
EvilProxy Phishing-as-a-Service Platform Bypasses MFA Mechanisms

Cybersecurity researchers have uncovered another phishing-as-a-service [PaaS] platform. Called EvilProxy, the platform specializes in reverse proxy phishing campaigns that aim to circumvent MFA [multi-factor authentication] mechanisms.




EvilProxy: Reverse Proxy Phishing-as-a-Service Platform

In computer networking, a reverse proxy is a server that sits in front of other web servers and forwards client requests to them. In phishing, the concept is the same: threat actors lead victims to a phishing page and use the reverse proxy to fetch the legitimate content, including login pages, while sniffing the victims' traffic as it passes through the proxy.

The EvilProxy phishing-as-a-service platform, also known as Moloch, was discovered by cybersecurity firm Resecurity. “EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxyfying victim’s session. Previously such methods have been seen in targeted campaigns of APT and cyberespionage groups, however now these methods have been successfully productized in EvilProxy which highlights the significance of growth in attacks against online-services and MFA authorization mechanisms,” the firm’s report pointed out.
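A defender-side view of the session proxying and cookie injection described above, as an added example that is not taken from the article or from Resecurity's report: it flags sessions whose cookie is later presented from a different client context than the one that completed MFA. The event fields (`sid`, `type`, `ip`, `ua`, `ts`), the `mfa_ok`/`request` event types and the sample log are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample session log (documentation IP ranges), not data from the report.
SAMPLE_EVENTS = [
    {"sid": "s1", "type": "mfa_ok",  "ip": "198.51.100.7",  "ua": "Firefox/104", "ts": 0},
    {"sid": "s1", "type": "request", "ip": "198.51.100.40", "ua": "Firefox/104", "ts": 30},
    {"sid": "s2", "type": "mfa_ok",  "ip": "203.0.113.20",  "ua": "Chrome/105",  "ts": 10},
    {"sid": "s2", "type": "request", "ip": "192.0.2.55",    "ua": "Chrome/104",  "ts": 95},
    {"sid": "s3", "type": "request", "ip": "192.0.2.9",     "ua": "Chrome/105",  "ts": 50},
]


def network_of(ip, prefix=24):
    """Coarse network key so address changes inside one network do not alert."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_replayed_sessions(events, prefix=24):
    """Return {session_id: [reasons]} for sessions used from a client context
    other than the one that completed MFA (hypothetical helper)."""
    bound = {}   # sid -> (network, user agent) recorded when MFA succeeded
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ctx = (network_of(ev["ip"], prefix), ev["ua"])
        if ev["type"] == "mfa_ok":
            bound[ev["sid"]] = ctx
            continue
        if ev["sid"] not in bound:
            # Cookie in use although no MFA completion was logged for it.
            alerts.setdefault(ev["sid"], set()).add("no_mfa_seen")
            continue
        net, ua = bound[ev["sid"]]
        if ctx[0] != net:
            alerts.setdefault(ev["sid"], set()).add("network_changed")
        if ctx[1] != ua:
            alerts.setdefault(ev["sid"], set()).add("user_agent_changed")
    return {sid: sorted(reasons) for sid, reasons in alerts.items()}


if __name__ == "__main__":
    for sid, reasons in find_replayed_sessions(SAMPLE_EVENTS).items():
        print(sid, ", ".join(reasons))
```

Roaming users and VPN changes also trigger `network_changed`, so a hit is better used to force re-authentication than to block outright.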

The report is based on an ongoing investigation into attacks against employees of Fortune 500 companies. Through this investigation, the researchers collected “substantial knowledge” about EvilProxy’s network infrastructure and the modules attackers use to conduct their malicious operations. The initial attacks associated with the PaaS platform were against Google and MSFT customers with MFA enabled on their accounts. In these cases, SMS and Application Token were the authentication choices of the attacked customers.

“The first mention of EvilProxy was detected early May 2022, this is when the actors running it released a demonstration video detailing how it could be used to deliver advanced phishing links with the intention to compromise consumer accounts belonging to major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex and others,” the report added. However, EvilProxy can also be used in phishing attacks against the Python Package Index (PyPI).

EvilProxy is yet another example of a “cost-effective and scalable solution” that enables advanced phishing operations against users of popular online services that support MFA. The researchers believe that these services will only further fuel ATO [account takeover] and BEC [business email compromise] activities. Another example of a PaaS platform is the so-called Robin Banks. The service targets victims via SMS and email in an attempt to gain access to credentials pertaining to Citibank, Google and Microsoft accounts.




According to a recent IronNet report, the primary motivation for scammers is financial. The Robin Banks kit, however, also tries to obtain credentials for Google and Microsoft accounts, indicating it could also be used by more advanced threat actors looking to gain initial access to corporate networks. Once such access is gained, cybercriminals can carry out ransomware attacks as well as other post-intrusion malicious activities.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
