A new phishing-as-a-service offering on the dark web poses a threat to online accounts protected by multi-factor authentication, according to a blog posted Monday by an endpoint security firm.
Called EvilProxy, the service allows threat actors to launch phishing campaigns with the ability to circumvent MFA at scale without having to hack into upstream services, Resecurity researchers noted in the blog post.
The service uses methods favored by APT and cyber espionage groups to compromise MFA-protected accounts. According to the researchers, such attacks have been discovered against Google and Microsoft customers who have enabled MFA on their accounts, either via SMS or app token.
Phishing links produced by EvilProxy lead to cloned web pages designed to compromise accounts associated with a number of services, including Apple iCloud, Facebook, GoDaddy, GitHub, Dropbox, Instagram, NPM, PyPI, RubyGems, Twitter, Yahoo and Yandex.
It is highly likely that threat actors using EvilProxy aim to target software developers and computer engineers to gain access to their repositories with the end goal of hacking “downstream” targets, the researchers wrote.
They explained that these tactics allow cybercriminals to capitalize on end users who assume they are downloading software packages from secure resources and do not expect them to be compromised.
Faster, faster, better
“This incident poses a threat to software supply chains as it targets developers by giving the service’s cybercriminal customers the ability to launch campaigns against GitHub, PyPI and NPM,” said Aviad Gershon, research team leader at Checkmarx, an application security company in Tel Aviv, Israel.
“Just two weeks ago,” he told TechNewsWorld, “we saw the first phishing attack against PyPI contributors, and now we see this service going even further in making those campaigns accessible to less technical operators and adding the ability to bypass multi-factor authentication.”
Checkmarx Supply Chain Security Manager Tzachi Zorenstain added that the nature of supply chain attacks increases the scope and impact of cyberattacks.
“Abuse of the open source ecosystem represents an easy way for attackers to increase the effectiveness of their attacks,” he told TechNewsWorld. “We believe this is the start of a trend that will intensify in the coming months.”
A phishing platform as a service can also increase the effectiveness of attackers. “Because PhaaS can do things at scale, it allows adversaries to be more effective at stealing and impersonating identities,” observed Gene Yoo, CEO of Resecurity.
“Old-fashioned phishing campaigns require money and resources, which can be painful for a person,” he told TechNewsWorld. “PhaaS is just faster, faster, better.”
“It’s something very unique,” he added. “Producing a phishing service on this scale is very rare.”
Alon Nachmany, field CISO at AppViewX, a certificate lifecycle management and network automation company, in New York City, explained that many illegal services, hacks, and malicious intent solutions are products.
“By using a PhaaS solution, malicious actors have less overhead and less to set up to launch an attack,” he told TechNewsWorld.
“Honestly,” he continued, “I’m surprised it’s taken this long to become a thing. There are plenty of marketplaces where you can buy ransomware and tie it to your wallet. Once deployed, you may collect a ransom. The only difference here is that it is fully hosted for the attacker.”
Although phishing is often seen as a low-effort activity in the hacking world, it still requires work, added Monnia Deng, director of product marketing at Bolster, an automated digital risk protection provider in Los Altos, California. Attackers have to do things like set up a phishing site, create an email, create an automated handler and, nowadays, steal 2FA credentials in addition to primary credentials, she explained.
“With PhaaS,” she continued, “everything is nicely packaged on a subscription basis for criminals who don’t need to have experience in hacking or even social engineering. It opens up the field to many other threat actors who seek to exploit organizations for their own gain.”
Bad actors, great software
Resecurity researchers explained that payment for EvilProxy is arranged manually through an operator on Telegram. Once the subscription funds are received, they will be deposited into a customer portal account hosted on TOR. The kit is available for $400 per month.
EvilProxy’s portal contains multiple tutorials and interactive videos on using the service and configuration tips. “To be frank,” the researchers wrote, “the bad actors did a great job in terms of service usability and configurability of new campaigns, traffic flows, and data collection.”
“This attack just shows the maturation of the malicious actor community,” observed George Gerchow, CSO and senior vice president of IT at Sumo Logic, an analytics firm specializing in security, operations and business intelligence, in Redwood City, California.
“They package these kits well with detailed documentation and videos to make things easier,” he told TechNewsWorld.
The service uses the principle of a “reverse proxy,” the researchers note. It works like this: bad actors direct victims to a phishing page, use the reverse proxy to fetch all the legitimate content the user expects to see, and sniff their traffic as it passes through the proxy.
“This attack highlights just how low the barrier to entry is for unsophisticated players,” said Heather Iannucci, CTI analyst at Tanium, maker of an endpoint management and security platform in Kirkland, Washington.
“With EvilProxy, a proxy server sits between the legitimate platform’s server and the phishing page, which steals the victim’s session cookie,” she told TechNewsWorld. “This can then be used by the threat actor to log into the legitimate site as a non-MFA user.”
“Defending against EvilProxy is a challenge because it combines tricking a victim and bypassing MFA,” Yoo added. “The real compromise is invisible to the victim. Everything looks good, but it’s not.”
Nachmany warned that users should be concerned about the effectiveness of MFA that uses text messages or app tokens. “PhaaS is built to use them, and that’s a trend that’s going to grow in our market,” he said.
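The session-cookie theft described above leaves a trace an identity provider can look for: the cookie minted at an MFA login is later presented by a client that is not the one that completed the login. The following detection routine is an added example, not code from Resecurity or from the article; the log format, field names and sample events are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). Session s-111 completes an
# MFA login and is then presented from a different IP and user agent a few minutes later;
# session s-222 is only ever used by the client that logged in.
SAMPLE_EVENTS = """
{"ts": "2022-09-05T09:00:00Z", "event": "login_mfa_ok", "user": "dev1", "session": "s-111", "ip": "203.0.113.10", "ua": "Firefox/104"}
{"ts": "2022-09-05T09:00:30Z", "event": "request", "user": "dev1", "session": "s-111", "ip": "203.0.113.10", "ua": "Firefox/104"}
{"ts": "2022-09-05T09:04:00Z", "event": "request", "user": "dev1", "session": "s-111", "ip": "198.51.100.77", "ua": "curl/7.85"}
{"ts": "2022-09-05T10:00:00Z", "event": "login_mfa_ok", "user": "dev2", "session": "s-222", "ip": "192.0.2.5", "ua": "Chrome/105"}
{"ts": "2022-09-05T10:10:00Z", "event": "request", "user": "dev2", "session": "s-222", "ip": "192.0.2.5", "ua": "Chrome/105"}
"""


def parse_events(text):
    """Parse one JSON object per line and return the events in time order."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(events, window=timedelta(minutes=30)):
    """Return one alert per (session, client) pair where a session cookie is presented
    by a client whose IP or user agent differs from the client that completed the MFA
    login, within `window` of that login."""
    login_client = {}  # session id -> (login time, ip, user agent)
    seen = set()
    alerts = []
    for e in events:
        sid = e["session"]
        if e["event"] == "login_mfa_ok":
            login_client[sid] = (e["ts"], e["ip"], e["ua"])
            continue
        if sid not in login_client:
            continue  # no login on record for this cookie; out of scope here
        login_ts, ip, ua = login_client[sid]
        changed = e["ip"] != ip or e["ua"] != ua
        key = (sid, e["ip"], e["ua"])
        if changed and e["ts"] - login_ts <= window and key not in seen:
            seen.add(key)
            alerts.append({
                "session": sid,
                "user": e["user"],
                "login_ip": ip,
                "login_ua": ua,
                "ip": e["ip"],
                "ua": e["ua"],
                "minutes_after_login": (e["ts"] - login_ts).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

One caveat worth keeping in mind when tuning this: because the victim's login itself travels through the phishing proxy, the IP recorded at `login_mfa_ok` is the proxy's, not the victim's. The check above still fires when the stolen cookie is later used from other infrastructure, but a login from an address or device the user has never used before is a separate signal worth raising on its own.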
“Using certificates as an additional factor is one that I expect to be used more and more, soon,” he added.
Although users should be careful when using MFA, it’s still an effective mitigation against phishing, said Patrick Harr, CEO of SlashNext, a network security company in Pleasanton, Calif.
“It increases the difficulty of exploiting compromised credentials to breach an organization, but it’s not foolproof,” he said. “If a link leads the user to a fake replica of a legitimate site – a site that is almost impossible to recognize as not legitimate – then the user may be the victim of an adversary-in-the-middle attack, such as the one used by EvilProxy.”
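The contrast Nachmany and Harr draw, between SMS or app-token codes that a proxy can relay and factors that are bound to the site the browser is actually talking to, is easiest to see in a small simulation. The following is an added example, not code from the article or from any vendor quoted in it. It models the identity provider, a user's authenticator and the relay as plain function calls; the domain names are constructed, and a shared HMAC key stands in for the asymmetric credential a real WebAuthn authenticator would use so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://accounts.example.com"         # assumed legitimate site
PHISH_ORIGIN = "https://accounts.example-login.net"   # constructed look-alike origin


class RelyingParty:
    """Toy identity provider that accepts either a one-time code or an origin-bound assertion."""

    def __init__(self, origin):
        self.origin = origin
        self.otp_store = {}    # user -> current one-time code
        self.cred_keys = {}    # user -> authenticator key (toy stand-in for a public key)
        self.challenges = {}   # user -> outstanding challenge

    def register_origin_bound(self, user):
        key = secrets.token_bytes(32)
        self.cred_keys[user] = key
        return key

    def send_otp(self, user):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otp_store[user] = otp
        return otp

    def verify_otp(self, user, otp):
        # Nothing in a six-digit code says which page the user typed it into.
        return hmac.compare_digest(self.otp_store.get(user, ""), otp)

    def new_challenge(self, user):
        challenge = secrets.token_hex(16)
        self.challenges[user] = challenge
        return challenge

    def verify_assertion(self, user, assertion):
        client_data = assertion["client_data"]
        # The origin recorded by the browser must be this site, not whatever page relayed the challenge.
        if client_data["origin"] != self.origin:
            return False
        if client_data["challenge"] != self.challenges.get(user):
            return False
        expected = hmac.new(self.cred_keys[user], canonical(client_data), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])


def canonical(client_data):
    return json.dumps(client_data, sort_keys=True).encode()


class Authenticator:
    """Toy origin-bound authenticator: signs the challenge together with the origin of the
    page that requested it, as observed by the browser (the WebAuthn clientData idea)."""

    def __init__(self, key):
        self.key = key

    def make_assertion(self, challenge, page_origin):
        client_data = {"challenge": challenge, "origin": page_origin}
        sig = hmac.new(self.key, canonical(client_data), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "sig": sig}


def otp_relayed_through_proxy(rp, user):
    """User is on the look-alike page; the proxy forwards the code the user types."""
    otp = rp.send_otp(user)          # code arrives on the user's phone
    forwarded_by_proxy = otp         # user types it into the page in front of them; proxy passes it on
    return rp.verify_otp(user, forwarded_by_proxy)


def origin_bound_relayed_through_proxy(rp, user, auth):
    """Same relay, but the browser is on PHISH_ORIGIN and the authenticator records that fact."""
    challenge = rp.new_challenge(user)                 # proxy fetches the real challenge and relays it
    assertion = auth.make_assertion(challenge, PHISH_ORIGIN)
    return rp.verify_assertion(user, assertion)


def origin_bound_direct(rp, user, auth):
    """The legitimate flow: browser is on LEGIT_ORIGIN."""
    challenge = rp.new_challenge(user)
    return rp.verify_assertion(user, auth.make_assertion(challenge, LEGIT_ORIGIN))


def demo(user="dev1"):
    rp = RelyingParty(LEGIT_ORIGIN)
    auth = Authenticator(rp.register_origin_bound(user))
    return {
        "otp_via_proxy": otp_relayed_through_proxy(rp, user),
        "bound_via_proxy": origin_bound_relayed_through_proxy(rp, user, auth),
        "bound_direct": origin_bound_direct(rp, user, auth),
    }


if __name__ == "__main__":
    print(demo())
```

The relayed code is accepted because the identity provider has no way to tell which page it was typed into, while the relayed assertion is rejected because the origin the browser saw is part of what the authenticator signs. Client certificates, which Nachmany mentions, get the same property a different way: the proxy terminates the victim's TLS connection and cannot present the victim's certificate and private key on its own connection to the real site.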