EvilProxy – Phishing-As-A-Service Advertise Via Darkweb to Bypass 2FA

Recently, a PaaS (Phishing-as-a-Service) platform called EvilProxy that offers reverse-proxy services has emerged on the market and was identified by the Resecurity security firm.

By exploiting this new emerging service the threat actors can bypass the MFA on the following platforms with the help of stolen authentication tokens:-

EHA
  • Apple
  • Google
  • Facebook
  • Microsoft
  • Twitter
  • GitHub
  • GoDaddy
  • PyPI

Technical Analysis

Online accounts that are well-protected can be accessed by novice threat actors using this service. During reverse proxy attacks, servers are positioned between a legitimate authentication endpoint and the targeted victim.

Reverse proxy servers display the authentic login forms in response to phishing attacks, forward requests, and return responses from the company’s servers when a victim connects to a phishing page.

According to the report, The victim will then be redirected to the actual platform’s server when they enter their credentials and MFA on the phishing page. After logging in, a session cookie is returned and the user is able to access the account. 

In this way, the threat actor gets the ability to log in to the site with the identity of the user by using this authentication cookie. The purpose of this is to bypass the multifactor authentication protections that are configured.

In some cases, actors are using their own custom tools that are tailored to their needs. As for the rest of them, they are using kits that can be deployed much more quickly, such as:-

  • Modlishka
  • Necrobrowser
  • Evilginx2

EvilProxy

In addition to offering a highly user-friendly GUI, EvilProxy also offers a range of features that assist threat actors in setting up and managing phishing campaigns and their detailed techniques.

In order to take advantage of the service, the user will have to pay the following prices for the opportunity to steal usernames, passwords, and session cookies. Here below we have mentioned the price list:-

  • $150: 10 days
  • $250: 20 days
  • $400: Month-long campaign

As for the costs associated with the attacks against Google accounts, they were higher, and here we have listed the price below:-

  • $250
  • $450
  • $600

On various clearnet and dark web hacking forums, the operators are actively promoting this service to potential customers. It is likely that some of the prospective buyers will be rejected by the operators because they vet the clients.

There is an individual payment arrangement for the service on Telegram that must be made in advance. The customer will have access to the TOR hosted portal after making a payment through the payment gateway.

There are several tutorials and interactive videos on the portal of EvilProxy that cover a wide range of topics regarding the setup and use of the EvilProxy service.

By using platforms such as EvilProxy and other similar platforms, low-skilled threat actors are able to steal valuable accounts with a cost-efficient method. This is a good example of bridging the skills gap through services like this.

Download Free SWG – Secure Web Filtering – E-book

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.