EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web
Following the recent Twilio hack leading to the leakage of 2FA (OTP) codes, cybercriminals continue to upgrade their attack arsenal to orchestrate advanced phishing campaigns targeting users worldwide. Resecurity has recently identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised in the Dark Web. On some sources the alternative name is Moloch, which has some connection to a phishing-kit developed by several notable underground actors who targeted the financial institutions and e-commerce sector before.
EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxyfying victim’s session. Early occurrences of EvilProxy have been initially identified in connection to attacks against Google and MSFT customers who have MFA enabled on their accounts – either with SMS or Application Token.
EvilProxy uses the “Reverse Proxy” principle. The reverse proxy concept is simple: the bad actors lead victims into a phishing page, use the reverse proxy to fetch all the legitimate content which the user expects including login pages – it sniffs their traffic as it passes through the proxy. This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords and/or 2FA tokens.