Sneaky 2FA Phishing Kit
Cybersecurity researchers have uncovered a sophisticated Adversary-in-the-Middle (AitM) phishing kit, dubbed Sneaky 2FA, that has been actively targeting Microsoft 365 accounts since at least October 2024. This kit is engineered to intercept credentials and Two-Factor Authentication (2FA) codes, offering threat actors a powerful tool for account compromise.
Widespread Adoption and Features of Sneaky 2FA
Nearly 100 domains hosting Sneaky 2FA phishing pages have been identified, signaling moderate adoption among cybercriminals. Sold as Phishing-as-a-Service (PhaaS) by a group called Sneaky Log, this kit is distributed through a feature-rich Telegram bot. Customers receive an obfuscated version of the source code, allowing them to deploy it independently.
Phishing Campaigns Targeting Victims
Campaigns leveraging Sneaky 2FA have been observed sending fake payment receipt emails containing PDF attachments. These PDFs include QR codes that, when scanned, redirect victims to phishing pages designed to mimic Microsoft 365 login portals. These pages are hosted on compromised infrastructure, often involving WordPress websites, and automatically populate victims' email addresses to increase legitimacy.
Robust Evasion and Anti-Analysis Tactics
Sneaky 2FA employs advanced anti-bot and anti-analysis techniques. It filters traffic and uses Cloudflare Turnstile challenges to restrict access to its credential harvesting pages. The kit also runs checks to detect and resist scrutiny through web browser developer tools. Visitors from data centers, proxies, or VPNs are redirected to a Microsoft-related Wikipedia page via the href.li service, earning the kit the nickname WikiKit from TRAC Labs.
Deceptive Visuals to Mislead Users
To enhance its authenticity, Sneaky 2FA incorporates blurred images of legitimate Microsoft interfaces as backgrounds on its fake login pages. This tactic aims to deceive users into entering their credentials under the impression they are accessing genuine Microsoft content.
Licensing and Links to W3LL Store
The Sneaky 2FA kit requires an active subscription to function, with a license key verification conducted through a central server. The service is advertised at $200 per month, offering exclusive access to its features. Investigations have also revealed connections to the W3LL Store, a phishing syndicate previously linked to the W3LL Panel and tools used in business email compromise (BEC) attacks. While Sneaky 2FA shares some code and techniques with the W3LL Panel, researchers believe it is not a direct successor.
A History of Code Reuse and Migration
Interestingly, parts of Sneaky 2FA's codebase appear to be borrowed from W3LL OV6, with deobfuscated versions of the latter circulating among cybercriminals in recent years. Some Sneaky 2FA domains were previously associated with AitM kits like Evilginx2 and Greatness, suggesting a shift among some attackers toward adopting the new service.
Unusual User-Agent Behavior: A Red Flag
One of Sneaky 2FA's most distinctive traits is its use of different hardcoded User-Agent strings during the authentication process. While such transitions may occur in legitimate scenarios (e.g., switching between desktop apps and web browsers), the specific sequence used by Sneaky 2FA is highly irregular. This anomaly provides a reliable means for detecting the kit in action.
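The User-Agent anomaly described above can be turned into a simple detection over sign-in logs: group authentication-step events per user, and flag any flow in which consecutive steps arrive within a short window but carry different User-Agent strings. The script below is an added example and is not code from the original article or from any vendor; the log format (one JSON line per step with fields ts, session, user, step, ua), the two-minute window, and every User-Agent value in the sample are constructed for illustration and are not the kit's actual hardcoded strings, which the article does not publish.

```python
"""Flag User-Agent switches inside a single Microsoft 365 sign-in flow.

Added example, not from the original article. It assumes a simplified
sign-in log with one JSON object per authentication step (username,
password, mfa). Field names, timestamps and User-Agent strings below are
constructed for illustration only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (JSON lines). "bob" shows a UA change at every
# step within seconds; "carol" changes browser but 45 minutes apart, which
# is the ordinary retry-from-another-browser case we do not want to flag.
SAMPLE_LOG = """\
{"ts": "2025-01-15T09:00:01Z", "session": "s1", "user": "alice@example.com", "step": "username", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2025-01-15T09:00:04Z", "session": "s1", "user": "alice@example.com", "step": "password", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2025-01-15T09:00:09Z", "session": "s1", "user": "alice@example.com", "step": "mfa", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2025-01-15T09:05:00Z", "session": "s2", "user": "bob@example.com", "step": "username", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0"}
{"ts": "2025-01-15T09:05:03Z", "session": "s2", "user": "bob@example.com", "step": "password", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"}
{"ts": "2025-01-15T09:05:07Z", "session": "s2", "user": "bob@example.com", "step": "mfa", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/605.1.15"}
{"ts": "2025-01-15T10:00:00Z", "session": "s3", "user": "carol@example.com", "step": "username", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) Safari/17.0"}
{"ts": "2025-01-15T10:45:00Z", "session": "s3", "user": "carol@example.com", "step": "password", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) Chrome/120.0"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_ua_switches(events, window=timedelta(minutes=2)):
    """Return {user: [(step_from, step_to, ua_from, ua_to), ...]}.

    A pair of consecutive steps by the same user is reported when the
    second step follows the first within `window` and the User-Agent
    string differs. Events are grouped by user rather than session id
    because, in an AitM relay, the victim's identity is the stable key.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            close_in_time = cur["ts"] - prev["ts"] <= window
            if close_in_time and cur["ua"] != prev["ua"]:
                findings.setdefault(user, []).append(
                    (prev["step"], cur["step"], prev["ua"], cur["ua"])
                )
    return findings


def suspicious_users(text, window=timedelta(minutes=2)):
    """Convenience wrapper: sorted list of users with at least one switch."""
    return sorted(find_ua_switches(parse_log(text), window))


if __name__ == "__main__":
    for user, switches in find_ua_switches(parse_log(SAMPLE_LOG)).items():
        print(f"[!] {user}: {len(switches)} User-Agent switch(es) in one flow")
        for step_from, step_to, ua_from, ua_to in switches:
            print(f"    {step_from} -> {step_to}: {ua_from!r} -> {ua_to!r}")
```

Because the article notes that legitimate transitions exist (for example a desktop app handing off to a browser), this is a triage signal rather than a signature: tune the window to your tenant's typical step spacing and allowlist known-good application pairs before alerting on every hit.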
Conclusion: A Growing Threat in the Cybercrime Landscape
Sneaky 2FA represents an evolution in phishing tools, combining advanced evasion tactics, user deception, and a PhaaS model to cater to cybercriminals. Its adoption highlights the ever-changing nature of online threats and the importance of staying vigilant against sophisticated phishing campaigns.