09-05, 13:30–14:00 (Europe/Amsterdam), Main track
Protecting Hundreds of Organizations Against AiTM: Lessons Learned" dives into the evolving threat of AiTM) attacks. Our presentation highlights the transition from basic phishing tactics to sophisticated methods that compromise organizational security. The presentation outlines the journey from oldschool phishing attacks, to phishing framework like UADMIN, and the introduction of tools like Evilginx. And now the SaaS providers allowing anyone to buy access to an AiTM platform.
We’ve introduced a free method of detecting AiTM attacks. Which has allowed us an insight into the scale of AiTM attacks atleast against Microsoft M365 tenants. This prompted the development of a fingerprinting tool to gain an insight into the different actors performing these attacks and typical methods they employ.
We give an insight into a popular AiTM SaaS platform and the revenue stream hosting such software creates. The session ends by outlining common techniques to prevent these types of attacks. Most organizations use M365 and experience attacks using AITM to bypass MFA. At the same time SaaS providers are building AITM services that allow targeteted attacks allowing for supply chain attacks (AITM targeted against admin sites for: pypi, npmjs and rubygems). At the same time used for very specific scams for example against booking.com. Attackers use the booking.com hotel login to extract creditcard information for upcomming hotel guests.
There’s been an uprising in the amount of AITM based attacks. BEC fraud operators use it as MFA is more and more common. But the apearance of SaaS providers in the AITM space make these attacks easier to perform and therefore making them more common. Booking.com has been a popular target allowing attackers to use the hotel operator login to phish creditcards by sending upcomming guests reminders to pay. The fact that these reminders are sent via the booking.com app makes them super trustworthy. At the same time environments such as M365/EntraID are popular targets for other operators. This past year we’ve been trying to prevent and detect these types of attacks. The goal of the presentation is make attendees aware of the risks, the different operators and types of attacks happening today.
Rik has over 10 years of experience in offensive security area working as a penetration tester. Next to his work assessing the security of infrastructures, he spends time researching trends within IT security and on developing defensive measures.
