Phishing as a Service with MFA

A hacking group is getting attention for combining two of the recent attack vectors we have covered on the blog. EvilProxy is in the news for offering Phishing-as-a-Service (PhaaS) along with the ability to bypass Multi-Factor Authentication (MFA). We explored Adversary in the Middle (AiTM) attacks just a couple of weeks ago; now, the method is being offered for a fee to compromise accounts associated with Apple, Facebook, Google, Microsoft, Twitter, and Instagram.

EvilProxy uses a process similar to the one we described in a previous post. The attack starts with a phishing campaign. When the user clicks the link, they are directed to a page that looks like the Microsoft or Google login page being spoofed. The phishing page forwards the credentials to the actual site, such as Microsoft or Google. This is the first place the attack vector differs from a typical phishing attack. By passing the credentials on to the actual site, the phishing page determines whether the username and password are correct and whether the user has MFA enabled for the account. If the username and password check out, the MFA request is transferred back to the user, who answers the security question as they normally would.

The second place these new tactics are different from a typical phishing attack is the capture of cookie data when the MFA request is sent back to the user. This method allows hackers to continue logging into the account without authentication because they captured the login session. This means they can continue to access the email, Facebook page, or Twitter account without triggering an MFA request.
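For defenders, the reuse of a captured session described above can show up in sign-in logs as one session being presented by a different client than the one that completed MFA. The following is an added example, not part of the original post: a small heuristic run over constructed events, where the log schema, field names, and function name are assumptions rather than any real identity provider's format.

```python
# Added example: flag session cookies reused by a different client than the
# one that completed MFA. Schema and field names are assumed, not a real IdP's.

# Constructed sample events; IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2022-09-12T14:01:07Z", "user": "alice@example.com", "session": "s-1001",
     "event": "mfa_success", "ip": "203.0.113.10", "ua": "Chrome/105 Windows"},
    {"ts": "2022-09-12T14:09:30Z", "user": "alice@example.com", "session": "s-1001",
     "event": "access", "ip": "203.0.113.10", "ua": "Chrome/105 Windows"},
    {"ts": "2022-09-12T15:20:00Z", "user": "bob@example.com", "session": "s-2002",
     "event": "mfa_success", "ip": "198.51.100.7", "ua": "Chrome/105 Windows"},
    {"ts": "2022-09-12T15:26:41Z", "user": "bob@example.com", "session": "s-2002",
     "event": "access", "ip": "192.0.2.44", "ua": "Firefox/104 Linux"},
    {"ts": "2022-09-12T16:00:00Z", "user": "carol@example.com", "session": "s-3003",
     "event": "access", "ip": "192.0.2.80", "ua": "Chrome/105 Windows"},
]


def find_suspect_sessions(events):
    """Return one finding per access that does not match the MFA-time client."""
    mfa_client = {}  # session id -> (ip, ua) seen when MFA succeeded
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC sorts as text
        client = (e["ip"], e["ua"])
        if e["event"] == "mfa_success":
            mfa_client[e["session"]] = client
            continue
        if e["event"] != "access":
            continue
        expected = mfa_client.get(e["session"])
        if expected is None:
            # Session used with no MFA event in the window: log gap or replay.
            reason = ["no_mfa_event"]
        else:
            reason = [name for name, old, new in
                      zip(("ip", "ua"), expected, client) if old != new]
        if reason:
            findings.append({"user": e["user"], "session": e["session"],
                             "ts": e["ts"], "changed": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_sessions(SAMPLE_EVENTS):
        print(finding)
```

IP and browser changes also happen for legitimate reasons such as mobile networks and VPNs, so hits from a check like this are leads to triage, not verdicts.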

EvilProxy is monetizing the technique for as little as $400 per month. Research also suggests they are targeting software developers and IT engineers to gain access to more services to expand the list of companies they can attack.


Posted by Charles Wright