'LockBit of phishing' EvilProxy used in more than a million attacks every month
The developers of EvilProxy - a phishing kit dubbed the "LockBit of phishing" - have produced guides on using legitimate Cloudflare services to disguise malicious traffic.
"In recent months, Proofpoint has observed a significant increase in EvilProxy campaigns that use Cloudflare services to disguise their traffic, which prevents automated sandbox detection and ensures only targeted human users interact with the phishing links to receive the credential phishing landing pages," Blackford explained.
TA577 - which was a primary QBot malware distributor before the FBI-led disruption effort a year ago - used EvilProxy in phishing campaigns earlier this year, according to Blackford.
TA4903 - better known for business email compromise attacks - has used EvilProxy for credential phishing expeditions in pursuit of email inbox access, business email compromise, and follow-on phishing campaigns.
Before launching a full-on phishing campaign, prospective crooks can also test their messages directly from the EvilProxy web interface.
"There has been a significant uptick in the usage of EvilProxy PhaaS in phishing campaigns currently as it has continued to be the most widely used PhaaS platform along with NakedPages, Greatness and Tycoon 2FA PhaaS solutions," Menlo Security threat researcher Ravisankar Ramprasad told The Register.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/07/30/evilproxy_phishing_kit_analysis/