AiTM Feed (@aitm_feed)'s Twitter Profile
AiTM Feed

@aitm_feed

Ad-hoc cyber threat intel from our team of active hunters at @lab539. We mainly track Adversary in The Middle infrastructure and share indicators of attack.

ID: 1924567131355521024

Link: https://aitm-feed.com  Joined: 19-05-2025 20:46:26

30 Tweets

14 Followers

10 Following

Seeing a surge in pages.dev AiTM infrastructure today. Fortunately Cloudflare are squashing these quite well, but inevitably some will make their way through.

The AiTM theme of piggybacking off of trusted services continues, we've recently seen one actor we track pivot from Azure FD to using storage.googleapis[.]com ...

The surge to 30,000 AiTM infrastructure detections on Wednesday this week was very much driven by pages[.]dev and workers[.]dev use. Rather than playing whack-a-mole we've been blocking those domains and so far have only blocked AiTM, nothing legit!! YMMV #AiTM #Cloudflare

If you want to block ShadowCaptcha campaigns, blocking these three domains will help:
- cloudshielders[.]com
- analytiwave[.]com
- analyticanoden[.]com
There is heavy geo/user-agent/OS detection going on, so you may not see ClickFix but your users might #clickFix #shadowCaptcha

If you are the Bank of China, today would be a good day to block the domain `bamkofchina[.]com` and disable logins from `4.197.155[.]162` #AiTM

Block logins from AS24875 (1337 Services) and AS18450 (Evoxt) and you'll squash some of the most prolific #voidproxy infrastructure. Block workers[.]dev and you'll block a lot of frontend #voidproxy chains too. Aitm-Feed users can just toggle those on; takes 1 second!
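
As an added example (not code from @aitm_feed or lab539), here is one way to turn the blocking advice in the tweets above into a check over sign-in logs: the pages[.]dev and workers[.]dev frontends, the three ShadowCaptcha domains, the bamkofchina[.]com host and its IP, and logins sourced from AS24875 and AS18450. It assumes JSON-lines sign-in events that your SIEM has already enriched with a source ASN and a referrer URL (field names are assumptions), and the sample events are constructed. The domain match is written as a suffix match so that a subdomain such as foo.pages.dev is caught while a look-alike such as mypages.dev is not.

```python
"""Apply the feed's blocking advice to enriched sign-in logs.

Added example, not code from @aitm_feed or lab539. Assumes JSON-lines
events already carrying a source ASN and a referrer URL (field names
src_ip, asn, referrer are assumptions); sample events are constructed.
"""
import json
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the tweets above, refanged so they can be matched.
BLOCKED_DOMAINS = {
    "pages.dev", "workers.dev",                                     # abused Cloudflare frontends
    "cloudshielders.com", "analytiwave.com", "analyticanoden.com",  # ShadowCaptcha
    "bamkofchina.com",                                              # Bank of China look-alike
}
BLOCKED_IPS = {"4.197.155.162"}
BLOCKED_ASNS = {24875, 18450}                                       # 1337 Services, Evoxt


def refang(indicator: str) -> str:
    """Turn the feed's defanged form (example[.]com, 1.2.3[.]4) into a matchable string."""
    return indicator.replace("[.]", ".").strip().lower()


def domain_blocked(host: str) -> Optional[str]:
    """Return the blocklist entry covering host: the domain itself or any
    subdomain (foo.pages.dev), but not look-alikes (mypages.dev)."""
    host = refang(host).rstrip(".")
    for blocked in BLOCKED_DOMAINS:
        if host == blocked or host.endswith("." + blocked):
            return blocked
    return None


def check_signin(event: dict) -> List[str]:
    """Return the reasons one sign-in event would be blocked (empty list = allow)."""
    reasons = []
    if event.get("src_ip") in BLOCKED_IPS:
        reasons.append(f"source ip {event['src_ip']} on blocklist")
    if event.get("asn") in BLOCKED_ASNS:
        reasons.append(f"AS{event['asn']} on blocklist")
    ref = event.get("referrer")
    if ref:
        host = urlsplit(ref).hostname or ""
        hit = domain_blocked(host)
        if hit:
            reasons.append(f"referrer host {host} under blocked domain {hit}")
    return reasons


def triage(log_lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run check_signin over JSON-lines sign-in logs; return (line_no, reasons) for hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        line = line.strip()
        if not line:
            continue
        reasons = check_signin(json.loads(line))
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample events (documentation IPs, invented users); not real log data.
SAMPLE_LOG = [
    '{"user":"a.chen","src_ip":"203.0.113.7","asn":64500,"referrer":"https://login.microsoftonline.com/"}',
    '{"user":"b.ortiz","src_ip":"198.51.100.9","asn":24875,"referrer":"https://auth-verify.example.workers.dev/"}',
    '{"user":"c.das","src_ip":"4.197.155.162","asn":64501,"referrer":"https://bamkofchina.com/login"}',
    '{"user":"d.ng","src_ip":"192.0.2.44","asn":64502,"referrer":"https://mypages.dev/"}',
]

if __name__ == "__main__":
    for line_no, reasons in triage(SAMPLE_LOG):
        print(f"line {line_no}: BLOCK - {'; '.join(reasons)}")
```

Run on the constructed sample, lines 2 and 3 are flagged (ASN plus workers.dev referrer; blocklisted IP plus bamkofchina.com referrer) and lines 1 and 4 pass, line 4 because mypages.dev is not a subdomain of pages.dev. In production the ASN field would come from your identity provider's or SIEM's enrichment, and an allowlist for any legitimate pages.dev or workers.dev properties your organisation uses belongs in front of this check, since the feed's own "YMMV" applies.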

We tracked #ClickFix infrastructure for a while. Turns out there is a lot of overlap with #AiTM infrastructure. Find our dataset of 13k+ hosts in this blog post: aitmfeed.com/r/RWx

Anydesk users being targeted. MSI posing as a PDF:
- anydesck[.]net
- 87.120.219[.]100
- e23c7be37fb65ae83ff01e773637ef17f1534ea3 setup.pdf bosfortuy.ms

For the last few weeks AiTM activity has calmed down after the onslaught from the weeks prior. However, judging by this morning's detections, things might be about to change again.

Either Microsoft have migrated onto HostPapa infra and introduced typos in the process, or there is something that doesn't quite stack up with this host...

For a while we've been observing someone targeting certain theme parks with AiTM based attacks. Whilst we're not entirely sure of the end goal behind them, it is probable that they overlap with general targeting of ticketing systems and platforms.

Malicious Amazon Black Friday infrastructure being made ready to capture users' credentials/payment details - ladnok[.]shop

Verifying identities is an increasingly common theme in #AiTM campaigns. Here is one from yesterday on that topic (this IP is a repeat offender, so definitely one to block authentication from):