A new reverse-proxy phishing-as-a-service operation dubbed EvilProxy promises to steal authentication tokens in order to bypass multi-factor authentication on numerous platforms, including Google, Apple, PyPI, Facebook, Twitter, GoDaddy, and Microsoft.
EvilProxy lets inexperienced threat actors who do not know how to set up a reverse proxy compromise otherwise well-secured online accounts.
In this scheme, a reverse proxy is a server that sits between the targeted victim and a legitimate authentication endpoint, such as a company's login form. Once a victim connects to the phishing page, the reverse proxy displays the original login form, forwards the victim's requests to the company's site, and returns the site's responses.
If the victim enters their credentials and MFA code on the phishing page, the attackers forward them to the legitimate platform, where the user is logged in and a session cookie is returned.
Because the threat actors' proxy is still in the middle, it can capture that session cookie, which carries the authentication token. The adversaries can then present the cookie to the website and be treated as the logged-in user.
In other words, once the actors obtain the session cookie, the configured multi-factor authentication protection has already been satisfied and is bypassed.
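To make the mechanics above concrete, the following added example (not code from the article or from any phishing kit) models a login with two kinds of second factor and asks, for each, whether a relay in the middle ends up holding a valid session cookie. A TOTP code carries no information about which page the victim typed it into, so the relayed code verifies and a cookie is issued. An origin-bound assertion in the WebAuthn style embeds the browser's page origin in the signed client data, so an assertion produced on the look-alike domain fails the relying party's origin check. All domains, keys and the `ToyAuthenticator` are constructed for the example, and an HMAC stands in for the authenticator's public-key signature; the TOTP routine follows RFC 6238.

```python
"""Toy model of why a reverse proxy defeats one-time codes but not origin-bound authenticators.
Domains, keys and class names are constructed for this example."""
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time
from dataclasses import dataclass

REAL_ORIGIN = "https://login.example.com"          # constructed legitimate origin
PHISH_ORIGIN = "https://login.example-secure.net"  # constructed look-alike origin served by the relay


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Assertion:
    client_data_json: bytes  # the browser records the page origin here; the authenticator signs it
    signature: bytes         # toy HMAC standing in for the authenticator's public-key signature


class ToyAuthenticator:
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # shared with the RP only because HMAC replaces ECDSA here

    def sign(self, challenge: bytes, page_origin: str) -> Assertion:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
        ).encode()
        sig = hmac.new(self.key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return Assertion(client_data, sig)


class RelyingParty:
    """The legitimate site: it issues a session cookie only after the second factor verifies."""

    def __init__(self, authenticator: ToyAuthenticator, totp_secret: bytes) -> None:
        self.authenticator_key = authenticator.key
        self.totp_secret = totp_secret

    def verify_webauthn(self, challenge: bytes, assertion: Assertion) -> bool:
        data = json.loads(assertion.client_data_json)
        if data.get("type") != "webauthn.get" or data.get("challenge") != b64url(challenge):
            return False
        # Origin binding: the victim's browser wrote the look-alike domain into the client data,
        # so a relayed assertion can never match the RP's own origin.
        if data.get("origin") != REAL_ORIGIN:
            return False
        expected = hmac.new(
            self.authenticator_key, hashlib.sha256(assertion.client_data_json).digest(), hashlib.sha256
        ).digest()
        return hmac.compare_digest(expected, assertion.signature)

    def verify_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))


def attempt_login(rp: RelyingParty, auth: ToyAuthenticator, totp_secret: bytes,
                  factor: str, page_origin: str, now: int):
    """Victim authenticates on a page served from page_origin; everything is relayed to the RP
    unchanged. Returns the session cookie the page's operator ends up holding, or None."""
    challenge = secrets.token_bytes(32)  # fetched from the RP and handed to the victim's browser
    if factor == "totp":
        ok = rp.verify_totp(totp(totp_secret, now), now)  # code is origin-agnostic, relays cleanly
    else:
        ok = rp.verify_webauthn(challenge, auth.sign(challenge, page_origin))
    return b64url(secrets.token_bytes(24)) if ok else None


def run_scenarios(now: int) -> dict:
    auth = ToyAuthenticator()
    totp_secret = secrets.token_bytes(20)
    rp = RelyingParty(auth, totp_secret)
    return {
        "totp_direct": attempt_login(rp, auth, totp_secret, "totp", REAL_ORIGIN, now) is not None,
        "totp_proxied": attempt_login(rp, auth, totp_secret, "totp", PHISH_ORIGIN, now) is not None,
        "webauthn_direct": attempt_login(rp, auth, totp_secret, "webauthn", REAL_ORIGIN, now) is not None,
        "webauthn_proxied": attempt_login(rp, auth, totp_secret, "webauthn", PHISH_ORIGIN, now) is not None,
    }


if __name__ == "__main__":
    for name, got_cookie in run_scenarios(int(time.time())).items():
        print(f"{name:17s} session cookie obtained: {got_cookie}")
```

The origin comparison in `verify_webauthn` is the single line that separates the two outcomes; a real relying party additionally validates the RP ID hash and signature counter from the authenticator data, which the toy omits.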
Most well-resourced advanced persistent threat groups have adopted reverse proxies to bypass MFA protections on targeted accounts. Some actors use self-developed tooling, while others rely on readily available tools such as Evilginx2 and Necrobrowser.
EvilProxy is a user-friendly service which appeals to many malicious threat actors.
EvilProxy differentiates itself from other phishing frameworks by being a more straightforward service to deploy. It also offers detailed instructional videos and guides, a user-friendly graphical interface, and a selection of cloned phishing pages for well-known internet services.
A researcher reported that EvilProxy provides an easy-to-use GUI in which threat actors can set up and manage phishing campaigns and all the information that underpins them.
The service promises its customers the theft of usernames, passwords, and session cookies for low prices and is advertised on selected hacking forums. Its other features are actively promoted on various dark web hacking forums, but some operators vet their clients, so a few prospective customers are rejected.