'LockBit of phishing' EvilProxy used in more than a million attacks every month

The developers of EvilProxy - a phishing kit dubbed the "LockBit of phishing" - have produced guides on using legitimate Cloudflare services to disguise malicious traffic.
"In recent months, Proofpoint has observed a significant increase in EvilProxy campaigns that use Cloudflare services to disguise their traffic, which prevents automated sandbox detection and ensures only targeted human users interact with the phishing links to receive the credential phishing landing pages," Blackford explained.
TA577 - which was a primary QBot malware distributor before the FBI-led disruption effort a year ago - used EvilProxy in phishing campaigns earlier this year, according to Blackford.
TA4903 - better known for business email compromise attacks - has used EvilProxy for credential phishing expeditions in pursuit of email inbox access, business email compromise, and follow-on phishing campaigns.
Before launching a full-on phishing campaign, prospective crooks can also test their messages directly from the EvilProxy web interface.
"There has been a significant uptick in the usage of EvilProxy PhaaS in phishing campaigns currently as it has continued to be the most widely used PhaaS platform along with NakedPages, Greatness and Tycoon 2FA PhaaS solutions," Menlo Security threat researcher Ravisankar Ramprasad told The Register.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/07/30/evilproxy_phishing_kit_analysis/