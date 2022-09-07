Hacking
 

EvilProxy Phishing Service Threatens MFA Protection of Accounts


A new phishing-as-a-service offering on the dark web poses a threat to online accounts protected by multi-factor authentication, according to a blog posted Monday by an endpoint security company.

Called EvilProxy, the service allows threat actors to launch phishing campaigns with the ability to bypass MFA at scale without the need to hack upstream services, Resecurity researchers noted in the blog.

The service uses methods favored by APT and cyber espionage groups to compromise accounts protected by MFA. Such attacks have been discovered against Google and Microsoft customers who have MFA enabled on their accounts either via SMS text message or application token, according to the researchers.

Phishing links produced by EvilProxy lead to cloned web pages crafted to compromise accounts associated with a number of services, including Apple iCloud, Facebook, GoDaddy, GitHub, Dropbox, Instagram, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex.

It’s highly likely the threat actors using EvilProxy aim to target software developers and IT engineers to gain access to their repositories with the end goal to hack “downstream” targets, the researchers wrote.

They explained that these tactics allow cybercriminals to capitalize on end users who assume they’re downloading software packages from secure resources and don’t expect them to be compromised.

Quicker, Faster, Better

“This incident poses a threat to software supply chains as it targets developers by giving the cybercriminal clients of the service the ability to launch campaigns against GitHub, PyPI, and NPM,” said Aviad Gershon, security research team leader at Checkmarx, an application security company, in Tel Aviv, Israel.

“Just two weeks ago,” he told TechNewsWorld, “we saw the first phishing attack against PyPI contributors, and now we see that this service is taking it a few steps further by making these campaigns accessible to less technical operators and by adding the ability to bypass MFA.”

Checkmarx’s head of supply chain security Tzachi Zorenstain added that the nature of supply chain attacks increases the reach and impact of cyberattacks.

“Abusing the open-source ecosystem represents an easy way for attackers to increase the effectiveness of their attacks,” he told TechNewsWorld. “We believe this is the start of a trend that will increase in the coming months.”

A phishing-as-a-service platform can also boost attacker effectiveness. “Because PhaaS can do things at scale, it enables the adversaries to be more efficient in stealing and spoofing identities,” observed Resecurity CEO Gene Yoo.

“Old fashioned phishing campaigns require money and resources, which can be burdensome for one person,” he told TechNewsWorld. “PhaaS is just quicker, faster, better.”

“This is something that’s very unique,” he added. “Productizing a phishing service at this scale is very rare.”

Nicely Packaged

Alon Nachmany, field CISO at AppViewX, a certificate lifecycle management and network automation company, in New York City, explained that many illegal services, hacking and malicious intent solutions are products.

“By using a PhaaS solution, malicious actors have less overhead and less to set up to spring an attack,” he told TechNewsWorld.

“Quite honestly,” he continued, “I’m surprised it took this long to become a thing. There are many marketplaces where you can buy ransomware software and link it to your wallet. Once deployed, you can collect ransom. The only difference here is that it’s fully hosted for the attacker.”

While phishing is often considered a low-effort activity in the world of hacking, it still requires some work, added Monnia Deng, director of product marketing at Bolster, a provider of automated digital risk protection, in Los Altos, Calif. You would need to do things like stand up a phishing site, craft an email, create an automated manager, and, nowadays, steal 2FA credentials on top of the primary credentials, she explained.

“With PhaaS,” she continued, “everything is packaged nicely on a subscription basis for criminals who do not need to have any hacking or even social engineering experience. It opens the field to many more threat actors who are looking to exploit organizations for their own gain.”

Bad Actors, Great Software

The Resecurity researchers explained that payment for EvilProxy is organized manually via an operator on Telegram. Once the funds for the subscription are received, they are deposited to the account in a customer portal hosted on Tor. The kit is available for $400 per month.

The portal of EvilProxy contains multiple tutorials and interactive videos on the use of the service and configuration tips. “Being frank,” the researchers wrote, “the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection.”

“This attack just shows the maturation of the bad actor community,” observed George Gerchow, CSO and senior vice president of IT at Sumo Logic, an analytics company focusing on security, operations, and business information, in Redwood City, Calif.

“They are packing up these kits nicely with detailed documentation and videos to make it easy,” he told TechNewsWorld.

The service uses the “Reverse Proxy” principle, the researchers noted. It works like this: the bad actors lead victims to a phishing page, use the reverse proxy to fetch all the legitimate content the user expects to see, and sniff the victims’ traffic as it passes through the proxy.

“This attack highlights just how low the barrier to entry is for unsophisticated actors,” said Heather Iannucci, a CTI analyst at Tanium, a maker of an endpoint management and security platform, in Kirkland, Wash.

“With EvilProxy, a proxy server sits in between the legitimate platform’s server and the phishing page, which steals the victim’s session cookie,” she told TechNewsWorld. “This can then be used by the threat actor to login to the legitimate site as the user without MFA.”

“Defending against EvilProxy is a challenge because it combines tricking a victim and MFA bypass,” Yoo added. “Actual compromise is invisible to the victim. Everything looks good, but it’s not.”
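Because the stolen session cookie is replayed after MFA has already succeeded, one server-side signal is a session that suddenly appears from a different client than the one that completed MFA. The following is an added example, not code from the article or from Resecurity; the log format, field names, and sample events are constructed for illustration, and the result is a heuristic for review rather than proof of compromise.

```python
import ipaddress
import re

# Constructed session events (documentation IP ranges, made-up session ids).
SAMPLE_LOG = '''\
2022-09-05T10:00:01Z mfa_ok  sid=a1f3 ip=198.51.100.7 ua="Chrome/104 Windows"
2022-09-05T10:00:09Z request sid=a1f3 ip=198.51.100.7 ua="Chrome/104 Windows"
2022-09-05T10:04:30Z request sid=a1f3 ip=203.0.113.50 ua="Firefox/102 Linux"
2022-09-05T11:15:00Z mfa_ok  sid=b7c2 ip=192.0.2.10 ua="Safari/15 macOS"
2022-09-05T11:20:12Z request sid=b7c2 ip=192.0.2.77 ua="Safari/15 macOS"
2022-09-05T12:40:45Z request sid=b7c2 ip=203.0.113.9 ua="Safari/15 macOS"
'''

# Assumed (hypothetical) log layout: timestamp, event, sid=, ip=, ua="..."
LINE = re.compile(
    r'(?P<ts>\S+)\s+(?P<event>\S+)\s+sid=(?P<sid>\S+)\s+ip=(?P<ip>\S+)\s+ua="(?P<ua>[^"]*)"'
)


def client_network(ip):
    """Coarse network for an address, so address churn inside one subnet is not flagged."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_session_replays(log_text):
    """Return (ts, sid, severity, changed) for requests whose client differs from
    the client that completed MFA for that session."""
    bound = {}   # sid -> (network, user agent) recorded at MFA completion
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        net, ua = client_network(m["ip"]), m["ua"]
        if m["event"] == "mfa_ok":
            bound[m["sid"]] = (net, ua)
            continue
        if m["sid"] not in bound:
            continue  # session started outside this log window; out of scope here
        bound_net, bound_ua = bound[m["sid"]]
        changed = []
        if net != bound_net:
            changed.append("network")
        if ua != bound_ua:
            changed.append("user_agent")
        if changed:
            # Both attributes changing mid-session is a stronger replay signal
            # than a roaming user whose browser stays the same.
            severity = "high" if len(changed) == 2 else "low"
            alerts.append((m["ts"], m["sid"], severity, changed))
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print(alert)
```

A "high" alert is a candidate for revoking the session and forcing re-authentication; "low" alerts are better correlated with other signals before acting.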

Still Effective

Nachmany warned that users should be concerned about the effectiveness of MFA that uses text messages or application tokens. “PhaaS is designed to use them, and this is a trend that will grow in our market,” he said.

“The use of certificates as an additional factor is one that I foresee growing in use, soon,” he added.

While users should be attentive when using MFA, it still is an effective mitigation against phishing, maintained Patrick Harr, CEO of SlashNext, a network security company in Pleasanton, Calif.

“It increases the difficulty of leveraging compromised credentials to breach an organization, but it’s not foolproof,” he said. “If a link leads the user to a fake replica of a legitimate site — one that is nearly impossible to recognize as not legitimate — then the user can fall victim to an adversary-in-the-middle attack, like the one used by EvilProxy.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.
