Resecurity experts discovered the EvilProxy phishing platform, which offers reverse proxies to unskilled attackers and promises to steal authentication tokens that bypass multi-factor authentication (MFA) at Apple, Google, Microsoft, Twitter, GitHub, GoDaddy, Facebook and others.
The way EvilProxy works is quite simple: when a victim visits a phishing page, the reverse proxy shows them the legitimate login form, relays their requests to the company's real website, and passes the responses back. When the victim enters their credentials and MFA code on the phishing page, those too are forwarded to the real company's server, and the session cookie comes back in the response.
As a result, the attacker's proxy can capture this cookie, which carries the authentication token. The token can then be used to log into the site as the affected user, bypassing the protection multi-factor authentication was supposed to provide.
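The cookie-replay step described above is what a defender can look for in sign-in telemetry. The following is an added example, not code from the Resecurity report or from any EvilProxy component: it runs two checks over constructed log lines, a post-MFA login arriving from an ASN the user has never used (during an adversary-in-the-middle login the real site only ever talks to the proxy, so the login appears to come from the attacker's host), and a session token later used from a different network than the one that completed the login. The event format, ASN labels and hosting-ASN list are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample sign-in telemetry (not from any real system). During an
# AitM login the real site only ever talks to the proxy, so the post-MFA
# login itself arrives from the attacker's infrastructure, not the user's
# usual network; the stolen cookie may then be replayed from yet another host.
SAMPLE_LOG = """
{"ts": 1, "user": "alice", "event": "login_success", "ip": "203.0.113.10", "asn": "AS64500-CORP", "session": "s1"}
{"ts": 2, "user": "alice", "event": "request", "ip": "203.0.113.10", "asn": "AS64500-CORP", "session": "s1"}
{"ts": 50, "user": "alice", "event": "login_success", "ip": "198.51.100.7", "asn": "AS64510-HOSTING", "session": "s2"}
{"ts": 55, "user": "alice", "event": "request", "ip": "192.0.2.99", "asn": "AS64520-VPN", "session": "s2"}
"""

# Placeholder set of VPS/hosting ASNs; a real deployment would use a maintained list.
HOSTING_ASNS = {"AS64510-HOSTING"}


def parse_events(text):
    """Parse one JSON object per line into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines()]


def detect_aitm(events, hosting_asns=HOSTING_ASNS):
    """Return (ts, user, kind, detail) alerts for two AitM-style signals:
    a login from an ASN the user has never used, and a session token used
    from a different ASN than the one that completed the login."""
    baseline = defaultdict(set)  # user -> ASNs seen on trusted successful logins
    issued = {}                  # session id -> ASN that completed the login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "login_success":
            known = baseline[ev["user"]]
            if known and ev["asn"] not in known:
                reason = "login from ASN never seen for this user"
                if ev["asn"] in hosting_asns:
                    reason += " (hosting provider)"
                alerts.append((ev["ts"], ev["user"], "suspicious_login", reason))
            else:
                known.add(ev["asn"])  # first login or a known network: extend baseline
            issued[ev["session"]] = ev["asn"]
        elif ev["event"] == "request":
            origin = issued.get(ev["session"])
            if origin is not None and ev["asn"] != origin:
                alerts.append((ev["ts"], ev["user"], "session_replay",
                               f"issued to {origin}, used from {ev['asn']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm(parse_events(SAMPLE_LOG)):
        print(alert)
```

If the attacker replays the cookie from the same host that ran the proxy, only the first check fires, so the baseline comparison on the login itself is the more reliable of the two signals.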
Hackers have been using reverse proxies to bypass MFA for quite some time now. Some groups build their own tools for this purpose, while others use easier-to-deploy phishing kits such as Modlishka, Necrobrowser, and Evilginx2.
According to the researchers, the difference between these phishing kits and EvilProxy is that the latter is even easier to deploy, offers detailed training videos and tutorials, has a user-friendly graphical interface, and a rich selection of cloned phishing pages for popular Internet services.
EvilProxy promises its customers that they will be able to steal usernames, passwords, and session cookies for as little as $150 for 10 days, $250 for 20 days, or $400 for a monthly subscription. Interestingly, attacks on Google accounts cost more: $250, $450 and $600 for the same periods.
In the video below, Resecurity analysts demonstrate how an attack on a Google account through EvilProxy will unfold.
The researchers write that EvilProxy is actively advertised on various hacker forums (including XSS, Exploit and Breached), that the platform's operators carefully vet prospective customers, and that payment for services is negotiated individually via Telegram.
Testing of the phishing platform by experts confirmed that EvilProxy additionally offers virtual machines, anti-analysis, and bot protection to its customers to filter out unwanted visitors from phishing pages.
“Attackers use several methods to recognize victims and protect their phishing kit code. Like fraud prevention and cyber threat intelligence solutions, they collect data on known VPN services, proxy servers, TOR exit nodes, and other hosts that can be used to analyze IP (potential victims) reputation,” the Resecurity report says.