The multifactor authentication-busting tool ‘EvilProxy’ has been actively used by cybercriminals to target employees of Fortune 500 companies, according to new research. This includes use against services by Apple, Microsoft and GitHub.

EvilProxy
EvilProxy can create a backdoor into servers of commonly used software. (Photo by ryasick/iStock)

EvilProxy works by stealing session cookies, a technique known as session hijacking, that then lets the criminals bypass multifactor authentication. This leaves the victims more exposed as MFA is considered the gold standard when it comes to protecting user accounts, says the report from US security company Resecurity

Branded “phishing-as-a-service”, the toolkit first appeared on the dark web in May this year when the group behind it released a demo video that described how it could be put to use in delivering advanced phishing links, even against systems not normally vulnerable to attack.

To achieve its goals, EvilProxy uses session hijacking to steal a session cookie, a piece of information stored by a web browser that lets a service know that someone has been authenticated. With this cookie stolen the attacker can access it as a service without the need for an MFA token.

The group put the cookie interception tool into a phishing kit that is sold as a subscription service, which Resecurity CEO Gene Yoo says increases its appeal among cybercriminals and leads to wider distribution.

Researchers found it has been configured to target Google, iCloud, Dropbox, LinkedIn, Yandex, Facebook, Twitter and WordPress among others and can target users of services that are involved in the software supply chain. This includes GitHub, the Python Package Index, RubyGems and Javascript package manager NPM.

This level of targeting means it could be used to tamper with software packages and install backdoors in the software that could give cybercriminals greater access than would otherwise be the case.

EvilProxy has been published and advertised on a number of hacking forums, advertised as a “security awareness tool” that can improve a company’s resilience against phishing attacks. Its described by the group running it as a “Phishing as a Service (PhaaS) program for all employees of the organisation”.

EvilProxy uses a reverse proxy server

“These tactics allow cybercriminals to capitalise on the end users’ insecurity, who assume they’re downloading software packages from secure resources and don’t expect it to be compromised,” Resecurity researchers wrote in a blog post.

It works by setting up a reverse proxy that sits between a phishing site and the real service, intercepting data sent by the real service. A user is sent a phishing link, they click the link and see the login page they expect, when entering the login details the credentials and the MFA token are sent on to the real service. It gives back a session cookie captured by the reverse proxy.

Also known as an adversary-in-the-middle campaign, this type of attack was discovered being used to target C-suite executives via a flaw in Microsoft’s Office 365 that let attackers monitor all emails and insert themselves in a thread to convince victims to send money to a criminal bank account.

By utilising a real service and just capturing cookies as they pass through to the user the hacker can “harvest the actual valid session cookies and bypass the need to authenticate with usernames, passwords and MFA tokens,” explained Yoo.

The cookies can expire or be invalidated, but while valid they provide the hacker with wide-scale access to their victims’ accounts and services.

Phishing as a service

The tool is sold as a service, with cybercriminals purchasing access to a particular service login interface for a set number of days. It generates the phishing URLs but it is the responsibility of the attacker to get them out to victims.

Like its more legitimate service subscription counterparts, EvilProxy even offers analytics via a portal allowing the hacker to monitor traffic flow, data collection and monitor campaigns.

“The payment for EvilProxy is organised manually via an operator on Telegram. Once the funds for the subscription are received, they will deposit to the account in customer portal hosted in TOR. The kit is available for $400 per month in the Dark Web hosted in TOR network,” wrote Resecurity.

It is a difficult tool to shut down, according to Yoo, who said they are constantly changing the surface of infrastructures including the domains and hosts they use for the front end. “The bad actors are using multiple techniques and approaches to recognise victims and to protect the phishing-kit code from being detected,” he said.

“Like fraud prevention and cyber threat intelligence (CTI) solutions, they aggregate data about known VPN services, Proxies, TOR exit nodes and other hosts which may be used for IP reputation analysis (of potential victims). In the case they suspect a bot or researcher, they drop the connection or redirect it to a specific host.”

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: RSOCKS botnet taken down as FBI hits Russian hackers