How to Detect Phishing MitM Sites by Their Network Fingerprint

Experts Demonstrate How to Detect Phishing MitM Sites by Network Fingerprint

Researchers have developed a machine-learning method that can reliably identify a phishing site operating as a man-in-the-middle (MitM) proxy between a target service and its users. Such sites are hard to detect by conventional means and rarely make it onto blocklists.

How the Research Was Conducted

A joint team from Stony Brook University (New York) and Palo Alto Networks studied 13 popular MitM phishing kits. Demand for these toolkits, often distributed as ZIP archives, has been growing. Unlike a standard phishing kit, which serves a static copy of a login page, a MitM kit relays the victim's traffic to the real service and harvests credentials and session tokens from it in real time.

In a MitM attack scenario, a reverse-proxy site is placed between the user and the legitimate service. The proxy terminates the victim's TLS connection, forwards each request to the real service, and returns the real response, so it sees every request and reply in plaintext. As a result, attackers obtain not only usernames and passwords but also the session cookies issued after login; because the victim completes two-factor authentication (2FA) against the genuine service, the stolen post-authentication cookie lets the attacker bypass 2FA without ever seeing the second factor.

Why These Attacks Are Hard to Detect

With such a proxy, the visual fidelity of the phishing page matters less: the content is the real service's content, and the illusion is maintained after authentication because the victim can keep browsing the genuine site through the proxy. To the legitimate service the proxy looks like an ordinary client, so the substitution is unlikely to be noticed on the server side.

These sites also tend to survive longer: the study found that only 43.7% of domains and 18.9% of IP addresses associated with MitM phishing ever appear on blocklists. According to the authors, their proposed method closes this gap and raises detection accuracy to 99.9%.

The Detection Method

To uncover these well-hidden fakes, the researchers built a machine-learning classifier that works on network-level features rather than page content: the TLS fingerprint presented by the server and the timing of request transmission and response. Sample collection was automated with their own tool, PHOCA, which crawled candidate URLs from phishing feeds such as OpenPhish and PhishTank.

The main detection signal is latency. A reverse proxy answers the TCP and TLS handshakes itself, but it cannot answer an HTTP request until it has forwarded that request to the legitimate service and received the reply. The application-level round trip is therefore slow relative to the handshake, and this skew is what the classifier picks up. The TLS layer adds a second signal: the handshake that the victim's browser sees comes from the kit's own TLS stack, not from the legitimate service's, so the server-side TLS fingerprint deviates from what the real site presents.
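The following is an added illustration of the timing heuristic described above; it is not PHOCA's code and does not reproduce the paper's classifier or feature set. It measures TCP connect time, TLS handshake time and HTTP time-to-first-byte on one connection, then compares the median ratio of HTTP latency to TCP round-trip time against a threshold. The threshold value of 3.0 and the sample timings are assumptions chosen for the example (the constructed samples represent a site serving its own content versus one relaying through a proxy); a real deployment would learn the cut-off from labelled data and combine it with the TLS-fingerprint features.

```python
"""Timing heuristic for a reverse-proxy (MitM) phishing site.

Added example, not the PHOCA tool. Idea: the host you connect to answers
the TCP/TLS handshakes itself, but must relay each HTTP request to the
legitimate origin before it can reply, so HTTP latency is inflated
relative to the transport-level round trip.
"""
from __future__ import annotations

import socket
import ssl
import sys
import time
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Timing:
    tcp_rtt: float    # seconds: TCP connect (SYN -> SYN/ACK, one RTT to the host)
    tls_rtt: float    # seconds: TLS handshake (one or two RTTs plus crypto work)
    http_ttfb: float  # seconds: request sent -> first byte of the response


def request_to_handshake_ratio(t: Timing) -> float:
    """HTTP time-to-first-byte expressed in units of the TCP round trip.

    A server that holds the content answers in roughly one RTT plus its own
    processing time. A relaying proxy adds its own RTT to the origin (and the
    origin's processing) on top, so the ratio grows.
    """
    return t.http_ttfb / t.tcp_rtt


def classify(samples: list[Timing], threshold: float = 3.0) -> tuple[str, float]:
    """Median over several samples damps jitter from a single slow request.

    The threshold is an assumption for this example, not a value from the paper.
    """
    ratio = median(request_to_handshake_ratio(s) for s in samples)
    label = "suspected-mitm-proxy" if ratio >= threshold else "direct-origin"
    return label, ratio


def measure_once(host: str, port: int = 443, path: str = "/",
                 timeout: float = 5.0) -> Timing:
    """Take one live measurement (needs network; not exercised by the test)."""
    ctx = ssl.create_default_context()
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    tls = ctx.wrap_socket(raw, server_hostname=host)   # handshake happens here
    t2 = time.perf_counter()
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    tls.sendall(req.encode())
    tls.recv(1)                                        # block until first byte
    t3 = time.perf_counter()
    tls.close()
    return Timing(tcp_rtt=t1 - t0, tls_rtt=t2 - t1, http_ttfb=t3 - t2)


# Constructed samples (assumed, not measured): a site serving its own content
# and a site relaying every request through a proxy to the real origin.
DIRECT_SAMPLES = [
    Timing(0.020, 0.045, 0.035),
    Timing(0.021, 0.044, 0.038),
    Timing(0.019, 0.046, 0.033),
]
PROXIED_SAMPLES = [
    Timing(0.020, 0.050, 0.140),
    Timing(0.022, 0.049, 0.160),
    Timing(0.019, 0.051, 0.150),
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        live = [measure_once(host) for _ in range(5)]
        print(host, *classify(live))
    else:
        print("constructed direct  :", *classify(DIRECT_SAMPLES))
        print("constructed proxied :", *classify(PROXIED_SAMPLES))
```

Run it with a hostname to take five live measurements, or with no arguments to see the verdict on the constructed samples. Note that a legitimate site behind a CDN or load balancer also relays requests and will raise this ratio, which is exactly why the researchers pair timing with TLS-fingerprint features rather than relying on latency alone.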

Key Findings

Over the course of a year, the researchers identified 1,220 sites set up for MitM phishing, mainly in the US and Europe and hosted on Amazon, DigitalOcean, Microsoft, or Google infrastructure. The sites most often impersonated Instagram, Google, Facebook, Microsoft Outlook, PayPal, Apple, Twitter, Coinbase, Yahoo, and LinkedIn. Monitoring 260 of these sites over six months showed that they received 6,403 requests from users.

PHOCA Framework and Its Applications

According to the researchers, PHOCA can be integrated into existing infrastructure with little effort. It can feed web blocklists with sites that content-based scanners miss, or run on the side of a popular service to flag incoming requests that arrive through a MitM phishing kit rather than directly from a user. Testing showed that the method sees through the cloaking these toolkits use to evade crawlers and detects phishing content that previously went unnoticed.
