Monday, March 3, 2025

Gmail and Outlook 2FA Codes Compromised—Avoid Signing In

For the billions logging into Gmail and Outlook accounts daily, as well as other major email platforms including AOL and Yahoo, there’s a dangerous new attack to worry about. If you think 2FA always keeps you safe, think again. This attack “bypasses two-factor authentication through session hijacking and real-time credential interception.” The dangerous sign-in page you need to avoid is shown below.

The warning comes courtesy of SlashNext, which has just published a report into a new phishing kit dubbed Astaroth. On an infected device, this deploys a man-in-the-middle attack between user and legitimate account sign-in page, “capturing login credentials, tokens, and session cookies in real time, effectively bypassing 2FA.”

This kit was first advertised last month, and “distinguishes itself by not only intercepting login credentials but also by rapidly capturing 2FA authentication tokens and session cookies as they are generated.” The reason this is so dangerous is that its “real-time interception, enabled by a reverse proxy mechanism, allows attackers to bypass 2FA defenses with remarkable speed and precision.”

As ever, it all starts with a link and a click. Which means it’s completely avoidable if you follow the basic guidelines around not clicking links in emails, messages or on social media posts. This link will redirect you to a malicious server “which mirrors the target domain’s appearance and functionality while relaying traffic between the victim and the legitimate login page.” If you select Google, that’s the sign-in page you’re served.

You will see no security warnings and will assume you’re on the legitimate website, while the MITM attack intercepts your data and feeds the real webpage behind the scenes. “The user agent and IP address allow attackers to replicate the victim’s session environment and reduce detection risks during login.”

The sense of security you will take from 2FA is completely undermined by this attack. “Because 2FA is always involved (e.g., via SMS codes, authenticator apps, or push notifications), Astaroth automatically captures the entry of the 2FA token in real time. It also ensures that any token entered by the victim is intercepted immediately—the attacker is instantly alerted through a web panel interface and Telegram notifications.”

2FA has other issues, which is why passkeys are catching on so quickly. But this attack also steals session cookies from your browser, which can replicate your authorized session on an attacker’s device. While there are updates in place to tackle such session cookie theft, it remains a huge issue.
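On the service side, a replayed session cookie can show up as the same session suddenly being used from a different client context. The sketch below is an added example, not code from SlashNext or from any mail provider: it scans constructed log lines in a hypothetical `timestamp,session_id,client_ip,user_agent,event` format and reports any session used from an IP address or user agent other than the one it was first seen with.

```python
import csv
from io import StringIO

# Constructed sample log (hypothetical format, documentation IP ranges):
# timestamp,session_id,client_ip,user_agent,event
SAMPLE_LOG = """\
2025-03-03T09:00:01Z,sess-a1,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Chrome/133,login_2fa_ok
2025-03-03T09:00:40Z,sess-a1,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Chrome/133,mail_read
2025-03-03T09:02:10Z,sess-b2,203.0.113.20,Mozilla/5.0 (Macintosh) Safari/17,login_2fa_ok
2025-03-03T09:03:55Z,sess-b2,192.0.2.99,Mozilla/5.0 (Macintosh) Safari/17,mail_read
2025-03-03T09:04:30Z,sess-b2,192.0.2.99,Mozilla/5.0 (Macintosh) Safari/17,forwarding_rule_added
"""


def find_context_changes(log_text):
    """Return events where a session is used from a different IP or user agent
    than the one recorded the first time that session was seen."""
    bound = {}      # session_id -> (ip, user_agent) at first use
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, sid, ip, ua, event = row
        if sid not in bound:
            bound[sid] = (ip, ua)
            continue
        first_ip, first_ua = bound[sid]
        changed = []
        if ip != first_ip:
            changed.append("ip")
        if ua != first_ua:
            changed.append("user_agent")
        if changed:
            findings.append({
                "session": sid, "time": ts, "event": event,
                "changed": changed, "first_ip": first_ip, "seen_ip": ip,
            })
    return findings


if __name__ == "__main__":
    for f in find_context_changes(SAMPLE_LOG):
        print(f)
```

Because the kit also records the victim's user agent and IP address, a match on both is not proof of a legitimate session, and an IP change alone also happens on mobile networks; treat a hit as a reason to re-authenticate the session rather than as a verdict.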


This phishing kit is inexpensive and now available. “For $2,000, users receive six months of continuous updates, gaining access to the latest improvements and bypass techniques. To build trust, Astaroth offers testing before purchase, showcasing its legitimacy on cybercrime marketplaces.”

Remember, while many phishing lures remain rudimentary, AI is fast changing this and they will become harder to detect. The advice is clear-cut. Do not click links that direct you to sign-in pages for the platforms you use. Only access accounts through usual login methods. If you need to revalidate, navigate to a sign-in page through usual channels, never through a link unless it’s one you’ve just requested from a usual channel.
