A new reverse-proxy Phishing-as-a-Service (PaaS) platform, ‘EvilProxy’, capable of bypassing multi-factor authentication on online services such as Apple, Microsoft, Google, Twitter, GoDaddy, PyPI and more, was discovered by the cybersecurity firm Resecurity. According to reports, the service was created for low-level threat actors who lack the skill to set up full-fledged reverse-proxy attacks themselves, and it has become a high-value item on dark web markets because it is cheap and easy to use.
What is EvilProxy?
The operators of EvilProxy use reverse-proxy and cookie-injection techniques to bypass 2FA (two-factor authentication). According to sources, the methods used in EvilProxy resemble those seen in targeted campaigns by advanced persistent threats (APTs), indicating that the technique has spread to low-level threat actors.
These methods have also become more common on dark web markets, and attacks against organizations that rely on MFA have grown significantly. EvilProxy began operating in early May 2022 and has targeted several Fortune 500 organizations since then. Its creators shared a video on underground forums demonstrating how to use the service to deliver advanced phishing links.
What is a reverse proxy?
A reverse proxy is a server placed between the target’s device and a legitimate authentication endpoint. The threat actor uses a phishing page designed to trick the user into entering their login information and completing MFA for the company’s website. Once the user has entered the required information, the phishing page forwards it to the real service, which returns a session cookie.
Because the proxy sits in the middle of the exchange, it can steal the session cookie containing the MFA authentication token. Once the threat actor (TA) has that authentication cookie, they can bypass multi-factor authentication, log in to the site, and steal information.
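The cookie theft described above works because a password and a one-time code are not tied to the domain the user actually typed them into. Phishing-resistant MFA (FIDO2/WebAuthn) is the standard mitigation: the browser, not the web page, records the origin of the page that requested the assertion, and the verifier rejects any origin other than its own. The following added example (not code from the original article or from Resecurity) shows the origin and challenge checks a relying party performs on `clientDataJSON`; `RP_ORIGIN`, the helper names and the sample origins are assumptions constructed for the demonstration.

```python
import base64
import hmac
import json

# Origin the relying party (RP) legitimately serves its login from (assumed value).
RP_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str = RP_ORIGIN):
    """Return (ok, reason) for the type/challenge/origin checks of an assertion.

    These mirror the clientDataJSON checks of WebAuthn assertion verification:
    the browser fills in `origin` with the page that called navigator.credentials.get(),
    so a proxy serving the login from its own domain cannot produce a matching value.
    """
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False, "clientDataJSON is not valid base64url-encoded JSON"
    if not isinstance(data, dict):
        return False, "clientDataJSON is not a JSON object"

    if data.get("type") != "webauthn.get":
        return False, f"unexpected type {data.get('type')!r}"

    challenge = data.get("challenge")
    if not isinstance(challenge, str) or not challenge.isascii():
        return False, "challenge missing or malformed"
    # Constant-time compare; the challenge must be the one the RP issued for this login.
    if not hmac.compare_digest(challenge, b64url_encode(expected_challenge)):
        return False, "challenge mismatch (stale or replayed assertion)"

    origin = data.get("origin")
    if origin != expected_origin:
        return False, f"origin {origin!r} does not match RP origin {expected_origin!r}"

    return True, "ok"


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> str:
    """Build the clientDataJSON a browser would produce for a page at `origin`.

    Constructed for the demo only: in a real flow the browser sets `origin` from the
    page's actual location and the page cannot override it.
    """
    payload = {"type": typ, "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def demo() -> dict:
    """Run the check for a genuine login and for one relayed through a proxy domain."""
    challenge = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
    # Constructed sample proxy domain; any origin other than RP_ORIGIN behaves the same.
    proxy_origin = "https://login.example.com.phish.test"
    return {
        "genuine": verify_client_data(make_client_data(RP_ORIGIN, challenge), challenge),
        "via_proxy": verify_client_data(make_client_data(proxy_origin, challenge), challenge),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'} ({reason})")
```

The proxy can relay every byte of the exchange unchanged, but the `origin` field is written by the victim's browser from the URL bar, so the assertion it forwards names the proxy's domain and fails the check. Password-plus-OTP has no equivalent field, which is why it can be relayed; a server-side check like this one is what turns "MFA" into phishing-resistant MFA.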
Why is EvilProxy popular among TAs?
There are various reasons why EvilProxy has become a popular item on dark web forums. Although several APT groups have used reverse proxies with tools such as Modlishka and Necrobrowser, new threat actors prefer EvilProxy mainly for its simplicity and ease of access.
EvilProxy offers instructional videos, tutorials, and an easy-to-navigate graphical user interface (GUI), making reverse-proxy attacks easier to carry out. It also has its own library of cloned phishing pages for popular websites and online service providers.
Moreover, EvilProxy can steal usernames, passwords, and cookies. The subscription packages offered by the service are listed below; the cheapest starts at USD 150 for ten days, followed by other plans.
- USD 150 (ten days)
- USD 250 (20 days)
- USD 400 (30 days)
- USD 250/450/600 for Google Account attacks