BlackForce Phishing Kit: A New Threat Bypassing Multi-Factor Authentication
In August 2025, cybersecurity experts identified a formidable phishing tool named BlackForce, which has since posed significant risks to organizations globally. This advanced kit enables cybercriminals to extract login credentials and circumvent multi-factor authentication (MFA) through sophisticated Man-in-the-Browser (MitB) attacks.
Emergence and Accessibility
BlackForce surfaced in underground forums, notably on Telegram, where it is marketed for €200 to €300. Its affordability and user-friendly interface have attracted a broad spectrum of threat actors. The kit has been employed in attacks against prominent brands such as Disney, Netflix, DHL, and UPS, underscoring its effectiveness in real-world scenarios.
Technical Capabilities
BlackForce’s primary strength lies in its ability to execute MitB attacks. This technique allows attackers to intercept and manipulate communications between users and legitimate websites in real time. By doing so, cybercriminals can capture one-time authentication codes sent via SMS, email, or authenticator apps, effectively nullifying the protective measures of MFA.
Evolution and Detection Evasion
Security analysts have documented at least five distinct versions of BlackForce, indicating continuous enhancements by its developers. The kit employs JavaScript files with cache-busting hashes, compelling browsers to download the latest malicious code. Notably, over 99% of this code comprises legitimate React and React Router components, lending an air of authenticity that aids in evading initial detection mechanisms.
Attack Mechanism
The BlackForce attack sequence is meticulously crafted:
1. Phishing Initiation: Victims receive emails containing links to counterfeit login pages that closely resemble legitimate sites.
2. Credential Capture: When the victim enters their credentials, the information is immediately transmitted to the attacker via a command-and-control panel, often integrated with Telegram for real-time alerts.
3. MFA Interception: The attacker uses the stolen credentials to access the genuine service, triggering an MFA prompt. Simultaneously, BlackForce injects a fraudulent MFA page into the victim’s browser.
4. Code Harvesting: Unaware of the deception, the victim inputs their authentication code into the fake MFA page. The attacker captures this code instantly, facilitating unauthorized account access.
Advanced Features
Recent iterations of BlackForce have introduced session storage to maintain state across page reloads, enhancing the resilience of attacks. The kit also incorporates robust anti-analysis filters, blocking security researchers and automated scanners through User-Agent parsing and ISP blocklists.
Comparative Analysis
BlackForce is part of a growing trend of sophisticated phishing kits that challenge traditional security measures. For instance, the Tykit phishing kit impersonates Microsoft 365 login pages to harvest corporate credentials, utilizing SVG files as stealthy delivery mechanisms. Similarly, the Mamba toolkit exploits MFA in advanced phishing attacks, employing adversary-in-the-middle techniques to intercept authentication tokens. These developments highlight the escalating complexity of phishing threats and the need for adaptive security strategies.
Mitigation Strategies
To defend against advanced phishing tools like BlackForce, organizations should consider the following measures:
– Zero-Trust Architecture: Implement a security model that requires continuous verification of user identities and device integrity, regardless of location.
– Enhanced MFA Solutions: Adopt MFA methods resistant to interception, such as hardware tokens or biometric verification, to reduce reliance on easily compromised channels like SMS or email.
– User Education: Conduct regular training sessions to raise awareness about phishing tactics and encourage vigilance when handling unsolicited communications.
– Advanced Threat Detection: Deploy security solutions capable of identifying and mitigating MitB attacks and other sophisticated phishing techniques.
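The difference between the codes harvested in steps 3 and 4 and an interception-resistant factor, as an added example (not from the original article or from any vendor's code): a typed TOTP code verifies no matter which page collected it, while a WebAuthn assertion carries the browser-reported origin, which the server can reject. It assumes the "hardware token" is a FIDO2/WebAuthn security key, uses placeholder origins and a constructed challenge, and shows only the client-data origin check; a real verifier also validates the authenticator's signature and RP ID hash.

```python
import base64, hashlib, hmac, json, struct

EXPECTED_ORIGIN = "https://login.example.com"  # assumed genuine origin (placeholder)
PHISH_ORIGIN = "https://login.example.net"     # constructed look-alike origin

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as used by common authenticator apps."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, now: float) -> bool:
    # The server receives digits only; nothing ties them to the page that collected them.
    return hmac.compare_digest(totp(secret, now), submitted)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    # The browser, not the page script, fills in the origin of the calling page.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def verify_client_data(raw: bytes, challenge: bytes) -> bool:
    # Server-side check of the client data: ceremony type, challenge, and origin.
    data = json.loads(raw)
    return (data.get("type") == "webauthn.get"
            and hmac.compare_digest(str(data.get("challenge", "")), b64url(challenge))
            and data.get("origin") == EXPECTED_ORIGIN)

def compare_factors() -> dict:
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    challenge = bytes(range(16))       # constructed server challenge
    typed_on_fake_page = totp(secret, now=60)
    return {
        # Code entered on the fake MFA page, submitted to the real service 10 s later.
        "otp_relayed": verify_totp(secret, typed_on_fake_page, now=70),
        "assertion_from_phish": verify_client_data(
            browser_client_data(PHISH_ORIGIN, challenge), challenge),
        "assertion_from_genuine": verify_client_data(
            browser_client_data(EXPECTED_ORIGIN, challenge), challenge),
    }

if __name__ == "__main__":
    print(compare_factors())
```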
Conclusion
The emergence of BlackForce underscores the evolving nature of cyber threats and the continuous arms race between attackers and defenders. By understanding the mechanisms of such advanced phishing kits and implementing comprehensive security measures, organizations can better protect themselves against these insidious attacks.