AiTM: Lessons Learned (hackerhotel2025) episode artwork

EPISODE · Feb 15, 2025 · 39 MIN

AiTM: Lessons Learned (hackerhotel2025)

from Chaos Computer Club - archive feed · host Rik van Duijn, Wesley Neelen

"AiTM: Lessons Learned" dives into the evolving threat of AiTM attacks. Our presentation highlights the transition from basic phishing tactics to sophisticated methods that compromise organizational security. The presentation outlines the journey from oldschool phishing attacks, to phishing framework like UADMIN, and the introduction of tools like Evilginx. And now the SaaS providers allowing anyone to buy access to an AiTM platform. We give an insight into a popular AiTM SaaS platform and the revenue stream hosting such software creates. The session ends by outlining common techniques to prevent these types of attacks. Most organizations use M365 and experience attacks using AITM to bypass MFA. At the same time SaaS providers are building AITM services that allow targeteted attacks allowing for supply chain attacks (AITM targeted against admin sites for: pypi, npmjs and rubygems). At the same time used for very specific scams for example against booking.com. Attackers use the booking.com hotel login to extract creditcard information for upcomming hotel guests. There's been an uprising in the amount of AITM based attacks. BEC fraud operators use it as MFA is more and more common. But the apearance of SaaS providers in the AITM space make these attacks easier to perform and therefore making them more common. Booking.com has been a popular target allowing attackers to use the hotel operator login to phish creditcards by sending upcomming guests reminders to pay. The fact that these reminders are sent via the booking.com app makes them super trustworthy. At the same time environments such as M365/EntraID are popular targets for other operators. This past year we've been trying to prevent and detect these types of attacks. The goal of the presentation is make attendees aware of the risks, the different operators and types of attacks happening today. outline: 1) What is AiTM/BITB 1.1) Phishing history 1.2) Old school phish 1.3) Introduction of commong framework (UADMIN, opwelk, haiku) 1.4) Evilginx 1.5) AiTM SaaS providers 2) How to detect phishes 2.1) The concept 2.2) What we have built - didsomeoneclone.me 2.3) Then came the Microsoft idea 2.4) Gaining insight into the amount of phishes 3) Fingerprint tool 3.1) The goal 3.2) How does it work? 3.3) Adding certificate transparency to preempt attacks 3.4) Outcome and statistics 4) What we see 4.1) How often does it actually occur? 4.2) Different actors. Example.com. Evilginx Rick Roll, MSPHP 4.3) Microsoft sandbox also visits the URLs and they come in 4.4) How quickly is Evilginx taken down 5) actors 5.1) various offers 5.2) actor revenue 6) Future work 6.1) automatically finding victims in our EDR tooling 6.2) Attempts at improvement - CSS exfil. 6.3) Roadmap Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/WYLJK3/

Episode metadata supplied by the publisher feed · Published Feb 15, 2025

"AiTM: Lessons Learned" dives into the evolving threat of AiTM attacks. Our presentation highlights the transition from basic phishing tactics to sophisticated methods that compromise organizational security. The presentation outlines the journey from oldschool phishing attacks, to phishing framework like UADMIN, and the introduction of tools like Evilginx. And now the SaaS providers allowing anyone to buy access to an AiTM platform. We give an insight into a popular AiTM SaaS platform and the revenue stream hosting such software creates. The session ends by outlining common techniques to prevent these types of attacks. Most organizations use M365 and experience attacks using AITM to bypass MFA. At the same time SaaS providers are building AITM services that allow targeteted attacks allowing for supply chain attacks (AITM targeted against admin sites for: pypi, npmjs and rubygems). At the same time used for very specific scams for example against booking.com. Attackers use the booking.com hotel login to extract creditcard information for upcomming hotel guests. There's been an uprising in the amount of AITM based attacks. BEC fraud operators use it as MFA is more and more common. But the apearance of SaaS providers in the AITM space make these attacks easier to perform and therefore making them more common. Booking.com has been a popular target allowing attackers to use the hotel operator login to phish creditcards by sending upcomming guests reminders to pay. The fact that these reminders are sent via the booking.com app makes them super trustworthy. At the same time environments such as M365/EntraID are popular targets for other operators. This past year we've been trying to prevent and detect these types of attacks. The goal of the presentation is make attendees aware of the risks, the different operators and types of attacks happening today. outline: 1) What is AiTM/BITB 1.1) Phishing history 1.2) Old school phish 1.3) Introduction of commong framework (UADMIN, opwelk, haiku) 1.4) Evilginx 1.5) AiTM SaaS providers 2) How to detect phishes 2.1) The concept 2.2) What we have built - didsomeoneclone.me 2.3) Then came the Microsoft idea 2.4) Gaining insight into the amount of phishes 3) Fingerprint tool 3.1) The goal 3.2) How does it work? 3.3) Adding certificate transparency to preempt attacks 3.4) Outcome and statistics 4) What we see 4.1) How often does it actually occur? 4.2) Different actors. Example.com. Evilginx Rick Roll, MSPHP 4.3) Microsoft sandbox also visits the URLs and they come in 4.4) How quickly is Evilginx taken down 5) actors 5.1) various offers 5.2) actor revenue 6) Future work 6.1) automatically finding victims in our EDR tooling 6.2) Attempts at improvement - CSS exfil. 6.3) Roadmap Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/WYLJK3/

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

AiTM: Lessons Learned (hackerhotel2025)

0:00 39:35

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

LIGHTS, CAMERA, SMILE! Creatives Club Media Lights, Camera, Smile, is a podcast for anyone with a dream to share something with the world, out of the overflow of themselves - be it their mind, their heart, their personalities, and much more. Each of us are alive in this moment in time, with an innate ability to have ideas and create various things to benefit both ourselves and the people around us for a reason, and here, you will find the encouragement, the inspiration, and the motivation to do just that. Hosted by Cicily, founder of Creatives Club, she dives into various topics surrounding creativity and business. Exploring entrepreneurship for creatives in a corporate reality, sharing tips and tricks in a media centered company, answering questions regarding what a creative actually is are just a few of the things discussed on this podcast. Be encouraged to create for yourself as Cicily gets vulnerable by pivoting the camera to herself for the first time.To submit questions for Cicily to answer, or have her address certain t The PFN Cincinnati Bengals Podcast Pro Football Network The PFN Cincinnati Bengals Podcast is where you can stay up-to-date with the latest news and analysis on the Cincinnati Bengals! Our hosts, industry experts Jay Morrison and Dallas Robinson, provide weekly coverage of all the latest rumors and updates about the Bengals. Don’t forget to follow the show to receive new episodes directly in your podcast feed and leave a rating and review to let us know your thoughts. Piramidi Club The Bitcoin Butcher La Migliore Pizza di Firenze Blue Light News Archive Blue Light News is an innovative new Internet radio show devoted to covering the news of Unicoi County in a unique and interesting way.

Frequently Asked Questions

How long is this episode of Chaos Computer Club - archive feed?

This episode is 39 minutes long.

When was this Chaos Computer Club - archive feed episode published?

This episode was published on February 15, 2025.

What is this episode about?

"AiTM: Lessons Learned" dives into the evolving threat of AiTM attacks. Our presentation highlights the transition from basic phishing tactics to sophisticated methods that compromise organizational security. The presentation outlines the journey...

Can I download this Chaos Computer Club - archive feed episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!