PhaaS, EvilProxy, With MFA Bypass Surfaced In Dark Web

A new Phishing-as-a-Service (PhaaS) offering dubbed EvilProxy, identified by Resecurity, is being advertised on the Dark Web, allowing cybercriminals to bypass two-factor authentication. And this revelation is making me nervous:

EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxifying the victim’s session. Previously such methods have been seen in targeted campaigns of APT and cyberespionage groups; however, now these methods have been successfully productized in EvilProxy, which highlights the significance of growth in attacks against online services and MFA authorization mechanisms.

Based on the ongoing investigation surrounding the result of attacks against multiple employees from Fortune 500 companies, Resecurity was able to obtain substantial knowledge about EvilProxy including its structure, modules, functions, and the network infrastructure used to conduct malicious activity. Early occurrences of EvilProxy have been initially identified in connection to attacks against Google and MSFT customers who have MFA enabled on their accounts – either with SMS or Application Token.
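One defender-side check that follows from the relay mechanism described above, as an added example that is not from the article or from Resecurity’s report: a session cookie minted after a proxied MFA login tends to be replayed from a client that differs from the one that completed the login. The log format, session ids, addresses and user agents below are constructed for illustration.

```python
"""Flag session cookies replayed from a different client shortly after MFA.

Added illustration, not the article's or Resecurity's code.  The auth log
format and every value in SAMPLE_LOG are constructed.
"""
import re
from datetime import datetime

# Constructed sample: one line per event, "<ts> <event> sid=<id> ip=<ip> ua=<ua>"
SAMPLE_LOG = """\
2022-09-05T10:00:01 mfa_ok sid=A1 ip=203.0.113.10 ua=Chrome/105
2022-09-05T10:02:30 request sid=A1 ip=198.51.100.7 ua=curl/7.85
2022-09-05T10:05:00 mfa_ok sid=B2 ip=192.0.2.44 ua=Firefox/104
2022-09-05T10:06:10 request sid=B2 ip=192.0.2.44 ua=Firefox/104
2022-09-05T10:07:00 mfa_ok sid=C3 ip=203.0.113.77 ua=Safari/15
2022-09-05T10:09:45 request sid=C3 ip=203.0.113.78 ua=Safari/15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>mfa_ok|request) sid=(?P<sid>\S+) "
    r"ip=(?P<ip>\S+) ua=(?P<ua>.+)$"
)


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_hijacked_sessions(events, window_minutes=30):
    """Return {sid: (login_ip, replay_ip, replay_ua)} for sessions whose cookie
    was used from a different ip AND user agent within the window after MFA.
    An IP change alone is tolerated (mobile clients roam between addresses);
    both changing together right after login is the cookie-replay signal."""
    issued, flagged = {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "mfa_ok":
            issued[e["sid"]] = e  # remember the client that completed MFA
            continue
        origin = issued.get(e["sid"])
        if origin is None:
            continue  # request for a session we never saw issued
        age_min = (e["ts"] - origin["ts"]).total_seconds() / 60
        if age_min <= window_minutes and e["ip"] != origin["ip"] and e["ua"] != origin["ua"]:
            flagged.setdefault(e["sid"], (origin["ip"], e["ip"], e["ua"]))
    return flagged
```

Running `find_hijacked_sessions(parse(SAMPLE_LOG))` flags only `A1`; `C3` changes address but keeps its user agent, so it is tolerated.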

Brian Johnson, Chief Security Officer at Armorblox

“As Phishing-as-a-Service schemes take off in the dark web, it becomes easier for attackers to do very sophisticated campaigns to steal credentials, even while mimicking MFA. Reducing exposure to these involves eliminating targeted credential phishing attacks over email with a modern email security solution. It also needs more user awareness training around verifying 2FA notifications that they receive to ensure that it was generated based on an actual login attempt by them”.

Nick Ascoli, VP of Threat Research, PIXM

Based on what we are seeing in other similar 2-Factor relay attacks, this relay is more sophisticated and fully automated. Seeing these techniques make their way into commodity adversary tooling and marketplaces is going to challenge the security of MFA for virtually all organizations, not just those targeted by the more sophisticated groups and APTs. Without in-browser detection and blocking of this login page, the protection of MFA is in many cases completely nullified.

This is pretty disturbing as MFA is considered to be a great way to protect yourself. As a result of this revelation, businesses may have to rethink how they protect themselves from being pwned as clearly MFA isn’t as good as we thought it was.
