Resecurity experts discovered the EvilProxy phishing platform, which offers reverse proxies to unskilled attackers and promises to steal authentication tokens to bypass multi-factor authentication (MFA) at Apple, Google, Microsoft, Twitter, GitHub, GoDaddy, Facebook and so on.
As a reminder, we also wrote that SVCReady Malware Loader Uses Microsoft Office Documents for Attack, and that a Beta Version of Raccoon Stealer 2.0 Malware with Improved Features Is Available for Purchase.
The way EvilProxy works is quite simple: when a victim visits a phishing page, the reverse proxy shows them the legitimate login form, forwards their requests to the company's real website, and relays the responses back. When the victim enters their credentials and MFA code on the phishing page, those are forwarded to the real company's server as well, and the server answers with a session cookie.
As a result, the attacker's proxy is able to capture this cookie, which contains the authentication token. The token can then be used to log into the site on behalf of the affected user, sidestepping the multi-factor authentication step entirely, since the victim has already completed it.
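Because the cookie in the scheme above is issued to the proxy's connection and later replayed by the attacker, a session that is suddenly used from a different client than the one it was issued to is a useful detection signal. The following is an added, defender-side example, not code from the original article or from Resecurity; the log format, the event names SESSION_ISSUED and REQUEST, the field names, and the sample lines are all constructed for this illustration.

```python
"""
Flag session cookies that are used from a different client than the one they
were issued to (added example; log format and sample data are constructed).
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed log lines: "<ts> <event> session=<id> user=<name> ip=<addr> ua=<id>"
# SESSION_ISSUED is written when login + MFA succeed and a cookie is set;
# REQUEST is written for each later authenticated request carrying that cookie.
SAMPLE_LOG = """\
1 SESSION_ISSUED session=s-1001 user=alice ip=203.0.113.10 ua=ua-chrome-win
2 REQUEST session=s-1001 user=alice ip=203.0.113.10 ua=ua-chrome-win
3 SESSION_ISSUED session=s-2002 user=bob ip=198.51.100.7 ua=ua-safari-mac
4 REQUEST session=s-2002 user=bob ip=198.51.100.7 ua=ua-safari-mac
5 REQUEST session=s-2002 user=bob ip=192.0.2.99 ua=ua-curl
6 REQUEST session=s-3003 user=carol ip=203.0.113.55 ua=ua-firefox-linux
"""


@dataclass(frozen=True)
class Event:
    ts: int
    kind: str
    session: str
    user: str
    ip: str
    ua: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(int(ts), kind, kv["session"], kv["user"], kv["ip"], kv["ua"])


def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


@dataclass(frozen=True)
class Finding:
    ts: int
    session: str
    user: str
    reason: str


def detect_cookie_replay(events: List[Event]) -> List[Finding]:
    """Compare every request against the client the session cookie was issued to.

    A request from a different IP or user-agent than the issuing client, or a
    request carrying a cookie this log never saw issued, is reported.
    """
    issued: Dict[str, Event] = {}
    findings: List[Finding] = []
    for ev in events:
        if ev.kind == "SESSION_ISSUED":
            issued[ev.session] = ev
            continue
        if ev.kind != "REQUEST":
            continue
        origin = issued.get(ev.session)
        if origin is None:
            findings.append(Finding(ev.ts, ev.session, ev.user,
                                    "cookie used without a recorded issuance"))
            continue
        mismatches = []
        if ev.ip != origin.ip:
            mismatches.append(f"ip {origin.ip} -> {ev.ip}")
        if ev.ua != origin.ua:
            mismatches.append(f"ua {origin.ua} -> {ev.ua}")
        if mismatches:
            findings.append(Finding(ev.ts, ev.session, ev.user,
                                    "client changed: " + ", ".join(mismatches)))
    return findings


def flagged_sessions(text: str = SAMPLE_LOG) -> List[str]:
    """Distinct session ids with at least one finding, in log order."""
    seen: List[str] = []
    for f in detect_cookie_replay(parse_log(text)):
        if f.session not in seen:
            seen.append(f.session)
    return seen


if __name__ == "__main__":
    for f in detect_cookie_replay(parse_log(SAMPLE_LOG)):
        print(f"t={f.ts} user={f.user} session={f.session}: {f.reason}")
```

On the constructed sample this reports session s-2002 (issued to one client, then used from another IP and user-agent) and s-3003 (a cookie with no recorded issuance). In production the IP comparison should be loosened to ASN or network range, since mobile and NAT clients legitimately change addresses; the signal is strongest when combined with the observation that, in a proxied login, the "victim's" login IP is the proxy host rather than the user's usual network.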
Attackers have been using reverse proxies to bypass MFA for quite some time now. Some groups build their own tools for this purpose, while others use easier-to-deploy phishing kits such as Modlishka, Necrobrowser, and Evilginx2.
According to the researchers, the difference between these phishing kits and EvilProxy is that the latter is even easier to deploy, as it offers detailed training videos and tutorials, has a user-friendly graphical interface, and a rich selection of cloned phishing pages for popular Internet services.
EvilProxy promises its customers that they will be able to steal usernames, passwords, and session cookies for as little as $150 for 10 days, $250 for 20 days, or $400 for a monthly subscription. Interestingly, attacks on Google accounts cost more — $250/450/600, respectively.
In the video below, Resecurity analysts demonstrate how an attack on a Google account through EvilProxy will unfold.
The researchers write that EvilProxy is actively advertised on various hacker forums (including XSS, Exploit and Breached), that the platform's operators carefully vet prospective customers, and that payment for the service is negotiated individually via Telegram.
Experts tested the phishing platform and confirmed that EvilProxy additionally offers its customers virtual machines, anti-analysis measures, and bot protection to filter unwanted visitors (such as security scanners) away from the phishing pages.