Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives
Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies.
According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations worldwide between March and June 2023.
Nearly 39% of the hundreds of compromised users are said to be C-level executives, including CEOs (9%) and CFOs (17%). The attacks have also singled out personnel with access to financial assets or sensitive information. At least 35% of all compromised users had additional account protections enabled.
The campaigns are seen as a response to the increased adoption of multi-factor authentication (MFA) in enterprises, prompting threat actors to evolve their tactics to bypass new security layers by incorporating adversary-in-the-middle (AitM) phishing kits to siphon credentials, session cookies, and one-time passwords.
"Attackers use new advanced automation to accurately determine in real-time whether a phished user is a high-level profile, and immediately obtain access to the account, while ignoring less lucrative phished profiles," the enterprise security firm said.
EvilProxy was first documented by Resecurity in September 2022, detailing its ability to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others.
It's sold as a subscription for $400 a month, a figure that can climb up to $600 for Google accounts.
PhaaS toolkits are an evolution of the cybercrime economy, lowering the barrier for criminals with lower technical skills to carry out sophisticated phishing attacks at scale in a seamless and cost-effective manner.
"Nowadays, all an attacker needs is to set up a campaign using a point-and-click interface with customizable options, such as bot detection, proxy detection, and geofencing," security researchers Shachar Gritzman, Moshe Avraham, Tim Kromphardt, Jake Gionet, and Eilon Bendet said.
"This relatively simple and low-cost interface has opened a floodgate of successful MFA phishing activity."
The latest wave of attacks commences with phishing emails that masquerade as trusted services like Adobe and DocuSign to trick recipients into clicking on malicious URLs that activate a multi-stage redirection chain to take them to a lookalike Microsoft 365 login page, which functions as a reverse proxy to stealthily capture the information entered in the form.
But in a curious twist, the attacks deliberately skip user traffic originating from Turkish IP addresses by redirecting them to legitimate websites, indicating that the campaign operators could be based out of the country.
A successful account takeover is followed by the threat actor taking steps to "cement their foothold" in the organization's cloud environment by adding their own MFA method, such as a two-factor authenticator app, so as to obtain persistent remote access and conduct lateral movement and malware proliferation.
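One defensive check that follows from the persistence step just described (an added example, not part of the original article or Proofpoint's research): correlate a sign-in from an IP address never previously seen for a user with a new MFA method registered on that account shortly afterwards. The simplified event schema, field names and sample records below are constructed assumptions, not a real Microsoft 365 audit log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified audit schema (not real log output).
# The first pair mimics the EvilProxy pattern: sign-in from an unfamiliar IP, then a new
# authenticator registered a few minutes later. The second pair is routine admin activity.
EVENTS = [
    {"ts": "2023-05-02T08:01:10", "user": "cfo@example.com", "op": "SignIn",
     "ip": "203.0.113.7"},
    {"ts": "2023-05-02T08:04:30", "user": "cfo@example.com", "op": "MfaMethodAdded",
     "ip": "203.0.113.7", "method": "Authenticator App"},
    {"ts": "2023-05-02T09:15:00", "user": "analyst@example.com", "op": "SignIn",
     "ip": "198.51.100.4"},
    {"ts": "2023-05-03T11:00:00", "user": "analyst@example.com", "op": "MfaMethodAdded",
     "ip": "198.51.100.4", "method": "Phone"},
]

# Constructed baseline of IPs each user has signed in from before (assumed to come from
# a longer historical window in a real deployment).
KNOWN_IPS = {
    "cfo@example.com": {"192.0.2.10"},
    "analyst@example.com": {"198.51.100.4"},
}

WINDOW = timedelta(hours=1)


def flag_mfa_persistence(events, known_ips, window=WINDOW):
    """Return (user, ip, method, minutes_after_signin) for every MFA method
    registration that follows, within `window`, a sign-in from an IP address
    not in that user's baseline. Events may arrive unordered."""
    signins = {}  # user -> list of (timestamp, ip)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["op"] == "SignIn":
            signins.setdefault(ev["user"], []).append((t, ev["ip"]))
        elif ev["op"] == "MfaMethodAdded":
            baseline = known_ips.get(ev["user"], set())
            for st, ip in signins.get(ev["user"], []):
                # Only a preceding sign-in, inside the window, from a non-baseline IP counts.
                if timedelta(0) <= t - st <= window and ip not in baseline:
                    minutes = int((t - st).total_seconds() // 60)
                    hits.append((ev["user"], ip, ev["method"], minutes))
                    break
    return hits


if __name__ == "__main__":
    for hit in flag_mfa_persistence(EVENTS, KNOWN_IPS):
        print("review MFA registration:", hit)
```

In production the baseline would be built from weeks of sign-in history, and the sign-in's own MFA status and the registration's source IP are worth carrying into the alert as well.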
The access is further monetized to either conduct financial fraud, exfiltrate confidential data, or sell the compromised user accounts to other attackers.
"Reverse proxy threats (and EvilProxy in particular) are a potent threat in today's dynamic landscape and are outcompeting the less capable phish kits of the past," the researchers said, pointing out that "not even MFA is a silver bullet against sophisticated cloud-based threats."
"Although these attacks' initial threat vector is email-based, their final goal is to compromise and exploit valuable cloud user accounts, assets, and data."
The development comes as Imperva revealed details of an ongoing Russian-origin phishing campaign that, since at least May 2022, has sought to deceive potential targets and steal their credit card and bank information via booby-trapped links shared in WhatsApp messages.
The activity spans 800 different scam domains, impersonating more than 340 companies across 48 languages. This comprises well-known banks, postal services, package delivery services, social media, and e-commerce sites.
"By leveraging a high-quality, single-page application, the scammers were able to dynamically create a convincing website that impersonated a legitimate site, fooling users into a false sense of security," Imperva said.
In yet another variation of a social engineering attack identified by eSentire, malicious actors have been observed contacting marketing professionals on LinkedIn in an attempt to distribute a .NET-based loader malware codenamed HawkEyes that, in turn, is used to launch Ducktail, an information stealer with a particular focus on gathering Facebook Business account information.
"Ducktail is known to target Facebook Ad and Business accounts," eSentire researchers said. "Operators will use stolen login data to add email addresses to Facebook Business accounts. When emails are added, a registration link is generated by which the threat actor can grant themselves access."