EvilProxy: new phishing attack from the Dark Web

Esteban Suárez

A new Phishing-as-a-Service (PhaaS) toolkit called EvilProxy is being advertised on the criminal underground as a way for threat actors to bypass the two-factor authentication (2FA) protections used by online services.

“EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA authentication, rendering the victim’s session a proxy,” researchers at Resecurity said in an article posted Monday.

The platform generates phishing links that are nothing more than cloned pages designed to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo and Yandex, among others.

EvilProxy is similar to adversary-in-the-middle (AiTM) attacks in that users interact with a malicious proxy server that acts as an intermediary for the target website, covertly collecting the credentials and 2FA access codes entered on the login pages.
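Why the relay described above defeats one-time codes but not an origin-bound authenticator, shown with a small model. This is an added example, not code from the article or from Resecurity; the origins and keys are constructed, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the real service and a hypothetical lookalike domain fronting a reverse proxy.
LEGIT_ORIGIN = "https://login.example-service.test"
PHISH_ORIGIN = "https://login.example-service-verify.test"


class RelyingParty:
    """Model of the real site. HMAC stands in for the public-key signature a real authenticator makes."""
    def __init__(self, origin, otp_secret, authenticator_key):
        self.origin = origin
        self.otp_secret = otp_secret
        self.authenticator_key = authenticator_key

    def current_otp(self, counter):
        # HOTP-style code: six digits derived from a shared secret, with nothing tying it to a page.
        digest = hmac.new(self.otp_secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
        return "%06d" % (int.from_bytes(digest[-4:], "big") % 1_000_000)

    def verify_otp(self, code, counter):
        return hmac.compare_digest(code, self.current_otp(counter))

    def verify_assertion(self, assertion):
        # WebAuthn verification (challenge freshness omitted from this model): the signature must cover
        # clientDataJSON, and the origin the browser recorded there must be this site, not the relaying page.
        mac = hmac.new(self.authenticator_key, assertion["client_data_json"].encode(), hashlib.sha256)
        if not hmac.compare_digest(mac.hexdigest(), assertion["signature"]):
            return False
        return json.loads(assertion["client_data_json"])["origin"] == self.origin


def authenticator_sign(key, browser_origin, challenge):
    # The browser, not the page, fills in the origin it actually loaded, so a proxy cannot rewrite it.
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}
    client_data_json = json.dumps(client_data, sort_keys=True)
    signature = hmac.new(key, client_data_json.encode(), hashlib.sha256).hexdigest()
    return {"client_data_json": client_data_json, "signature": signature}


def simulate(victim_page_origin):
    """Victim signs in on a page at victim_page_origin; everything submitted is relayed unchanged to the real site."""
    auth_key = b"constructed-authenticator-key"
    rp = RelyingParty(LEGIT_ORIGIN, b"constructed-otp-seed", auth_key)
    counter = 42
    typed_code = rp.current_otp(counter)          # what the victim types into the (possibly proxied) form
    otp_ok = rp.verify_otp(typed_code, counter)   # the relay forwards the same six digits: accepted
    assertion = authenticator_sign(auth_key, victim_page_origin, secrets.token_hex(16))
    webauthn_ok = rp.verify_assertion(assertion)  # relayed unchanged too, but the signed origin gives it away
    return {"otp_accepted": otp_ok, "webauthn_accepted": webauthn_ok}
```

Running `simulate(PHISH_ORIGIN)` shows the OTP accepted and the WebAuthn assertion rejected, which is why phishing-resistant authenticators are the mitigation that matters against this class of kit.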

It is sold by subscription, per service, for periods of 10, 20 or 31 days, with the kit available for $400 per month; it is accessed over the [Tor](https://es.wikipedia.org/wiki/Tor_(anonymous_network)) network once payment has been arranged manually with an operator on Telegram. Attacks against Google accounts, by contrast, cost up to $600 a month.

“After activation, the operator will be asked to provide SSH credentials to further deploy a Docker container and set of scripts,” Resecurity said, adding that the technique mirrors that of another PhaaS service named [Frappo](https://resecurity.com/blog/article/welcome-frappo-the-new-phishing-as-a-service-used-by-cybercriminals-to-attack-customers-of-major-financial-institutions-and-online-retailers) that came to light earlier this year.

While the actors screen prospective customers before selling EvilProxy, the service nonetheless offers a “cost-effective and scalable solution” for carrying out social engineering attacks.

The development is a further indication that sophisticated phishing campaigns targeting users can be orchestrated in a way that can defeat existing security safeguards.

To add to the concerns, the targeting of public code and package repositories such as GitHub, NPM, PyPI, and RubyGems suggests that operators also aim to facilitate supply chain attacks through such operations.

Gaining unauthorized account access and injecting malicious code into projects widely used by trusted developers can be a goldmine for threat actors, significantly amplifying the impact of campaigns.

“Actors are very likely to target software developers and IT engineers to gain access to their repositories, with the ultimate goal of hacking ‘downstream’ targets,” the researchers said.