A reverse-proxy phishing-as-a-service (PaaS) platform named EvilProxy has surfaced, promising to steal authentication credentials and get around multi-factor authentication (MFA) on Apple, Microsoft, Google, Facebook, Twitter, GoDaddy, GitHub, and even PyPI. The service lets low-skill threat actors who do not know how to set up a reverse proxy themselves steal internet accounts that are otherwise well protected.
Reverse proxies are servers that sit between a targeted victim and a trusted authentication endpoint, such as a business’s login page. When the victim connects to the phishing page, the reverse proxy shows the original login form, relays the victim’s requests to the business website, and returns its replies. After the victim enters their credentials and MFA code on the phishing page, they are forwarded to the real platform’s server, logged in, and issued a session cookie. Because the threat actor’s proxy sits in the middle of this exchange, it can also capture the session cookie holding the authentication token. The threat actors can then present this cookie to the website and be treated as the user, bypassing the MFA protection the user has set up.
Sophisticated APT groups have used reverse proxies to get around MFA safeguards on target accounts for some time now. Some of these organizations use their bespoke tools, while others use easier-to-use kits like Modlishka, Necrobrowser, and Evilginx2. These phishing frameworks differ from EvilProxy in that the latter is easier to set up, provides in-depth training and instructional videos, has an intuitive graphical user interface, and offers a wide variety of cloned phishing sites for well-known online businesses.
According to cybersecurity company Resecurity, EvilProxy provides a simple-to-use GUI where threat actors can set up and manage phishing campaigns and all the information that goes with them. The service asks for $150 for ten days, $250 for twenty days, or $400 for a month-long campaign in exchange for the promise to obtain usernames, passwords, and session cookies. Attacks against Google accounts are more expensive, costing $250/450/600.
Although the service is frequently advertised on several Clearnet and dark web hacking communities, some prospective customers are probably turned down, since the operators screen their clients. Resecurity reports that each customer arranges payment for the service via Telegram. Once the deposit is paid, the customer gains access to the portal hosted on the onion network (TOR). Resecurity’s evaluation of the platform shows that EvilProxy also provides VM, anti-analysis, and anti-bot protection to weed out unwanted or non-victim visits to the phishing sites it hosts.
“The bad actors are using multiple techniques and approaches to recognize victims and to protect the phishing-kit code from being detected,” said Resecurity. “Like fraud prevention and cyber threat intelligence (CTI) solutions, they aggregate data about known VPN services, Proxies, TOR exit nodes and other hosts which may be used for IP reputation analysis (of potential victims).”
Reverse-proxy techniques are becoming more popular among threat actors as MFA adoption rises. The arrival of a platform that streamlines everything for criminals is bad news for security teams and network administrators. For now, the only countermeasure to this kind of attack is client-side TLS fingerprinting, used to detect and block requests that arrive through a man-in-the-middle proxy. Industry adoption of that technique, however, has not kept pace with the threat. Platforms like EvilProxy therefore fill the skills gap and give low-level threat actors a cheap way to steal valuable accounts.
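The two detection signals the article points at can be turned into concrete log rules. The following is an added example written for this page, not code from the article or from Resecurity’s report. It assumes a login service that records, for each MFA completion and each later use of the resulting session cookie, the source IP, a JA3-style client TLS fingerprint and the User-Agent header. Because the proxy, not the victim’s browser, performs the TLS handshake with the real site, the TLS fingerprint at MFA time will not match what the claimed browser normally produces; and because the stolen cookie is later replayed from the attacker’s own client, the cookie’s source IP and fingerprint drift from those seen when it was issued. All fingerprint values, IP addresses and log records below are constructed for the example and are not real JA3 hashes or EvilProxy indicators.

```python
"""Detection sketch for reverse-proxy (adversary-in-the-middle) phishing.

Signals checked:
  1. tls_ua_mismatch      - the User-Agent claims a browser, but the client TLS
                            fingerprint is not one that browser is known to produce
                            (the proxy's TLS stack did the handshake, not the browser).
  2. session_client_drift - a session cookie minted after MFA is later presented
                            from a different source IP or TLS fingerprint.

Every value below (fingerprints, IPs, sessions) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: fingerprints observed from genuine browsers in your own
# traffic. In production this table is built and refreshed from real data.
KNOWN_BROWSER_FINGERPRINTS: Dict[str, Set[str]] = {
    "Chrome": {"fp-chrome-001", "fp-chrome-002"},
    "Firefox": {"fp-firefox-001"},
}


@dataclass
class Event:
    ts: int          # seconds since epoch (constructed)
    user: str
    kind: str        # "mfa_ok": MFA completed and cookie issued; "session_use": cookie presented
    src_ip: str
    ja3: str         # client TLS fingerprint, JA3-style (constructed values)
    user_agent: str
    session: str     # session cookie identifier


def browser_family(user_agent: str) -> str:
    """Minimal User-Agent classifier; sufficient for the mismatch rule."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent:
        return "Chrome"
    return "Other"


def tls_ua_mismatch(ev: Event) -> bool:
    """True when the UA claims a known browser but the TLS fingerprint is not in that browser's baseline."""
    family = browser_family(ev.user_agent)
    if family == "Other":
        return False  # no baseline to compare against
    return ev.ja3 not in KNOWN_BROWSER_FINGERPRINTS[family]


def analyze(events: List[Event]) -> List[dict]:
    """Return one alert dict per finding, in timestamp order."""
    alerts: List[dict] = []
    issued: Dict[str, Event] = {}  # session id -> the mfa_ok event that minted it
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_ok":
            issued[ev.session] = ev
            if tls_ua_mismatch(ev):
                alerts.append({"rule": "tls_ua_mismatch", "user": ev.user,
                               "session": ev.session, "ja3": ev.ja3})
        elif ev.kind == "session_use":
            origin = issued.get(ev.session)
            if origin is None:
                continue  # cookie we never saw minted; outside this sketch
            if ev.ja3 != origin.ja3 or ev.src_ip != origin.src_ip:
                alerts.append({"rule": "session_client_drift", "user": ev.user,
                               "session": ev.session,
                               "from": (origin.src_ip, origin.ja3),
                               "to": (ev.src_ip, ev.ja3)})
    return alerts


# Constructed sample log. alice logs in directly; bob's login is relayed through
# a phishing proxy that forwards his browser's User-Agent but handshakes with its
# own TLS stack, and the captured cookie is later replayed from another client.
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/105.0 Safari/537.36"
SAMPLE_EVENTS = [
    Event(100, "alice", "mfa_ok", "198.51.100.10", "fp-chrome-001", CHROME_UA, "s-alice"),
    Event(160, "alice", "session_use", "198.51.100.10", "fp-chrome-001", CHROME_UA, "s-alice"),
    Event(200, "bob", "mfa_ok", "203.0.113.5", "fp-proxy-stack-001", CHROME_UA, "s-bob"),
    Event(260, "bob", "session_use", "203.0.113.77", "fp-chrome-002", CHROME_UA, "s-bob"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The first rule is the cheaper one to run at login time and is the one the article calls client-side TLS fingerprinting; the second needs the session store to remember the client that completed MFA. Both are heuristics: a proxy built on a browser-like TLS stack evades the first, and mobile and VPN users legitimately change IP, so the drift rule is better used to trigger step-up re-authentication than a hard block.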