW #AitM #MitM #OnlineAuthenticatie

  2. @SpaceLifeForm @thomasfuchs

    Alternatively, use the NoScript plugin (Firefox on Android and desktop operating systems) and do not trust (default behaviour is to block, explicit blocking is possible too) Cloudflare.

    Note that this method does not prevent Cloudflare from knowing your IP address, but effectively this tells them that they suck if you do not enable their invasive JavaScript code "to determine whether the connection is safe".

    A connection that is actually very much NOT safe; there's an Attacker in the Middle spying on every bit exchanged if you continue. They even collect every password you enter on websites proxied by Cloudflare (blog.cloudflare.com/password-r).

    #CloudflareIsEvil #BigTechIsEvil #AitM #MitM #Cloudflare

  6. Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails

    Pulse ID: 69fd6a90ea09bac209a0af4a
    Pulse Link: otx.alienvault.com/pulse/69fd6
    Pulse Author: Tr1sa111
    Created: 2026-05-08 04:46:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111

  7. Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails

    Pulse ID: 69fd6ab1d93fddbc4eca0a5a
    Pulse Link: otx.alienvault.com/pulse/69fd6
    Pulse Author: Tr1sa111
    Created: 2026-05-08 04:46:41

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111

  8. Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails

    Pulse ID: 69fd6ace7eb0b90ae5e0bad1
    Pulse Link: otx.alienvault.com/pulse/69fd6
    Pulse Author: Tr1sa111
    Created: 2026-05-08 04:47:10

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AitM #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111

  9. Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails

    A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.

    Pulse ID: 69fb1736879a4a945346b9ba
    Pulse Link: otx.alienvault.com/pulse/69fb1
    Pulse Author: AlienVault
    Created: 2026-05-06 10:25:58

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #Microsoft #OTX #OpenThreatExchange #PDF #Phishing #RAT #RCE #Troll #UnitedStates #bot #AlienVault

  10. Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise

    Pulse ID: 69fabb38dc54c806b7504109
    Pulse Link: otx.alienvault.com/pulse/69fab
    Pulse Author: Tr1sa111
    Created: 2026-05-06 03:53:28

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AitM #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111

  11. Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Microsoft Security Blog

    Pulse ID: 69f9fbfae3ba66bbf5cff9d8
    Pulse Link: otx.alienvault.com/pulse/69f9f
    Pulse Author: CyberHunter_NL
    Created: 2026-05-05 14:17:30

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AitM #CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #bot #CyberHunter_NL

  12. Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise

    A sophisticated large-scale credential theft campaign targeted over 35,000 users across 13,000 organizations, primarily in the United States, between April 14-16, 2026. Attackers distributed fully authenticated emails from legitimate services using code of conduct-themed lures with polished HTML templates. The multi-stage attack chain included PDF attachments with embedded links, multiple CAPTCHA challenges, and intermediate staging pages designed to appear legitimate while filtering automated defenses. Recipients were directed through several layers ultimately leading to an adversary-in-the-middle phishing flow that proxied authentication sessions and captured tokens, bypassing non-phishing-resistant multifactor authentication. The campaign broadly impacted Healthcare, Financial services, Professional services, and Technology industries, using social engineering techniques that created urgency through time-bound prompts and concerning accusations.

    Pulse ID: 69f8f1230f0bda494499b941
    Pulse Link: otx.alienvault.com/pulse/69f8f
    Pulse Author: AlienVault
    Created: 2026-05-04 19:18:59

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #MultiFactorAuthentication #OTX #OpenThreatExchange #PDF #Phishing #SocialEngineering #UnitedStates #bot #AlienVault

  17. 📢⚠️ #Bluekit, a new AI-powered phishing-as-a-service kit, lets attackers bypass MFA using #AiTM attacks and stolen session cookies. With 40+ fake templates and AI tools.

    Read: hackread.com/bluekit-phishing-

    #Cybersecurity #Phishing #MFA #AI #Hacking #PhaaS

  22. @xssfox : no they're not.

    IIRC client certs are bound to the TLS channel, while passkeys are bound to the domain name.

    Passkeys do not protect against DNS domain takeovers or BGP hijacks (where a malicious website hijacks the domain name and obtains a valid https website certificate).

    OTOH if your browser has a TLS connection to a MitM proxy such as Cloudflare or Fastly, you're dead in the water anyway.

    #TLS #MitM #AitM #Passkeys

  23. BRAINLESS ONLINE AGE VERIFICATION

    Angela von der Leyen in nos.nl/artikel/2610545-europes:

    "It is up to parents to raise their children."

    Then get lost with your app!

    Never mentioned among the drawbacks of this kind of junk app is the risk of AitM (Attacker in the Middle) attacks (possibly limited to a small time window):

    🧔🏻‍♂️—>📜18+ proof📱—>🌐fake site (or a real one earning something on the side)

    🙍🏻‍♂️💶—>📜18+ proof (from 🧔🏻‍♂️)📱—>🌐18+ site

    #AitM #MitM #OnlineLeeftijdsVerificatie #OnlineAgeVerification #AgeVerification #LeeftijdsVerificatie #Privacy #DataLekken

  24. Phishing 2025–2026: from social engineering to industrial PhaaS pipelines

    The modern cyber threat landscape demonstrates the final transformation of phishing from a collection of scattered fraudulent emails into a mature service industry that operates by the rules of a legitimate IT business. For many years phishing has remained one of the most sought-after ways of obtaining initial access to corporate infrastructure, retaining its effectiveness despite the mass adoption of multi-factor authentication (MFA) and investment in anti-spam filtering.

    habr.com/ru/companies/pt/artic

    #фишинг #mfa #phaas #парсинг #aitm #dkim #dmark #seg #ocr #вредоносное_по

  25. @JDGooiker : and please put https:// in front of it, like this:

    https:⧸⧸gaza.onl

    only then not with ⧸⧸ (unicode) but with // (two ordinary slashes):

    gaza.onl

    Mastodon has made the (secure) link (URL) clickable.

    ADDITIONAL EXPLANATION
    If www. follows https://, that is not shown either. Example:

    https:⧸⧸www.security.nl

    If I replace ⧸⧸ with //, that becomes:

    security.nl

    If you put gaza.onl directly after http:// (instead of https://), that becomes:

    gaza.onl <= less secure, but the reader doesn't see that!

    Again, if you type https:// followed by gaza.onl, the link (URL) becomes clickable and is as secure as possible:

    gaza.onl

    TECHNICAL
    The reason for having published URLs (= links) start with https:// is rather technical: URLs without a protocol indication can be interpreted by browsers as relatively insecure http:// URLs.

    Especially when people use public WiFi (train, restaurant or hotel), an http:// connection can be hijacked by an experienced attacker; with a link that starts with https:// that is virtually impossible.

    @michielminded

    #httpsVersusHttp #MitM #AitM

  26. @adamshostack : that may depend on your audience, not everyone will be familiar with swimlanes.

    In 2024 I tried to explain "The Chase Case" to Dutch people interested in infosec in security.nl/posting/842742 (I can't upload images there and that site is rather unfriendly for mobile browsers, so I try to restrict the width - which is often hard in case of "ASCII art swimlanes").

    Note that the Dutch word "stap" means "step" and "Jan" is a very common first name for Dutch men.

    English explanation in the Alt text.

    Edited to add: the problem at hand is missing channel binding.

    @Luxano @Edent @briankrebs

    #MitM #AitM #Chase

  27. 📰 Sophisticated AiTM Phishing Campaign Targets TikTok for Business Accounts to Bypass MFA

    ⚠️ Phishing Alert: Sophisticated AiTM campaign targeting TikTok for Business accounts to bypass MFA and steal session cookies. Attackers use Google Storage URLs to evade detection. #Phishing #AiTM #TikTok

    🔗 cyber.netsecops.io/articles/ph

  28. @grammasaurus : if I understand the patent correctly, the content seen by a user in their browser will not for 100% originate from your website given its domain name.

    However, Google may let their Chrome browser show your domain name in the address bar and even suggest that a server-authenticated and encrypted valid https connection is being used (proving the authenticity of your website, which is then fully broken).

    Google may even force other browser makers (such as Mozilla, sponsored by Google) to do the same.

    @SteveRudolfi

    #Authenticity #Authentic #MitM #AitM #GoogleIsEvil #BigTechIsEvil #TLSisBroken #httpsIsBroken #httpsIsNoLongerE2EE #E2EE

  29. @matv1 : I don't understand the problem. Just click such a shortcut link yourself. As soon as the browser "has come to a halt" on the intended website, copy the link from the address bar of your browser (if your browser still doesn't show the real link, you're being really stupid by using such a browser yourself).

    Furthermore, removing any tracking data that may be present at the end of the URL is greatly appreciated (test yourself whether the "cleaned" URL still works before including it in a toot).

    See also todon.nl/@ErikvanStraten/11569.

    @ronald48 @bert_hubert

    #Privacy #MitM #AitM

  30. A five-month spearphishing operation discovered by Socket has transformed the npm registry into a durable hosting layer for AiTM credential theft, specifically targeting sales teams in the manufacturing and healthcare industries.

    Read More: security.land/npm-registry-wea

    #SecurityLand #Cybersecurity #Research #NPM #Phishing #CriticalInfrastructure #AiTM #Spearphishing #Dev

  31. @pake_preacher : I forgot the details of PAKE and SRP, but in the end the most secure client authentication requires:

    1️⃣ Strong, long term, human comprehensible, *serving endpoint* authentication;
    *AND*
    2️⃣ TLS channel binding (enforcing known endpoints).

    (Apart from those, both serving endpoint AND client MUST be trustworthy).

    🚨 The -corrupt- CA/B forum breaks 1️⃣ by:
    a) Advocating anonymous Domain Validated certificates, which render secure account creation IMPOSSIBLE;
    b) Continuously decreasing certificate lifetime.

    🚨 Furthermore, "legitimate" MitM's * break 2️⃣.

    * Man in the Middle, like on-device virus scanners and firewalls that "open" TLS tunnels (both requiring installation of a dedicated root certificate) and proxies such as (definitely not limited to) Cloudflare and Fastly.

    😱 Passkeys enforce NEITHER 1️⃣ NOR 2️⃣.

    😱😱 Worse, because passkeys (or FIDO2 hardware keys) can be easily irretrievably "lost", servers typically provide WAY EASIER phishable authentication methods (such as "rescue codes").

    @cendyne @soatok @chazh

    #AitM #MitM #SecureOnlineAuthIsHARD #SecureAuthentication #OnlineAuthentication #Authentication #Impersonation #ChannelBinding #TLSchannelBinding #UTM #TLS #TLSinterception #TLSscanning #Proxy #Proxies #GoogleIsEvil #CloudflareIsEvil
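Posts 22 and 31 both turn on what it means that a passkey is "bound to the domain name" rather than to the TLS channel. The block below is an added example, not code from either post or from any passkey implementation: it models the relying-party side of a WebAuthn assertion check, verifying the ceremony type, the fresh challenge, the exact `origin` the browser recorded in `clientDataJSON`, and the `rpIdHash` in the authenticator data. The relying party id `example.com`, the origin, and the constructed look-alike host are assumptions; the signature check over `authData || SHA-256(clientDataJSON)` against the stored public key is deliberately left out because it needs a crypto library, so what remains is exactly the domain-binding part. Note that in a real AitM proxy flow the browser would refuse to use an `example.com` credential on another host before anything reached the relying party; the check here is the server-side backstop for the same property.

```python
"""Relying-party (RP) origin binding check for a passkey / WebAuthn assertion.

Added example; not taken from any post above. RP_ID and RP_ORIGIN are
constructed values standing in for a real relying party.
"""
import base64
import hashlib
import json
import secrets

RP_ID = "example.com"              # assumed relying party id (effective domain)
RP_ORIGIN = "https://example.com"  # assumed origin the RP expects to see


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> str:
    """Fresh per-request challenge the RP stores server-side before the ceremony."""
    return b64url(secrets.token_bytes(32))


def build_client_data(challenge: str, origin: str) -> bytes:
    """What the browser embeds in clientDataJSON. The origin is the page that
    invoked navigator.credentials.get(); the RP never trusts a client-supplied
    claim about which host the user *thought* they were on."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def build_authenticator_data(rp_id: str, flags: int = 0x05) -> bytes:
    """authenticatorData = rpIdHash(32) || flags(1) || signCount(4).
    flags 0x05 = user present (UP) | user verified (UV)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: str,
                     rp_id: str = RP_ID, rp_origin: str = RP_ORIGIN) -> tuple[bool, str]:
    """Binding checks an RP performs before (and independently of) signature
    verification. Returns (accepted, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Compare as bytes so compare_digest works for any client-supplied string.
    if not secrets.compare_digest(str(cd.get("challenge", "")).encode(), expected_challenge.encode()):
        return False, "challenge mismatch (replay or stale request)"
    # Exact match on scheme + host (+ port): a look-alike or proxy host fails here.
    if cd.get("origin") != rp_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch: credential scoped to another RP id"
    if auth_data[32] & 0x01 == 0:
        return False, "user presence flag not set"
    # Signature over auth_data || SHA-256(client_data_json) would be checked here
    # with the credential's stored public key (omitted: needs a crypto library).
    return True, "ok"


def demo() -> dict:
    """Legitimate login, a login relayed via a constructed look-alike host, and a
    replay with a stale challenge, all against the same RP."""
    challenge = new_challenge()
    legit = verify_assertion(build_client_data(challenge, RP_ORIGIN),
                             build_authenticator_data(RP_ID), challenge)
    lookalike = "example.com.login-portal.test"  # constructed, not a real host
    proxied = verify_assertion(build_client_data(challenge, "https://" + lookalike),
                               build_authenticator_data(lookalike), challenge)
    replay = verify_assertion(build_client_data(new_challenge(), RP_ORIGIN),
                              build_authenticator_data(RP_ID), challenge)
    return {"legit": legit, "proxied": proxied, "replay": replay}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8s} accepted={ok} ({why})")
```

The origin comparison is an exact string match, which is the point of the whole mechanism: a proxy that terminates TLS on its own hostname cannot make the browser write the relying party's origin into `clientDataJSON`, so even a session the user "completed" through it does not verify. What this check does not do is tie the assertion to a particular TLS connection, which is the distinction both posts draw.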

  33. Don’t let MFA lull you into complacency. Advanced phishing kits can still slip through.

    Before the Thanksgiving holiday, one of our customers alerted us to an Evilginx MITM phishing campaign targeting university students and SSO portals. At least 18 American institutions were targeted.

    We tested several approaches for large-scale detection, including analyzing web server fingerprints and HTTP artifacts. However, this proved challenging because Evilginx operates as a proxy between the victim’s browser and the legitimate login page, making its behavior and content nearly indistinguishable from the real site. In the end, we mostly relied on DNS for confirmation and classification.

    Here is a short blog about the campaign and actor, including involved domains and IPs.

    blogs.infoblox.com/threat-inte

    #InfobloxThreatIntel #dns #evilginx #threatintel #threatintelligence #infosec #cybersecurity #cybercrime #infoblox #phishing #mitm #aitm #sso #mfa #university #students #proxy #login

  34. @BleepingComputer : when using untrustworthy networks, use a browser that supports "warn for insecure connections" - and enable it (my advice: do both anyway).

    Note that it is near-impossible to redirect an https connection without a certificate error - until said connection has been successfully set up. After that happens, only the target website can redirect the browser.

    • Firefox uses a stupid name: "HTTPS-only". That's misleading because it only means that you'll be warned for insecure http connections (which can be enforced and hijacked by an evil twin, when not demanding https).

    • Chrome on Android is stupid too: "Always use secure connections" (default: off). Also we'll have to wait one more year for this to become the default: security.googleblog.com/2025/1.

    • Safari on iOS/iPadOS: "Not Secure Connection Warning" (also off by default).

    To test: open http.badssl.com - your browser should warn you (instead of showing the web page), but allow you to use http.

    Important: most browsers will *remember* your choice to allow an insecure connection to a specific website (based on the domain name). The criteria to "forget" such an exception vary per browser.

    #AitM #MitM #EvilTwin #HTTPSonly #InsecureConnectionWarning #Firefox #Chrome #Safari

  35. VoidProxy phishing-as-a-service bypasses MFA & SSO for Microsoft 365/Google accounts. Okta Threat Intelligence reveals sophisticated AitM attacks defeating modern authentication. Enterprise security teams: reassess your defenses NOW.

    #SecurityLand #ThreatHorizon #CyberSecurity #PhishingAttack #EnterpriseSecurity #AitM #Phishing #VoidProxy

    Read More: security.land/voidproxy-emerge

  36. 📝 Our latest #TDR report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM) #phishing threats - targeting Microsoft 365 and Google accounts - and their ecosystem.

    This report shares actionable intelligence to help analysts detect and investigate AitM phishing.

  37. China-linked hackers are turning IPv6’s auto-configuration into their secret weapon—hijacking software updates with fake router messages. Curious how these digital “wizards” pull off such sophisticated attacks?

    thedefendopsdiaries.com/unveil

    #ipv6 #cybersecurity #aitm #spellbinder #networksecurity