Published on June 26, 2026

Bluekit phishing kit adopts browser-in-the-middle for login theft

Severity

Medium

Detail

Security researchers have identified a phishing-as-a-service kit known as BlueKit, which uses a “browser-in-the-middle” (BITM) technique to steal user credentials and session data in real time. Unlike traditional phishing pages that simply collect usernames and passwords, BlueKit acts as a live intermediary between the victim and the legitimate login page. This allows attackers to intercept not only credentials but also multi-factor authentication (MFA) tokens and active session cookies. The kit is being used to target login portals of widely used online services, increasing the risk of account takeover even when MFA is enabled.

How?

BlueKit operates by positioning an attacker-controlled proxy server between the victim’s browser and the real authentication website. When a user clicks a phishing link, they are routed through this proxy, which then forwards requests to the legitimate site while relaying responses back to the victim in real time.

Because the victim is interacting with the real service through the proxy, everything appears legitimate, including SSL/TLS indicators and correct login pages. When the user enters credentials and completes MFA, BlueKit captures the authentication flow and extracts session cookies or tokens after login is completed.

These stolen session tokens are especially dangerous because they can be replayed by attackers to bypass login entirely, effectively granting access without needing passwords or MFA again. This makes BITM phishing significantly more effective than static credential-harvesting pages.

Recommendation

  • Use phishing-resistant MFA methods such as FIDO2 security keys instead of SMS or OTP-based authentication
  • Verify URLs carefully before entering credentials, especially for login pages
  • Monitor and restrict session lifetimes where possible to reduce replay risk
  • Enable conditional access policies (device, location, and risk-based authentication) in enterprise environments
  • Educate users on phishing techniques that mimic real login flows, including reverse-proxy attacks
  • Avoid logging into sensitive accounts over links received via email or messaging apps
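An added example (not from the advisory or the BlueKit research) showing why the FIDO2 recommendation above defeats the proxy flow described under "How?": the browser writes the origin it actually loaded into the signed clientDataJSON, so the relying party rejects an assertion produced on a proxy domain, and if the proxy rewrites the origin the signature no longer verifies. Assumptions: the origin and domain names are constructed, and an HMAC key stands in for the authenticator's asymmetric key pair so the simulation runs with the Python standard library only.

```python
import hashlib, hmac, json, os

# Constructed names: the real service and a hypothetical phishing-proxy domain.
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-proxy.test"
RP_ID = "example.com"
# Stand-in for the authenticator's key pair (assumption): an HMAC key known only to
# authenticator and RP, so no third-party crypto library is needed. A real
# authenticator signs asymmetrically, but it signs the same structure.
AUTHENTICATOR_KEY = os.urandom(32)

def authenticator_sign(client_data: bytes) -> tuple[bytes, bytes]:
    """authenticatorData = rpIdHash || flags || counter; the signature covers
    authenticatorData || SHA-256(clientDataJSON), so the origin is bound."""
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(AUTHENTICATOR_KEY, signed, "sha256").digest()

def browser_get_assertion(observed_origin: str, challenge: str) -> dict:
    """The browser writes the origin it really loaded into clientDataJSON; a page
    cannot override it (and a real browser also refuses RP_ID from a foreign origin)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": observed_origin}).encode()
    auth_data, sig = authenticator_sign(client_data)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: str) -> str:
    """Subset of the relying party's WebAuthn assertion checks, in spec order."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return "reject: type/challenge"
    if cd.get("origin") != REAL_ORIGIN:
        return "reject: origin"        # assertion was created on the proxy's domain
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "reject: signature"     # proxy edited clientDataJSON after signing
    return "accept"

def scenario(observed_origin: str, rewrite_origin: bool = False) -> str:
    """Victim logs in from `observed_origin`; the proxy may try to patch the origin."""
    challenge = "constructed-challenge-123"
    a = browser_get_assertion(observed_origin, challenge)
    if rewrite_origin:  # proxy rewrites the origin field to match the real site
        cd = json.loads(a["clientDataJSON"]); cd["origin"] = REAL_ORIGIN
        a["clientDataJSON"] = json.dumps(cd).encode()
    return rp_verify(a, challenge)
```

Contrast this with a password plus OTP: both are plain strings the proxy can relay unchanged, which is exactly the flow the advisory describes.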

Source

https://www.bleepingcomputer.com/news/security/bluekit-phishing-kit-adopts-browser-in-the-middle-for-login-theft/