EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web
2022-09-06 03:30

Resecurity has recently identified a new Phishing-as-a-Service called EvilProxy advertised on the dark web.

While the incident with Twilio is solely related to the supply chain, where cybersecurity risks obviously lead to attacks against downstream targets, a productized underground service like EvilProxy enables threat actors to attack users with MFA enabled on the largest scale without the need to hack upstream services.

EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication by proxying the victim's session.

Early occurrences of EvilProxy were identified in connection with attacks against Google and MSFT customers who have MFA enabled on their accounts, either with SMS or Application Token.

EvilProxy also supports GitHub and npmjs, enabling supply chain attacks via advanced phishing campaigns.

While the sale of EvilProxy requires vetting, cybercriminals now have a cost-effective and scalable solution for performing advanced phishing attacks to compromise consumers of popular online services with MFA enabled. The appearance of such services on the dark web will lead to a significant increase in ATO/BEC activity and cyberattacks targeting the identity of end users, where MFA may be easily bypassed with the help of tools like EvilProxy.
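For defenders, the cookie-injection step mentioned above leaves a trace on the service side: a session cookie issued after MFA turns up in a different client. The following is an added detection sketch, not code from Resecurity or the article; the log format, event names and field order are assumptions, and the log lines are constructed.

```python
from typing import NamedTuple

# Constructed sample log (not real data), assumed format:
# timestamp,session_id,event,client_ip,user_agent
SAMPLE_LOG = """\
2022-09-06T10:00:00Z,s-1001,mfa_ok,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Chrome/105
2022-09-06T10:00:05Z,s-1001,request,198.51.100.7,Mozilla/5.0 (Windows NT 10.0) Chrome/105
2022-09-06T10:04:00Z,s-1001,request,203.0.113.50,Mozilla/5.0 (X11; Linux x86_64) Firefox/104
2022-09-06T10:01:00Z,s-2002,mfa_ok,192.0.2.10,Mozilla/5.0 (Macintosh) Safari/15
2022-09-06T10:30:00Z,s-2002,request,192.0.2.99,Mozilla/5.0 (Macintosh) Safari/15
2022-09-06T10:40:00Z,s-3003,request,203.0.113.77,curl/7.85
"""


class Finding(NamedTuple):
    session: str
    reason: str
    ip: str


def parse(log_text):
    """Return [ts, session, event, ip, ua] rows sorted by ISO-8601 timestamp."""
    rows = [line.split(",", 4) for line in log_text.splitlines() if line.strip()]
    return sorted(rows, key=lambda row: row[0])


def find_replayed_sessions(log_text):
    """Flag session cookies used outside the client context that completed MFA."""
    bound = {}  # session id -> (ip, user agent) recorded when MFA succeeded
    findings = []
    for _ts, session, event, ip, ua in parse(log_text):
        if event == "mfa_ok":
            bound[session] = (ip, ua)
        elif session not in bound:
            # Cookie presented with no recorded MFA completion for it.
            findings.append(Finding(session, "no_mfa_binding", ip))
        else:
            b_ip, b_ua = bound[session]
            # An IP change alone is common (mobile roaming); require both to differ.
            if ip != b_ip and ua != b_ua:
                findings.append(Finding(session, "context_changed", ip))
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(finding)
```

This only covers reuse of the cookie from another client; the proxied login itself still reaches the service as a single consistent client.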


News URL

https://www.helpnetsecurity.com/2022/09/06/evilproxy-phishing-as-a-service/