www.netcraft.com
Bluekit Phishing-as-a-Service Platform Operational at Scale
The Bluekit phishing-as-a-service platform has been confirmed operational, with approximately 70 new hostnames detected in the last week. This platform employs a sophisticated browser-in-the-middle (BitM) technique, allowing attackers to capture login credentials by streaming a legitimate login page to victims through an attacker-controlled browser. First documented by Varonis Threat Labs, Bluekit has evolved to include features such as an AI assistant for drafting phishing emails and a comprehensive victim qualification system to distinguish real targets from automated scanners. The platform utilizes the open-source library rrweb for session replay, making it harder to detect. Anti-analysis measures include dynamic JavaScript obfuscation and custom CAPTCHA implementations. The ability to bypass multi-factor authentication (MFA) significantly increases the threat level posed by Bluekit. Organizations are urged to be vigilant against this evolving threat.
Key Points:
• Bluekit detected with 70 new hostnames in one week, indicating rapid deployment.
• Utilizes browser-in-the-middle technique to capture login credentials in real time.
• Employs advanced evasion tactics, including dynamic obfuscation and custom CAPTCHAs.