The EvilProxy Phishing Platform Offers a 2FA Bypass for Apple, Google, Microsoft, etc.

Resecurity experts discovered the EvilProxy phishing platform, which offers reverse proxies to unskilled attackers and promises to steal authentication tokens to bypass multi-factor authentication (MFA) at Apple, Google, Microsoft, Twitter, GitHub, GoDaddy, Facebook and so on.


The way EvilProxy works is quite simple: when a victim visits a phishing page, the reverse proxy shows them a legitimate login form, relays their requests to the company’s real website, and returns its responses. When the victim enters their credentials and MFA code on the phishing page, these are also forwarded to the real company’s server, and the session cookie is returned in response.

As a result, the attacker’s proxy gets the opportunity to steal this cookie containing the authentication token. This token can then be used to log into the site on behalf of the affected user or to bypass the protection of multi-factor authentication.
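A defender can look for the replay step described above: a session cookie that shows up from a different IP address or browser than the one it was issued to. The following detection sketch is an added example, not code from Resecurity or from the original article. The log format, field names and the one-hour window are assumptions, and the log lines are constructed sample data.

```python
import json

# Constructed sample events, one JSON object per line; field names are assumptions.
SAMPLE_LOG = """\
{"ts": 1000, "event": "login", "user": "alice", "session": "s-a1", "ip": "198.51.100.7", "ua": "Chrome/104 Windows"}
{"ts": 1060, "event": "request", "user": "alice", "session": "s-a1", "ip": "198.51.100.7", "ua": "Chrome/104 Windows"}
{"ts": 2000, "event": "login", "user": "bob", "session": "s-b1", "ip": "203.0.113.20", "ua": "Chrome/104 Windows"}
{"ts": 2300, "event": "request", "user": "bob", "session": "s-b1", "ip": "192.0.2.44", "ua": "Firefox/103 Linux"}
not-json debris line
{"ts": 2400, "event": "request", "user": "bob", "session": "s-b1", "ip": "203.0.113.20", "ua": "Chrome/104 Windows"}
{"ts": 3000, "event": "request", "user": "carol", "session": "s-c9", "ip": "192.0.2.80", "ua": "Safari/15 macOS"}
"""

def find_session_anomalies(log_text, window=3600):
    """Return findings where a session cookie appears outside its issuing context."""
    issued = {}    # session id -> (ts, ip, ua) recorded when the session was issued
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            ts, sid, ip, ua = ev["ts"], ev["session"], ev["ip"], ev["ua"]
            kind, user = ev["event"], ev["user"]
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records instead of aborting the scan
        if kind == "login":
            issued[sid] = (ts, ip, ua)
            continue
        if sid not in issued:
            # No baseline to compare against: report separately, do not drop silently.
            findings.append({"user": user, "session": sid,
                             "reason": "no_login_seen", "changed": []})
            continue
        t0, ip0, ua0 = issued[sid]
        changed = [n for n, a, b in (("ip", ip0, ip), ("ua", ua0, ua)) if a != b]
        # Flag a context change only shortly after issuance (window is a tuning knob).
        if changed and ts - t0 <= window:
            findings.append({"user": user, "session": sid, "reason": "context_change",
                             "changed": changed, "ip": ip})
    return findings

if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE_LOG):
        print(finding)
```

Because the login itself passes through the reverse proxy, the issuing context recorded here is the proxy's, so this check catches the cookie being replayed from another host rather than the phishing session itself. Binding sessions to the client context on the server side, or using phishing-resistant authenticators, addresses the part this log check cannot see.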

Phishing Platform EvilProxy

Hackers have been using reverse proxies to bypass MFA for quite some time now. Some groups even create their own tools for this purpose, while others use easier-to-deploy phishing kits like Modlishka, Necrobrowser, and Evilginx2.

According to the researchers, the difference between these phishing kits and EvilProxy is that the latter is even easier to deploy: it offers detailed training videos and tutorials, a user-friendly graphical interface, and a rich selection of cloned phishing pages for popular Internet services.

EvilProxy promises its customers that they will be able to steal usernames, passwords, and session cookies for as little as $150 for 10 days, $250 for 20 days, or $400 for a monthly subscription. Interestingly, attacks on Google accounts cost more — $250/450/600, respectively.

In a demonstration video, Resecurity analysts show how an attack on a Google account through EvilProxy unfolds.

The researchers write that EvilProxy is actively advertised on various hacker forums (including XSS, Exploit and Breached). The platform operators carefully vet prospective customers, and payment for services is discussed individually via Telegram.


Experts tested the phishing platform and confirmed that EvilProxy additionally offers its customers virtual machines, anti-analysis, and bot protection to filter out unwanted visitors from phishing pages.

“Attackers use several methods to recognize victims and protect their phishing kit code. As fraud prevention and cyber threat intelligence solutions, they collect data on known VPN services, proxy servers, TOR exit nodes, and other hosts that can be used to analyze IP (potential victims) reputation,” the Resecurity report says.


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.