
EvilProxy Phishing Attacks On US Executives

EvilProxy, a phishing-as-a-service (PaaS) toolkit, has been continuously active in the cybercrime landscape since at least September 2022. Its primary purpose is to provide attackers with a method to bypass two-factor authentication through the clever use of reverse proxy technology.

Attackers sent fraudulent links that passed through the job site Indeed before landing on a fake login page. Their aim was to steal the login credentials of top executives across a range of industries.

To execute this scheme, the attacker configures the EvilProxy service to generate a phishing website to their requirements. The phishing site is only put online once this setup is complete and ready to carry out its malicious activity.

Once a user is redirected to the phishing page, they are asked for both their login credentials and their 2FA code. The toolkit relays this information in real time to the genuine site the attacker is targeting, taking over the resulting session.

Menlo Security, a cybersecurity research team, disclosed the campaign a week ago in its most recent alert, a full investigation into a campaign that ran from July through August 2023.

They found that there was a significant focus on executives, particularly those in the C-suite. The target industries for this campaign included manufacturing, property management, insurance companies, banking and financial services, and real estate.

Ravisankar Ramprasad, a security analyst at Menlo Security, mentioned:

The threat actors leveraged an open redirection vulnerability on the job search platform indeed.com, redirecting victims to malicious phishing pages impersonating Microsoft.

Microsoft tracks the operators of this adversary-in-the-middle (AiTM) phishing kit under the code name Storm-0835. These threat actors are thought to have hundreds of customers.

Microsoft further said in a report:

These cyber criminals pay monthly license fees ranging from $200 to $1,000 USD and carry out daily phishing campaigns. Because so many threat actors use these services, it is impractical to attribute campaigns to specific actors.

EvilProxy phishing-as-a-service

The EvilProxy toolkit facilitates the redirection of victims to a fake Microsoft login page after clicking the provided URL. The target unwittingly submits their login information and 2FA code on the phishing page.

The toolkit immediately relays these credentials and the 2FA code server-side to obtain an authenticated session cookie for the attacker. That cookie then grants access to the victim’s data on the Microsoft website without the attacker ever needing the password or 2FA code again.

Figure: EvilProxy as Reverse Proxy in Attack Chain (Menlo Security)

Getting the victim to the phishing page in the first place is achieved by abusing an open redirect vulnerability. These vulnerabilities arise when a website forwards visitors to a destination taken from user-controlled input without validating it, so a link that appears to point at a trusted site can send the visitor to any destination and bypass link filters that trust that site.

Figure: Flow of Phishing Redirections (Menlo Security)

The phishing toolkit includes an API that makes use of Microsoft’s Ajax Content Delivery Network (CDN) to dynamically retrieve and render JavaScript content.

It sends the victim’s base64-encoded email address and a session identifier in an HTTP POST request, consistent with how the EvilProxy phishing toolkit is known to operate. The kit additionally uses the FingerprintJS library to fingerprint the victim’s browser, which makes the phishing operation more effective.

According to Ravisankar Ramprasad:

The parameters in the URL that follow the ‘?’ are a combination of parameters unique to indeed.com and the target parameter, whose argument consists of the destination URL. Hence the user, upon clicking the URL, ends up getting redirected to example.com. In an actual attack, the user would be redirected to a phishing page.
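To make the open redirect described above concrete, here is an added Python example (not code from this article, from Menlo Security or from Indeed) that contrasts a redirect handler which trusts the target parameter as-is with one that validates it against the site’s own host. The parameter name comes from the analyst’s quote; the site origin, handler path and sample links are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urljoin, urlparse

# Assumed values for illustration only: the real handler's path and exact
# host are not given on the page; "target" is the parameter the analyst
# quote names as carrying the destination URL.
SITE_ORIGIN = "https://www.indeed.com"
SITE_HOST = "indeed.com"
PARAM = "target"

def vulnerable_redirect(url: str) -> str:
    """Open redirect: sends the browser wherever 'target' says."""
    qs = parse_qs(urlparse(url).query)
    return qs.get(PARAM, ["/"])[0]

def allowed_host(host: str) -> bool:
    """Accept the site host or a genuine subdomain, never a lookalike
    such as indeed.com.phish.test (suffix match on a full label)."""
    host = host.lower().rstrip(".")
    return host == SITE_HOST or host.endswith("." + SITE_HOST)

def safe_redirect(url: str) -> str:
    """Resolve 'target' against the site origin and refuse anything
    off-site; fall back to the site root whenever in doubt."""
    qs = parse_qs(urlparse(url).query)
    raw = qs.get(PARAM, ["/"])[0].strip()
    # Browsers treat a backslash like a slash in http(s) URLs, so
    # "/\phish.test" would become "//phish.test"; normalise before checking.
    raw = raw.replace("\\", "/")
    resolved = urljoin(SITE_ORIGIN, raw)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):   # javascript:, data:, ...
        return "/"
    if not parsed.hostname or not allowed_host(parsed.hostname):
        return "/"   # //phish.test, user@phish.test, lookalike hosts
    return resolved

if __name__ == "__main__":
    # Constructed sample links; ".test" domains are reserved placeholders.
    links = [
        "https://www.indeed.com/rc/clk?jk=abc123&target=/jobs%3Fq%3Danalyst",
        "https://www.indeed.com/rc/clk?jk=abc123&target=https://login.phish.test/",
        "https://www.indeed.com/rc/clk?jk=abc123&target=//phish.test/",
        "https://www.indeed.com/rc/clk?jk=abc123&target=https://indeed.com.phish.test/",
        "https://www.indeed.com/rc/clk?jk=abc123&target=/%5Cphish.test",
    ]
    for link in links:
        print(f"vulnerable -> {vulnerable_redirect(link)}\n      safe -> {safe_redirect(link)}")
```

The same validation applies to any parameter a site uses for post-login or click-tracking redirects; the point is that only the site’s own origin, resolved server-side, is ever allowed through.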

A campaign with similar characteristics that used EvilProxy was uncovered in April. It targeted senior executives and impersonated reputable businesses such as Adobe and DocuSign. The goal was to compromise cloud-based Microsoft 365 accounts across a network of over 100 organisations with a combined workforce of 1.5 million employees.

It is important to train employees to distinguish phishing emails from legitimate ones and to identify suspicious links inside emails. When in doubt, employees should have an easy way to submit suspected emails to the IT security team for further investigation, such as a clickable button embedded in their email client.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. 
