New EvilProxy PhaaS platform allows to bypass MFA

A new Phishing-as-a-Service (PhaaS) platform called EvilProxy has emerged on the dark web that allows cybercriminals to attack users who have enabled multi-factor authentication (MFA) on their accounts.

The platform was first spotted in May 2022, when the threat actors behind it released a demo detailing how the service could be used to deliver phishing links to accounts associated with Apple, Google, Facebook, Microsoft, Instagram, Twitter, GitHub, GoDaddy, PyPi and other major brands.

“EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA authentication – proxifying victim's session,” according to a new report from cybersecurity firm Resecurity.

EvilProxy uses the reverse proxy concept, which works simply: malicious actors direct victims to a phishing page and use a reverse proxy to serve all the legitimate content the user expects, including the real login pages, while sniffing the victim's traffic as it passes through the proxy. This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords and/or two-factor authentication (2FA) tokens, the researchers explained.
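The mechanism just described leaves a trace a defender can look for: the login (including the MFA step) is completed by whatever client sat in front of the real site, and the harvested session cookie is later presented from a different address and browser. The following is an added example, not code from the article or from Resecurity; the event schema, field names and sample values are constructed assumptions, and the "session" field is assumed to be a hash of the cookie rather than the raw cookie.

```python
"""Flag session identifiers that are presented from a client other than the
one that completed the login (a signal for reverse-proxy cookie theft).

Added example; not code from the article or the EvilProxy report. The event
fields and sample values below are constructed assumptions, not a real log.
"""
from datetime import datetime, timedelta

# Constructed sample events (assumed schema): a login that passed MFA, then
# requests carrying the issued session identifier.
SAMPLE_EVENTS = [
    {"ts": "2022-09-05T10:00:00Z", "event": "login_success", "user": "alice",
     "ip": "203.0.113.10", "ua": "Chrome/105 Windows", "session": "sess-A1"},
    {"ts": "2022-09-05T10:00:04Z", "event": "request", "user": "alice",
     "ip": "203.0.113.10", "ua": "Chrome/105 Windows", "session": "sess-A1"},
    # Same session identifier a few minutes later from another address/browser:
    {"ts": "2022-09-05T10:02:30Z", "event": "request", "user": "alice",
     "ip": "198.51.100.77", "ua": "Firefox/104 Linux", "session": "sess-A1"},
    {"ts": "2022-09-05T11:00:00Z", "event": "login_success", "user": "bob",
     "ip": "192.0.2.5", "ua": "Safari/16 macOS", "session": "sess-B1"},
    {"ts": "2022-09-05T11:05:00Z", "event": "request", "user": "bob",
     "ip": "192.0.2.5", "ua": "Safari/16 macOS", "session": "sess-B1"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_reuse(events, window=timedelta(hours=1)):
    """Return one alert per request that presents a session identifier from a
    different IP or User-Agent than the login that issued it, within `window`
    of that login. The login event is the baseline client for the session."""
    issued = {}   # session id -> (login time, ip, ua, user)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        sid = ev["session"]
        if ev["event"] == "login_success":
            issued[sid] = (ts, ev["ip"], ev["ua"], ev["user"])
            continue
        if ev["event"] != "request" or sid not in issued:
            continue  # unknown session: outside the scope of this check
        t_login, ip0, ua0, user = issued[sid]
        if ts - t_login > window:
            continue
        reasons = []
        if ev["ip"] != ip0:
            reasons.append("ip_changed")
        if ev["ua"] != ua0:
            reasons.append("user_agent_changed")
        if reasons:
            alerts.append({
                "user": user,
                "session": sid,
                "login_ip": ip0,
                "seen_ip": ev["ip"],
                "seconds_after_login": int((ts - t_login).total_seconds()),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises a single alert for `sess-A1`, used from a second address 150 seconds after login. A user switching from Wi-Fi to a mobile network also changes IP, so treat the result as a signal to combine with ASN, geolocation and the reputation of the login address (with a proxy kit, the address that completed MFA is the proxy host, not the victim's). The durable mitigation is phishing-resistant MFA such as FIDO2/WebAuthn, whose credentials are bound to the site's origin, so a login relayed through a page on another domain cannot complete the challenge.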

The service, which is being advertised on all major underground forums including XSS, Exploit and Breached, is offered on a subscription basis for 10, 20 or 31 days, with the payment managed manually via an operator on Telegram. The kit is available for $400 per month, the researchers said.

The EvilProxy portal contains multiple tutorials and interactive videos on using the service, along with configuration tips, allowing even a low-skilled hacker to carry out an advanced phishing attack.

“While the sale of EvilProxy requires vetting, cybercriminals now have a cost-effective and scalable solution to perform advanced phishing attacks to compromise consumers of popular online services with enabled MFA. The appearance of such services on the Dark Web will lead to a significant increase in ATO/BEC activity and cyberattacks targeting the identity of the end users, where MFA may be easily bypassed with the help of tools like EvilProxy,” Resecurity has warned.

