A new phishing toolkit called EvilProxy has been identified by security researchers at Resecurity. In a blog post published on Monday, the researchers warned that EvilProxy operators use reverse-proxy and cookie-injection techniques to bypass two-factor authentication (2FA).
According to the report, the toolkit generates phishing URLs that lead to cloned login pages for services including Apple iCloud, Facebook, GoDaddy, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, and Yandex. These pages trick users into interacting with a malicious proxy server that sits between the victim and the genuine website: it relays the victim's traffic to the real service in real time while capturing the password, the two-factor authentication code, and the authenticated session cookie that the service issues once the login succeeds.
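To make the relay concrete, here is an added, self-contained simulation of the two flows described above. It is not EvilProxy's code or Resecurity's; the site, proxy and browser are in-process stand-ins, the origins `login.example.com` and `login.example-secure.net` are assumed, and HMAC-SHA256 replaces the authenticator's real ECDSA signature to keep the block short. The first flow shows why a password plus TOTP is phishable through a reverse proxy (the proxy forwards the one-time code within its validity window and keeps the cookie); the second shows why an origin-bound factor such as WebAuthn is not, because the browser writes the phishing page's origin into the signed client data and the relying party refuses it.

```python
"""Adversary-in-the-middle (AitM) reverse-proxy phishing, simulated in-process.
Constructed example: nothing here is the kit's own code."""
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time
from typing import Optional

REAL_ORIGIN = "https://login.example.com"          # assumed legitimate site
PHISH_ORIGIN = "https://login.example-secure.net"  # assumed look-alike proxy host


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, i.e. the code the victim reads off their phone."""
    counter = int(now if now is not None else time.time()) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Site:
    """Legitimate service: password + TOTP login, then a bearer session cookie."""
    def __init__(self):
        self.totp_secret = b"constructed-seed-for-demo"
        self.users = {"alice": "correct horse battery staple"}
        self.sessions = set()

    def login(self, user: str, password: str, code: str, now: int) -> Optional[str]:
        ok = self.users.get(user) == password and hmac.compare_digest(code, totp(self.totp_secret, now))
        if not ok:
            return None
        cookie = secrets.token_urlsafe(16)
        self.sessions.add(cookie)
        return cookie

    def is_authenticated(self, cookie: str) -> bool:
        return cookie in self.sessions


class AitMProxy:
    """Stand-in for a reverse-proxy kit: forwards what the victim submits to the
    real site and keeps a copy of the credentials and the cookie that comes back."""
    def __init__(self, upstream: Site):
        self.upstream = upstream
        self.captured = {}

    def handle_login(self, user: str, password: str, code: str, now: int) -> Optional[str]:
        cookie = self.upstream.login(user, password, code, now)  # relayed inside the TOTP window
        self.captured = {"user": user, "password": password, "totp": code, "cookie": cookie}
        return cookie  # the victim's browser gets a real session and sees nothing unusual


def totp_flow_is_phishable(now: int = 1_700_000_000) -> bool:
    """Victim logs in through the proxy; attacker replays the stolen cookie upstream."""
    site, proxy = Site(), None
    proxy = AitMProxy(site)
    proxy.handle_login("alice", "correct horse battery staple", totp(site.totp_secret, now), now)
    return site.is_authenticated(proxy.captured["cookie"])


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Toy authenticator: signs authenticatorData || SHA-256(clientDataJSON).
    The browser, not the user, fills in the origin of the page making the request."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # HMAC key stands in for the private key

    def get_assertion(self, page_origin: str, rp_id: str, challenge: bytes) -> dict:
        client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                                  "origin": page_origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x01"
        sig = hmac.new(self.key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class WebAuthnRP:
    """Relying party: verifies challenge, origin, rpIdHash and signature, in that order."""
    def __init__(self, authenticator: Authenticator, origin: str = REAL_ORIGIN, rp_id: str = "login.example.com"):
        self.key, self.origin, self.rp_id = authenticator.key, origin, rp_id

    def verify(self, challenge: bytes, assertion: dict) -> bool:
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
            return False
        if cd.get("origin") != self.origin:  # the check a relaying proxy cannot satisfy
            return False
        if assertion["authenticatorData"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        msg = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        return hmac.compare_digest(hmac.new(self.key, msg, hashlib.sha256).digest(), assertion["signature"])


def webauthn_flow_is_phishable(page_origin: str = PHISH_ORIGIN) -> bool:
    """Proxy relays the RP's challenge to the victim and the assertion back unmodified.
    A real browser would already refuse an rpId that is not a suffix of the page's host;
    the server-side origin check is the backstop this function exercises."""
    auth = Authenticator()
    rp = WebAuthnRP(auth)
    challenge = secrets.token_bytes(32)
    return rp.verify(challenge, auth.get_assertion(page_origin, rp.rp_id, challenge))


if __name__ == "__main__":
    print("TOTP session stolen via proxy:", totp_flow_is_phishable())
    print("WebAuthn assertion accepted via proxy:", webauthn_flow_is_phishable())
    print("WebAuthn assertion accepted from real origin:", webauthn_flow_is_phishable(REAL_ORIGIN))
```

The point for defenders is in the two return values: no amount of proxy cleverness changes the origin the browser signs over, so origin-bound authenticators (FIDO2/WebAuthn, passkeys) defeat this class of kit, while any factor the user can type or approve is relayed as easily as the password.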
Threat actors can obtain access to the kit through the Tor anonymity network for $400 a month, after arranging payment with an operator via Telegram. Access is sold on a subscription basis for periods of 10, 20, or 31 days.
Resecurity noted that EvilProxy operates similarly to another phishing-as-a-service (PhaaS) offering, Frappo, which was also exposed this year. The researchers explain that, after activation, the customer is asked to provide SSH credentials so that a Docker container and a set of scripts can be deployed on their server.
Even though the sellers vet prospective customers before granting access to EvilProxy, the information revealed so far makes clear that the service offers a cheap and scalable way to run social engineering campaigns.
The toolkit is further evidence that cybercriminals keep refining their capabilities to run sophisticated phishing operations that are tailored to individual targets and designed to slip past conventional security controls.
A particular concern is that the operators appear to be seeking to carry out supply chain attacks by targeting publicly accessible code and package repositories, including GitHub, NPM, PyPI, and RubyGems.
By taking over the accounts of trusted developers, threat actors can introduce malicious code into widely used projects and greatly extend the reach of their attacks.
According to the researchers, the attackers may be targeting software developers and IT professionals to gain access to their repositories, with the ultimate goal of compromising "downstream" targets.