A new phishing-as-a-service offering on the dark web poses a threat to online accounts protected by multi-factor authentication, according to a blog posted Monday by an endpoint security company.
Called EvilProxy, the service allows threat actors to launch phishing campaigns with the ability to bypass MFA at scale without the need to hack upstream services, Resecurity researchers noted in the blog.
The service uses methods favored by APT and cyber espionage groups to compromise accounts protected by MFA. Such attacks have been discovered against Google and Microsoft customers who have MFA enabled on their accounts either via SMS text message or application token, according to the researchers.
Phishing links produced by EvilProxy lead to cloned web pages crafted to compromise accounts associated with a number of services, including Apple iCloud, Facebook, GoDaddy, GitHub, Dropbox, Instagram, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex.
It’s highly likely the threat actors using EvilProxy aim to target software developers and IT engineers to gain access to their repositories with the end goal to hack “downstream” targets, the researchers wrote.
They explained that these tactics allow cybercriminals to capitalize on end users who assume they’re downloading software packages from secure resources and don’t expect them to be compromised.
Quicker, Faster, Better
“This incident poses a threat to software supply chains as it targets developers by giving the cybercriminal clients of the service the ability to launch campaigns against GitHub, PyPI, and NPM,” said Aviad Gershon, security research team leader at Checkmarx, an application security company, in Tel Aviv, Israel.
“Just two weeks ago,” he told TechNewsWorld, “we saw the first phishing attack against PyPI contributors, and now we see that this service is taking it a few steps further by making these campaigns accessible to less technical operators and by adding the ability to bypass MFA.”
Checkmarx’s head of supply chain security Tzachi Zorenstain added that the nature of supply chain attacks increases the reach and impact of cyberattacks.
“Abusing the open-source ecosystem represents an easy way for attackers to increase the effectiveness of their attacks,” he told TechNewsWorld. “We believe this is the start of a trend that will increase in the coming months.”
A phishing-as-a-service platform can also boost attacker effectiveness. “Because PhaaS can do things at scale, it enables the adversaries to be more efficient in stealing and spoofing identities,” observed Resecurity CEO Gene Yoo.
“Old fashioned phishing campaigns require money and resources, which can be burdensome for one person,” he told TechNewsWorld. “PhaaS is just quicker, faster, better.”
“This is something that’s very unique,” he added. “Productizing a phishing service at this scale is very rare.”
Alon Nachmany, field CISO at AppViewX, a certificate lifecycle management and network automation company, in New York City, explained that many illegal services, hacking and malicious intent solutions are products.
“By using a PhaaS solutions malicious actors have less overhead and less to set up to spring an attack,” he told TechNewsWorld.
“Quite honestly,” he continued, “I’m surprised it took this long to become a thing. There are many marketplaces where you can buy ransomware software and link it to your wallet. Once deployed, you can collect ransom. The only difference here is that it’s fully hosted for the attacker.”
While phishing is often considered a low effort activity in the world of hacking, it does still requires some work, added Monnia Deng, director of product marketing at Bolster, a provider of automated digital risk protection, in Los Altos, Calif. You would need to do things like stand up a phishing site, craft an email, create an automated manager, and, nowadays, steal 2FA credentials on top of the primary credentials, she explained.
“With PhaaS,” she continued, “everything is packaged nicely on a subscription basis for criminals who do not need to have any hacking or even social engineering experience. It opens the field to many more threat actors who are looking to exploit organizations for their own gain.”
Bad Actors, Great Software
The Resecurity researchers explained payment for EvilProxy is organized manually via an operator on Telegram. Once the funds for the subscription are received, they will deposit to the account in a customer portal hosted on TOR. The kit is available for $400 per month.
The portal of EvilProxy contains multiple tutorials and interactive videos on the use of the service and configuration tips. “Being frank,” the researchers wrote, “the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection.”
“This attack just shows the maturation of the bad actor community,” observed George Gerchow, CSO and senior vice president of IT at Sumo Logic, an analytics company focusing on security, operations, and business information, in Redwood City, Calif.
“They are packing up these kits nicely with detailed documentation and videos to make it easy,” he told TechNewsWorld.
The service uses the “Reverse Proxy” principle, the researchers noted. It works like this: the bad actors lead victims into a phishing page, uses the reverse proxy to fetch all the legitimate content the user expects to see, and sniffs their traffic as it passes through the proxy.
“This attack highlights just how low the barrier to entry is for unsophisticated actors,” said Heather Iannucci, a CTI analyst at Tanium, a maker of an endpoint management and security platform, in Kirkland, Wash.
“With EvilProxy, a proxy server sits in between the legitimate platform’s server and the phishing page, which steals the victim’s session cookie,” she told TechNewsWorld. “This can then be used by the threat actor to login to the legitimate site as the user without MFA.”
“Defending against EvilProxy is a challenge because it combines tricking a victim and MFA bypass,” Yoo added. “Actual compromise is invisible to the victim. Everything looks good, but it’s not.”
Nachmany warned that users should be concerned about the effectiveness of MFA that uses text messages or application tokens. “Phaas is designed to use them, and this is a trend that will grow in our market,” he said.
“The use of certificates as an additional factor is one that I foresee growing in use, soon,” he added.
While users should be attentive when using MFA, it still is an effective mitigation against phishing, maintained Patrick Harr, CEO of SlashNext, a network security company in Pleasanton, Calif.
“It increases the difficulty of leveraging compromised credentials to breach an organization, but it’s not foolproof,” he said. “If a link leads the user to a fake replica of a legitimate site — one that is nearly impossible to recognize as not legitimate — then the user can fall victim to an adversary-in-the-middle attack, like the one used by EvilProxy.”