A cyber warfare expert has revealed how to avoid a vicious online scam targeting all 1.8 billion Gmail accounts.
Hackers are using a new tool called Astaroth that steals a victim’s web security details in real-time, fooling the target into thinking they’ve logged into their accounts normally by sending them to a phony webpage which looks just like their browser.
James Knight, who has 25 years of experience in the field of digital security, told DailyMail.com that people need to have a spam filter active on their accounts to block these phishing emails.
‘If these emails are received, people should be very careful what they open and the links they click on. Remember, just because it looks like a Gmail or Office login, doesn’t mean it is,’ Knight warned.
Knight is a pen tester, someone who specializes in breaking through a company’s digital defenses in order to gauge how prepared his clients are for real hacking attempts.
He recently used cybercrime tools like Astaroth on clients ‘to test their employee’s security awareness, and the technical security safeguards, and we find it very effective.’
The cyber warfare guru says Astaroth can even help hackers impersonate their victims, sending devastating emails from their accounts.
‘We just did an attack whereby we got into a CEO’s emails, which we then leveraged for sending further emails to employees from this account. These attacks can be deadly for a company,’ Knight explained.
The new phishing tool Astaroth is giving hackers the ability to defeat your email’s two-factor authentication with disturbing speed
Astaroth allows hackers to fool victims into thinking they’re using their normal browser, but it’s really a fake
Astaroth, which is now for sale on the dark web, can defeat two-factor authentication (2FA) to take over accounts.
Two-factor authentication (a form of multi-factor authentication) is supposed to add an extra layer of protection for your private online accounts, typically by sending an access code to the legitimate user’s phone or email.
However, this phishing kit steals these forms of identification in real-time, fooling the victim into thinking they logged into their accounts normally by sending them to a phony browser page on a ‘reverse proxy’ server.
Hackers using Astaroth can gain access to usernames, passwords, credit card numbers, bank information, and other important data once the victim logs into their accounts through these phony pages.
Until now, most phishing tools relied on sending emails with suspicious links that took victims to fake login pages, capturing their main usernames and passwords.
This meant 2FA could still keep email users safe by requesting they verify that it was really them logging into their accounts.
However, Astaroth acts like a middle man for hackers, capturing login credentials (usernames and passwords), tokens (2FA codes), and session cookies (web browser files) in real time.
All this effectively bypasses any form of multi-factor authentication (MFA) on your accounts.
‘Astaroth in particular is of note because it comes with support and updates,’ Knight said. ‘These updates are essential because Google, Microsoft, etc. put a lot of work in protecting against these attacks.’
Cyber warfare expert James Knight says this type of phishing scheme ‘can be deadly for a company,’ targeting CEOs and stealing their email accounts
The seller of Astaroth is reportedly selling the new phishing kit on the dark web for $2,000 and can send it to buyers on the app Telegram
As Knight noted, the dark web seller of Astaroth is reportedly offering six months of updates for this malicious software – all for $2,000, delivered anonymously through the app Telegram.
‘Similar phishing techniques and tools that utilize a reverse proxy to steal login information, the MFA code, and the session cookie have been out for years,’ Knight explained.
‘The ones that proxy the connection between the user and the email service are the most dangerous as they give persistent access, even if the user has setup security features such as MFA.’
According to technology company SlashNext, anyone using services like Gmail, Yahoo, AOL, and Microsoft Outlook could be vulnerable to these attacks.
Knight added that both Microsoft and Google have been working on defending their users against this latest phishing scheme, but one of the companies may be lagging behind.
The cybersecurity expert for DigitalWarfare.com said, ‘Microsoft has done the most work in protecting against this type of attack and it’s a fast game of cat and mouse. Google with Gmail has done some work on this but not to the same extent.’
How exactly does Astaroth work?
Victims set off Astaroth by clicking on a suspicious URL, typically sent in spam or deceptively-worded emails.
The link sends the victim to a reverse proxy server the hacker is using instead of their actually web browser.
The malicious server sits ‘in front’ of the user’s legitimate server, app, or cloud service and forwards all the victim’s web browser requests to the hacker.
For cybercriminals, this allows them to monitor and capture everything the victim wants to send to their normal browser.
The rogue server mimics the target domain’s appearance while continuing to send traffic between the victim and the legitimate login page.
Simply put, if you’re on Gmail, Astaroth puts up a phony Gmail login screen for the victim to use, allowing the hacker to copy their private information down before passing it on to the real Gmail.
According to the FBI, phishing schemes were the most frequently reported form of internet crime in 2023.
Federal officials said that over 298,000 complaints were filed about phishing schemes that year, accounting for roughly one-third of all cyber crimes in 2023.
