A new phishing-as-a-service (PHaaS) platform called Bluekit is letting cybercriminals steal user accounts using a tricky method. While Varonis Threat Labs first spotted and reported the platform earlier this year, it appeared to be in development at that time.
New data shows it is now fully active on a large scale. Cybersecurity firm Netcraft has reported this sudden rise, discovering around 70 active domains using the system in just one week.
How the Scam Works
Typical phishing kits trick people either by serving a copied login page or by proxying traffic between the victim and the real site. Bluekit changes this approach by using an attack method called Browser-in-the-Middle (BitM).
According to Netcraft researchers, the system loads the real login page, like a Microsoft login, inside a browser that the hackers control. An open-source software tool called rrweb then “records and streams live DOM interactions” to the victim over a WebSocket connection, researchers explained.
Further investigation revealed that the victim sees a real, working page instead of a simple picture or video stream. When the target types their details or clicks on buttons, those actions go right into the hacker’s browser. The victim thinks they are logging in normally, but they are actually opening their account inside the hacker’s computer.
Passing the Security Tests
Before showing the fake login page, the system runs a series of tests to block security tools. Netcraft’s research, shared exclusively with Hackread.com, highlighted that Bluekit uses a “layered evasion architecture designed to prevent automated detection” from safety systems.
“Bluekit operates in two distinct phases: a pre-engagement evasion phase designed to distinguish human victims from automated scanners, and a delivery phase in which the BitM technique is executed,” the blog post reads.
The attack sequence shows that when a victim loads the scam link, the system runs more than 20 bot checks. It looks at device details like RAM, screen size, and browser language. Using WebRTC, it connects to a STUN server to learn the visitor’s real network address.
From this, the operators can see if a visitor is using a proxy or a VPN to hide their identity. If the visitor appears to be a real person, a fake safety check page or CAPTCHA appears that often copies big names like Cloudflare to trick the user.
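The two traits described above, a real login page streamed to the victim through a session-replay library over a WebSocket, and a fingerprinting stage that probes hardware details and a STUN server, are things a defender can look for in crawled page content. The following is an added example written for this article, not code from Netcraft, Varonis, or Hackread, and not the kit itself. It scores a fetched HTML page on a handful of indicators and flags it when a brand name appears on a host that does not belong to that brand. The indicator names, weights, threshold, brand-to-host table, and all sample pages are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Indicator patterns and weights (assumed values for this example).
# rrweb is a legitimate session-replay library, so it is only suggestive on its own.
INDICATORS = {
    "rrweb_replayer": (re.compile(r"rrweb", re.I), 3),                      # DOM replay library present
    "websocket_stream": (re.compile(r"new\s+WebSocket\s*\(", re.I), 2),    # live stream channel
    "stun_probe": (re.compile(r"RTCPeerConnection|stun:", re.I), 2),       # WebRTC/STUN address probe
    "hw_fingerprint": (
        re.compile(r"navigator\.(?:deviceMemory|hardwareConcurrency|language)|screen\.(?:width|height)", re.I),
        1,
    ),                                                                       # RAM / screen / language checks
}

# Brand keywords and the host suffixes that legitimately serve their logins (assumed table).
BRAND_HOSTS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "live.com"),
}

FLAG_THRESHOLD = 6  # assumed; tuned so rrweb + WebSocket alone (5) is not enough


def host_matches(hostname, suffixes):
    """True if hostname is one of the suffixes or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def score_page(url, html):
    """Return a dict with the indicator hits, total score, and a flag decision for one page."""
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(html)]
    score = sum(INDICATORS[name][1] for name in hits)
    host = (urlparse(url).hostname or "").lower()
    lowered = html.lower()
    for brand, suffixes in BRAND_HOSTS.items():
        # A brand's login text on a host outside the brand's own domains is the decisive signal.
        if brand in lowered and not host_matches(host, suffixes):
            hits.append("brand_mismatch:" + brand)
            score += 3
    return {"url": url, "score": score, "indicators": hits, "flag": score >= FLAG_THRESHOLD}


def scan(pages):
    """Score every (url, html) pair and return the results that were flagged."""
    return [r for r in (score_page(u, h) for u, h in pages) if r["flag"]]


# Constructed sample pages; the hostnames under .test are placeholders, not real sites.
SAMPLE_PAGES = [
    ("https://signin.example-phish.test/common/oauth2",
     '<html><head><title>Sign in to your account</title>'
     '<script src="/static/rrweb-player.min.js"></script><script>'
     'const ws = new WebSocket("wss://stream.example-phish.test/s");'
     'const pc = new RTCPeerConnection({iceServers:[{urls:"stun:stun.example.test:3478"}]});'
     'if (navigator.deviceMemory < 2 || screen.width < 800) location.href = "/decoy";'
     '</script></head><body>Microsoft sign in</body></html>'),
    ("https://login.microsoftonline.com/",
     '<html><head><title>Sign in to Microsoft</title></head><body>Microsoft</body></html>'),
    ("https://app.example-saas.test/dashboard",
     '<html><head><script src="/js/rrweb.min.js"></script><script>'
     'const ws = new WebSocket("wss://app.example-saas.test/replay");</script></head></html>'),
]

if __name__ == "__main__":
    for result in (score_page(u, h) for u, h in SAMPLE_PAGES):
        print(result["url"], result["score"], result["flag"], result["indicators"])
```

The third sample page shows the false-positive boundary: a site that uses rrweb for its own session analytics scores 5 and is not flagged, while the first page combines the replay channel, the STUN probe, the hardware checks, and a Microsoft login rendered on a non-Microsoft host and scores 11. In practice the brand table would be far larger and the thresholds tuned against real crawl data; the structure of the check is the point.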
Why This Tool Differs
Hackers love this new setup because it helps them bypass extra security steps. With older tools like Evilginx, stealing an active session and moving it to a new computer could trigger a safety alarm due to a mismatch in browser details.
With Bluekit, the session starts on the hacker’s machine from the very beginning. This means the browser details never change, making it much harder for security systems to spot the trick. Researchers noted that the tool creates a very smooth experience for the victim with no bad quality issues, though a slight lag in mouse clicks might be the only giveaway. Since this platform is now fully live, users must remain cautious even when a login page looks completely genuine.
