Understanding EvilProxy: The Phishing Threat Evolving
Cyber Threat Intelligence Report: EvilProxy
EvilProxy is a phishing-as-a-service (PhaaS) toolkit that uses reverse proxy phishing to steal credentials and bypass multi-factor authentication (MFA). EvilProxy has been used by attackers since mid-2022.
Here is how EvilProxy works:
- Attackers send a phishing email that leads users to a seemingly legitimate login page.
- The user enters their credentials.
- Because the page is a reverse proxy in front of the real site, the one-time password (OTP) the user enters is relayed to the legitimate service, and the attackers capture it along with the authenticated session that results.
- The attackers now have control of the user’s account.
Reverse Proxy
EvilProxy is a worrying development because websites are increasingly using OTP/MFA authentication, making traditional phishing techniques less effective. Attackers have changed their tactics accordingly. Rather than building static fake websites, they use EvilProxy to proxy the legitimate login page and steal the login information as the victim authenticates with the real site.
Here are some key features of EvilProxy:
- It is sold on dark web marketplaces.
- It allows attackers to create phishing pages that look like real login pages.
- Attackers use legitimate services like Cloudflare to disguise malicious traffic.
- It can be used to target high-profile organizations and individuals.
Here are some ways to mitigate the risk of EvilProxy attacks:
- Train employees to recognize phishing attempts.
- Implement MFA and conditional access policies.
- Proactively search for signs of attacks.
Arkose Labs offers a phishing protection solution that can help protect against EvilProxy attacks. The solution uses device fingerprinting technology to detect and block reverse proxies in real time. It also helps businesses find phishing websites that are using their brand name.
Recent Activities
- Increased Activity: Proofpoint has observed a significant surge in EvilProxy campaigns, exceeding a million attacks monthly.
- Targeted Sectors: Financial services, government agencies, and C-suite executives are primary targets.
- Techniques: Attackers use legitimate services like Cloudflare to mask malicious traffic, hindering detection efforts.
- Beginning Phishing Email: Targets get deceptive emails disguised as legitimate services like Cloudflare or Adobe.
- Redirects and Decoding: Users are led through multiple websites, including attacker-controlled redirect sites, obscuring the attack’s origins.
- Phishing Page: Users land on a convincingly crafted phishing page mimicking the real login page.
- Session Hijacking: Attackers capture the session cookies issued after the victim completes authentication, which bypasses MFA, grants access to the victim’s account, and enables further malicious activity.
[Figure: Reverse Proxy]
- User Education: Conduct comprehensive training for employees to recognize phishing attempts. Foster a security-aware culture. Encourage the reporting of suspicious emails.
- MFA and Conditional Access: Implement robust MFA and conditional access policies to strengthen account security and minimize unauthorized access.
- Threat Hunting: Proactively monitor systems for indications of AiTM attacks and session hijacking attempts, enabling early detection and response.
- Incident Response: Set up an effective incident response plan. Take prompt actions like revoking compromised session cookies. Roll back any MFA modifications made by attackers. Contain the breach.
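The threat-hunting and incident-response items above are easier to act on with a concrete rule. The following is an added example, not code from the original report or from any vendor named on this page: a small Python hunt over constructed sign-in log records that flags the two telltales of an AiTM session hijack described earlier (an MFA-completed sign-in originating from proxy or hosting infrastructure, and a session cookie being presented from a different network than the one that completed MFA shortly before), then lists the session IDs an incident responder would revoke. The record fields, the ASN numbers and the "hosting ASN" set are all hypothetical and would be replaced with an organization's own identity-provider log schema and network intelligence.

```python
"""Hunt sign-in logs for AiTM session-hijacking indicators (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample log; the fields and values are hypothetical.
# "signin_mfa_ok": the user finished password + OTP and a session cookie was issued.
# "session_use":   an existing session cookie was presented to the service.
SAMPLE_LOG = [
    # alice: sign-in and later use from the same network -> benign
    {"ts": "2024-01-10T09:00:00Z", "user": "alice", "event": "signin_mfa_ok",
     "session_id": "S1", "src_ip": "203.0.113.10", "asn": 64500},
    {"ts": "2024-01-10T09:05:00Z", "user": "alice", "event": "session_use",
     "session_id": "S1", "src_ip": "203.0.113.10", "asn": 64500},
    # bob: sign-in only, nothing suspicious
    {"ts": "2024-01-10T09:10:00Z", "user": "bob", "event": "signin_mfa_ok",
     "session_id": "S2", "src_ip": "198.51.100.7", "asn": 64501},
    # carol: MFA completed from one network, cookie replayed minutes later
    # from a different network -> the session cookie was captured and reused
    {"ts": "2024-01-10T09:20:00Z", "user": "carol", "event": "signin_mfa_ok",
     "session_id": "S3", "src_ip": "203.0.113.55", "asn": 64500},
    {"ts": "2024-01-10T09:23:00Z", "user": "carol", "event": "session_use",
     "session_id": "S3", "src_ip": "192.0.2.200", "asn": 64999},
    # dave: the MFA sign-in itself came from a hosting ASN -> a proxy, not a user
    {"ts": "2024-01-10T09:30:00Z", "user": "dave", "event": "signin_mfa_ok",
     "session_id": "S4", "src_ip": "192.0.2.17", "asn": 64999},
]

# Constructed: ASNs an organization treats as proxy/hosting ranges where
# interactive employee sign-ins are not expected.
HOSTING_ASNS = {64999}


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt(log, hosting_asns=HOSTING_ASNS, window_minutes=60):
    """Return a list of findings, one per suspicious record.

    Rules:
      signin_from_hosting_asn - MFA completed from proxy/hosting infrastructure.
      session_asn_change      - cookie used from a different ASN than the one
                                that completed MFA, within the time window.
    """
    findings = []
    established = {}  # session_id -> (issued_at, asn, user)
    for rec in sorted(log, key=lambda r: r["ts"]):  # ISO strings sort by time
        ts = parse_ts(rec["ts"])
        if rec["event"] == "signin_mfa_ok":
            established[rec["session_id"]] = (ts, rec["asn"], rec["user"])
            if rec["asn"] in hosting_asns:
                findings.append({"rule": "signin_from_hosting_asn",
                                 "user": rec["user"],
                                 "session_id": rec["session_id"],
                                 "src_ip": rec["src_ip"]})
        elif rec["event"] == "session_use":
            origin = established.get(rec["session_id"])
            if origin is None:
                continue  # cookie issued before the log window; nothing to compare
            issued_at, issue_asn, user = origin
            if rec["asn"] != issue_asn and ts - issued_at <= timedelta(minutes=window_minutes):
                findings.append({"rule": "session_asn_change",
                                 "user": user,
                                 "session_id": rec["session_id"],
                                 "src_ip": rec["src_ip"]})
    return findings


def sessions_to_revoke(findings):
    """Distinct session IDs to revoke as the first incident-response step."""
    return sorted({f["session_id"] for f in findings})


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["rule"]:24} user={hit["user"]:6} session={hit["session_id"]} from={hit["src_ip"]}')
    print("revoke:", sessions_to_revoke(hits))
```

The `session_asn_change` rule is deliberately scoped to a short window after MFA, because a legitimate user who moves from office Wi-Fi to a mobile network hours later would otherwise trip it; the window and the ASN comparison (rather than exact IP) are the knobs to tune against an environment's own baseline. Revoking the flagged sessions and reviewing the affected users' MFA registrations follows directly from the incident-response item above.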
EvilProxy AiTM phishing attacks pose a significant and evolving threat to organizations and individuals. To mitigate the risks linked to these sophisticated attacks, implementing a multi-layered security approach is crucial. This approach should encompass technical safeguards, user awareness, and proactive threat hunting. Organizations need to stay informed about emerging threats. They should adopt best security practices. Vigilance is necessary to protect their sensitive data and systems.