Bluekit, a new artificial intelligence-driven phishing platform, has just been launched and it is putting everyday users at serious risk. What makes this particularly alarming is that it hands sophisticated attack capabilities to low-level criminals who previously lacked the technical skill to pull them off.
Bluekit works by positioning itself between you and a legitimate service, a technique known as adversary in the middle. This allows criminals to intercept your password and your security code at the exact same moment you enter them, in real time, hijacking your active session before you even realize anything is wrong. Standard multi-factor authentication offers no protection against this.
What To Watch Out For
Bluekit generates highly convincing fake login pages for over 40 platforms, including Gmail, Outlook, iCloud, and GitHub. These are not crude imitations. They are designed to fool even careful users.
- Deceptive URLs and Typosquatting: Before entering any credentials, closely examine the web address. This is where Bluekit and typosquatting converge into a particularly dangerous combination. Typosquatting is the practice of registering domain names nearly indistinguishable from legitimate ones, built on predictable human error. One swapped character. One missing letter. One extra keystroke is all it takes. Bluekit takes this a step further by generating the fake login page automatically once you land on the spoofed domain, meaning the criminal does not even need to build the site manually. The domain does the misdirecting and Bluekit handles the interception.
Attackers also exploit search engines and increasingly AI generated summaries, seeding fraudulent domains with content designed to rank above the real thing. A victim who searches for a login page rather than typing the address directly may end up on a criminal controlled site without ever suspecting anything is wrong. The address bar looks almost right. The branding looks perfect. And by the time credentials are entered, the session is already compromised.
The rule is simple. Never search for a login page. Never click a link sent to you. Type the official address directly into your browser every single time.
- Urgency and Pressure: Be suspicious of any message claiming your account will be deleted or suspended unless you act immediately. Legitimate services do not operate this way. That manufactured urgency is designed to override caution and push you toward clicking before you think.
- Unexpected MFA Prompts: If a security code arrives when you have not attempted to log in anywhere, treat it as a red flag. Someone may already be feeding your credentials into a fake page at that very moment.
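The typosquatting patterns described above (one swapped character, one missing letter, one extra keystroke) can be checked mechanically before a link is trusted. The following is an added example, not part of the original article: the protected-domain list and the hostnames tested against it are constructed, and taking the last two labels as the registered domain is a simplifying assumption.

```python
# Constructed allowlist of real login domains; extend with the services you use.
PROTECTED = ("github.com", "google.com", "icloud.com", "outlook.com")

# Digits commonly swapped in for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(host):
    """Return ("exact" | "lookalike" | "unknown", matched protected domain)."""
    host = host.strip().lower().rstrip(".")
    for good in PROTECTED:
        if host == good or host.endswith("." + good):
            return "exact", good
    # Simplification: treat the last two labels as the registered domain.
    base = ".".join(host.split(".")[-2:])
    folded = base.translate(CONFUSABLES)
    for good in PROTECTED:
        # One keystroke away, or digits standing in for letters.
        if folded == good or osa_distance(base, good) <= 1:
            return "lookalike", good
        # Real brand used as leading labels of an unrelated domain.
        if host.startswith(good + "."):
            return "lookalike", good
    return "unknown", None
```

An "unknown" result only means the name does not resemble an entry in the list; it is not a verdict that the site is safe.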
Essential Protection
Text message codes are no longer a reliable line of defense against automated attacks like this. You need to take stronger steps now.
- Switch to Passkeys: Biometric logins and passkeys are resistant to interception because there is no code being transmitted that a criminal can capture.
- Use Hardware Security Keys: For your most important accounts, a physical security key ensures that even if your password is stolen, a remote attacker cannot get in.
- Navigate Directly: Never click a link in an email or text message. Type the official web address directly into your browser every single time.
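Passkeys and hardware security keys resist a page sitting in the middle because the browser records the site the user is really on, and the legitimate service rejects a login that came from anywhere else. The following is an added example, not part of the original article, of those server-side binding checks in WebAuthn; the domain names and sample assertions are constructed, and signature verification is assumed to be done separately.

```python
import base64
import hashlib
import json

# Assumed relying-party values (constructed for this example).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json, authenticator_data, issued_challenge):
    """Return reasons to reject; an empty list means the binding checks pass.

    Verifying the signature over authenticator_data + SHA-256(client_data_json)
    with the stored public key is assumed to happen separately.
    """
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if client.get("challenge") != b64url(issued_challenge):
        problems.append("challenge mismatch")
    # The browser writes the origin of the page the user is actually on.
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch: " + str(client.get("origin")))
    # The first 32 bytes of authenticator data are SHA-256(RP ID).
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    return problems


def sample_assertion(origin, rp_id, challenge):
    """Build a constructed assertion as a browser visiting `origin` would."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    # rpIdHash, flags byte (user present + verified), 4-byte signature counter
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return client, auth
```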
Part of a Wider Criminal Ecosystem
Bluekit does not exist in isolation. It is the latest product in a rapidly expanding criminal marketplace that packages sophisticated fraud tools and sells them to anyone willing to pay a subscription fee. This model has a name. It is called Scam as a Service, and it has been quietly industrialising cybercrime for years.
GhostGPT was one of the earlier examples to gain widespread attention. It is an uncensored artificial intelligence tool sold on dark web markets and Telegram channels, purpose built to write convincing phishing emails, craft malware code, and generate fraudulent business communications without the ethical restrictions built into legitimate AI platforms. Where a standard AI will refuse to help a criminal compose a deceptive message, GhostGPT will not. It simply does the job. It lowers the barrier to entry for anyone looking to launch an email phishing campaign without knowing how to write one.
FraudGPT followed a similar path. Marketed openly on dark web forums, it was advertised with a feature list that read like a criminal's shopping catalogue, including the ability to create undetectable malware, write scam landing pages, and generate phishing content tailored to specific targets. Like GhostGPT, it requires no technical expertise. You describe what you want and the tool builds it for you.
WormGPT was another early entrant, specifically engineered to assist with business email compromise, one of the most financially damaging forms of cybercrime in existence. It helped criminals impersonate executives and suppliers convincingly enough to authorize fraudulent wire transfers.
What Bluekit adds to this ecosystem is the live interception layer. Where GhostGPT and FraudGPT help criminals construct the bait, Bluekit automates the catch. It does not just create a convincing fake login page. It sits in the middle of a real session, captures everything in real time, and hands an attacker a live authenticated account. That is a meaningful escalation. Previous tools required the victim to hand over their credentials and then for the criminal to use them before the window closed. Bluekit collapses that gap entirely.
Taken together, these platforms represent the full industrialization of phishing. The emails are written by AI. The fake pages are generated by AI. The session interception is automated. A criminal with minimal skill, a modest budget, and a Telegram account can now run a campaign that would have required a sophisticated operation just a few years ago.
The Age Gating Connection
There is another dimension to this threat most coverage is missing entirely, and it connects directly to something already underway in Australia, North America and beyond.
Governments are legally mandating operating systems become identity checkpoints. Laws such as California's Digital Age Assurance Act are requiring devices verify the age of their users before granting access to certain content. The intent is to protect children. The consequence is every user now expects to encounter verification prompts during device setup, app access, and account management. That expectation is a gift to criminals running platforms like Bluekit.
This is where Verishing comes in. Verishing describes the tactic of impersonating a legitimate system-level verification prompt in order to extract identity documents and personal data from an unsuspecting user. It is phishing dressed in the clothing of a legal compliance requirement. Because users have been conditioned to expect these prompts, they comply. They upload their driver's licence. They submit their facial biometric. They enter their credit card details to prove adulthood. And in a Verishing attack, every one of those documents goes directly to an identity theft operation.
Bluekit is effectively a Verishing engine. The adversary in the middle technique it uses does not just steal a password. It captures the entire verification session in real time. A fake age verification page built on Bluekit's infrastructure is indistinguishable from a legitimate one. The criminal does not get your login. They get your identity.
The connection to GhostGPT and FraudGPT makes this worse. Those tools generate the initial message, the convincing email or push notification telling you your device is out of compliance with state or provincial law and you must verify immediately. Bluekit then handles the interception when you click through. The AI writes the bait. The platform steals the catch. The legal mandate provides the pretext making the whole operation believable.
Awareness is your first line of defense. Caution is your strongest weapon.