AL2022_58 New EvilProxy Service Bypasses Multi-Factor Authentication on popular sites (9th September 2022)

Description  

A new phishing as a service (PaaS) platform called EvilProxy has surfaced on the Dark Web and boasts advanced phishing techniques capable of stealing credentials and bypassing multi-factor authentication (MFA) on popular websites. 

Summary: how it works 

EvilProxy is a phishing as a service (PaaS) platform offered on a subscription basis. Threat actors choose the service or website to target and a subscription period of 10, 20 or 31 days. The price depends on the targeted service and the period chosen; a 31-day subscription to phish Google accounts can cost as much as $600. Payment for the subscription is made via an operator on Telegram, after which the EvilProxy account is made available in a customer portal hosted on the Tor network (The Onion Router). EvilProxy sets itself apart from similar phishing frameworks because it is easier to deploy, provides multiple tutorials and guides showing its customers how to set up and configure the proxy servers, and features a user-friendly graphical interface and a selection of cloned phishing pages for popular websites. Services and websites that EvilProxy can target include Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo and Yandex, among others. 

EvilProxy uses a reverse proxy server that sits between the targeted victim’s device and the legitimate website’s authentication endpoint. The victim is presented with a phishing page on which the reverse proxy displays the legitimate login form, forwarding the victim’s requests to the legitimate website and relaying its responses back. The credentials and multi-factor authentication code entered by the victim are forwarded to the legitimate website’s server, and the victim is logged in as normal. However, when the session cookie is returned, the reverse proxy captures it, together with the authentication token it contains. Threat actors can then use this stolen authentication token to log in to the website with the victim’s account, bypassing all multi-factor authentication protection. 
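From the legitimate website’s side, the flow just described ends with a session cookie that was issued to one client being presented by another. The following detection script is an added example written for this alert; it is not code from the Guyana National CIRT or from the EvilProxy write-up. It reads a constructed authentication log (the format, field names and sample values are assumptions for the example) and flags sessions whose cookie is later used from a client with a different user agent or IP address than the one that completed login.

```python
"""Flag session cookies presented by a client other than the one that logged in.

Added example for this alert; not code from the Guyana National CIRT or the
EvilProxy write-up. The log format below is constructed for the example; adapt
LINE_RE to the authentication logs actually in use.
"""
import re
from dataclasses import dataclass

# Constructed sample authentication log: timestamp, event, session id, user,
# client IP and user agent. Session a1b2 is later used from a different client,
# which is what a replayed (stolen) session cookie looks like server-side.
SAMPLE_LOG = """\
2022-09-09T10:00:01Z LOGIN_OK sid=a1b2 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/105"
2022-09-09T10:00:02Z MFA_OK sid=a1b2 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/105"
2022-09-09T10:00:05Z REQUEST sid=a1b2 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/105"
2022-09-09T10:03:40Z REQUEST sid=a1b2 user=alice ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/104"
2022-09-09T11:00:00Z LOGIN_OK sid=c3d4 user=bob ip=192.0.2.20 ua="Mozilla/5.0 (Macintosh) Safari/605"
2022-09-09T11:20:00Z REQUEST sid=c3d4 user=bob ip=192.0.2.20 ua="Mozilla/5.0 (Macintosh) Safari/605"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


@dataclass
class Event:
    ts: str
    event: str
    sid: str
    user: str
    ip: str
    ua: str


def parse_log(text):
    """Parse the constructed log format into Event records, in file order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(Event(**m.groupdict()))
    return events


def find_session_reuse(events):
    """Return findings as (sid, user, severity, ts, detail) tuples.

    The client that completed LOGIN_OK is recorded per session id. Any later
    event on that session from a different user agent is rated "high" (a
    replayed cookie is normally used from the attacker's own browser); an IP
    change alone is rated "medium", since mobile and VPN clients change IPs.
    """
    issued = {}  # sid -> (ip, ua) of the client that completed login
    findings = []
    for e in events:
        if e.event == "LOGIN_OK":
            issued[e.sid] = (e.ip, e.ua)
            continue
        if e.sid not in issued:
            continue  # session not seen being issued in this log window
        login_ip, login_ua = issued[e.sid]
        ip_changed = e.ip != login_ip
        ua_changed = e.ua != login_ua
        if ua_changed:
            detail = f"user agent changed from {login_ua!r} to {e.ua!r}"
            if ip_changed:
                detail += f"; ip {login_ip} -> {e.ip}"
            findings.append((e.sid, e.user, "high", e.ts, detail))
        elif ip_changed:
            findings.append((e.sid, e.user, "medium", e.ts, f"ip {login_ip} -> {e.ip}"))
    return findings


if __name__ == "__main__":
    for sid, user, severity, ts, detail in find_session_reuse(parse_log(SAMPLE_LOG)):
        print(f"[{severity}] {ts} session {sid} ({user}): {detail}")
```

Run as a script it prints one high-severity finding for session a1b2. In practice the login IP itself is also worth checking against the user’s history, because in the reverse-proxy flow the login the site sees originates from the proxy rather than from the victim’s own device.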

Indicators of Compromise 

For a list of IOCs for this malware campaign, please see the following URL: https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web 

Remediation 

To protect against this type of phishing attack, users are advised to follow the steps below: 

  • Use a Virtual Private Network (VPN). A VPN can be used to create a secure channel for sensitive information on a network: the traffic is encrypted, making it hard for threat actors to decipher. 

  • Be wary of spoofed website forms and pages. The phishing page will be nearly identical to the legitimate webpage; however, there may be subtle differences, especially in the URL. Be sure to examine websites carefully before entering sensitive information. 

  • Ensure that websites are visited over a secure HTTPS connection using SSL (Secure Sockets Layer) technology. 
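The two checks above (the URL and the secure connection) can be made mechanical. The following helper is an added example for this alert, not code from the Guyana National CIRT or the EvilProxy write-up; the expected login host `login.example.com` and the sample URLs are constructed placeholders. It accepts a URL only when it uses HTTPS and its host is exactly the expected host or a subdomain of it, and otherwise reports which of the common disguises it saw: the legitimate name used as a prefix of another domain, a `user@host` prefix that hides the real host, or an internationalised (punycode) host.

```python
"""Check that a login URL really points at the expected site over HTTPS.

Added example for this alert; not code from the Guyana National CIRT or the
EvilProxy write-up. EXPECTED_LOGIN_HOST is a constructed placeholder; use the
real login host of the service being checked.
"""
from urllib.parse import urlsplit

# Constructed placeholder for the legitimate login host of a service.
EXPECTED_LOGIN_HOST = "login.example.com"


def check_login_url(url, expected_host=EXPECTED_LOGIN_HOST):
    """Return (ok, reason).

    ok is True only when the URL uses https and its host is exactly
    expected_host or a subdomain of it; every other case is rejected with a
    reason describing what looked wrong.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # urlsplit().hostname drops any "user:pass@" prefix, so a URL such as
    # https://login.example.com@attacker.example/ resolves to attacker.example.
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()

    if scheme != "https":
        return False, f"not https (scheme is {scheme!r})"
    if not host:
        return False, "no host in URL"
    if host == expected or host.endswith("." + expected):
        return True, f"host {host!r} belongs to {expected!r}"
    if "@" in parts.netloc:
        return False, f"credentials in URL hide the real host {host!r}"
    if expected in host:
        # e.g. login.example.com.attacker.example: the real name appears as a
        # prefix, but the registrable domain belongs to someone else.
        return False, f"lookalike host {host!r}: contains {expected!r} but is a different domain"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalised (punycode) host {host!r}; possible homoglyph"
    return False, f"unexpected host {host!r}"


if __name__ == "__main__":
    # Constructed URLs illustrating each case.
    for url in [
        "https://login.example.com/auth",
        "https://sso.login.example.com/auth",
        "http://login.example.com/auth",
        "https://login.example.com.attacker.example/auth",
        "https://login.example.com@attacker.example/auth",
        "https://xn--lgin-xyz.example/auth",
    ]:
        ok, reason = check_login_url(url)
        print("OK  " if ok else "WARN", url, "-", reason)
```

The check is deliberately strict about the host: a URL that merely contains the expected name somewhere is rejected, because that is exactly what a reverse-proxy phishing page’s address tends to look like.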

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.  

PDF Download: EvilProxy Service Bypasses Multi-Factor Authentication.pdf
