Skip to main content
Cybersecurity

How researchers accidentally found a large-scale threat platform

The attack leverages malicious domains that mimic actual hospitality and commerce websites.

3 min read

TOPICS: Cybersecurity / Security Fundamentals / Threat Landscape

Researchers at cybersecurity company NCC Group discovered a cutting-edge adversary-in-the-middle (AiTM) attack—and they did so by complete accident.

Dubbed “Kitana,” this AiTM platform draws in victims to a fraudulent website using standard-issue URL squatting domains and malicious advertising, then tricks them into inputting sensitive information, including passwords and payment details, according to NCC Group’s Cyber Threat Intelligence report.

Unlike more traditional attacks that often involve compromising a legitimate website to steal consumer info, though, Kitana leverages malicious domains that mimic actual hospitality and commerce websites. The attackers can then monitor victims’ activities on these fake sites in real time, stealing whatever’s inputted.

Dillon Ashmore, tactical threat intelligence analyst at NCC Group, told IT Brew that “real-time interception gives [attackers] that complete control about setting how much information they need.”

NCC Group discovered Kitana during an unrelated probe of an IP address formerly associated with TeamPCP and its supply-chain compromise. The team saw the site display a login screen for a “nondescript tool” called Kitana Project.

“Initially…I was a little confused, because Kitana wouldn’t be something I’d seen before,” Ashmore said. “I try to stay up-to-date as best as I can, so when I see something I don’t know about, it makes me stop, and I try to drop everything if I can, and figure out what it is exactly.”

Ashmore went looking for reports about Kitana online and within NCC Group’s Open-Source Intelligence (OSINT) group. After hunting for shared characteristics like common certificate data, hosting patterns, and response behavior, the team identified 22 IP addresses that contained the same login panel.

From April to the end of May into June, Ashmore said, Kitana-associated IPs jumped to 31.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

By subscribing, you accept our Terms & Privacy Policy.

“That’s particularly interesting to me because it shows that the operator, the developer, hasn’t gotten bored of it, it’s something they’re continuing to iterate, they’re trying to expand its footprint,” Ashmore said. “What was most interesting was, as I analyzed this, how much of it pointed or alluded to the use of AI in its development.”

Takeaways. Kitana’s operator had “clearly” been using AI tools to help write their coding, Ashmore said, decreasing the technical barrier to entry.

“Previously, ransomware, malware…fraud platforms, they would be written by someone who was an expert in coding,” Ashmore said, adding that with AI, “it’s significantly easier for adversaries to create these kind of platforms, these kinds of tools nowadays; but in saying that, it doesn’t remove the other elements of threat actors who grow in their maturity and their sophistication.”

To better mitigate against incidents like Kitana, Ashmore suggested that IT professionals monitor customer complaints. For example, if there are online reports from customers who did not receive the right product (or never received a product), it could alert the cybersecurity team to other domains impersonating a brand.

“You need to be aware that these complaints from customers, while they might be numerous at times, take active steps to try and investigate them and establish whether or not this is something that is more than just a once-off scam that somebody fell for something very obvious,” Ashmore said. “Sometimes the report of something malicious might not come from where you expect it.”

About the author

Caroline Nihill

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

By subscribing, you accept our Terms & Privacy Policy.