Bluekit Phishing Kit Leverages BIM Attacks to Bypass Security

Post Views: 10

A newly identified phishing-as-a-service (PHaaS) platform named Bluekit has emerged as a sophisticated tool for credential theft, employing advanced evasion techniques to avoid detection.

Phishing Mechanism: Browser-in-the-Middle (BitM) Tactics

Bluekit executes a process where the genuine login interface—such as a Microsoft authentication page—is embedded within a browser controlled by attackers. This approach utilizes an open-source tool called rrweb to capture and transmit real-time Document Object Model (DOM) interactions to the victim via a WebSocket connection.

Unlike static screenshots or video streams, this method presents a fully functional login page to the user, creating the illusion of a legitimate session. When victims enter their credentials or interact with the page, these actions are directly routed to the attacker’s browser.

According to Netcraft’s analysis, Bluekit employs a pre-engagement phase to differentiate between automated scanners and human users.

Multi-Layered Evasion Strategy to Bypass Security Tools

Pre-Engagement Bot Detection Checks

This involves executing over 20 bot detection checks, including evaluations of system parameters such as RAM capacity, screen resolution, and browser language settings.

WebRTC and STUN Server Verification

WebRTC technology is leveraged to connect to a STUN server, enabling the platform to verify user configurations. This capability allows attackers to identify whether a visitor is using a proxy, virtual private network (VPN), or other anonymization tools.

Advantages Over Traditional Phishing Frameworks

Seamless User Experience and Browser Fingerprint Consistency

Researchers noted that the user experience remains seamless, with only minor delays in mouse input serving as potential indicators of the attack. Bluekit mitigates risks by initiating the session entirely on the attacker’s machine, ensuring consistency in browser fingerprints.

As Bluekit becomes more prevalent, cybersecurity professionals emphasize the importance of heightened vigilance. Users are advised to scrutinize login pages even when they appear authentic, as the platform’s sophisticated techniques can bypass conventional security measures.

“The evolution of such tools underscores the need for continuous monitoring and adaptive defense strategies to counter emerging threats,” said researchers.