
Threat Actors Using PhaaS Toolkit EvilProxy for Account Takeover Attacks on Executives Worldwide

There has been a recent surge in sophisticated cyber attacks targeting high-ranking business executives, with the primary tool of choice being a phishing-as-a-service (PhaaS) toolkit known as EvilProxy. This toolkit enables a new generation of threat actors to conduct successful account takeover attacks, bypassing security measures and causing significant disruption.

According to the cybersecurity firm Proofpoint, a hybrid campaign using EvilProxy sent upwards of 120,000 phishing emails to hundreds of companies worldwide from March through June 2023. Disturbingly, nearly 39% of the compromised victims were C-suite executives, including CFOs (17%) and CEOs (9%), underscoring the severity of this threat.

As more and more organizations adopt multi-factor authentication (MFA), a layer of protection designed to secure user accounts, cybercriminals are evolving their tactics accordingly. They are adopting adversary-in-the-middle (AitM) phishing kits, a more sophisticated approach capable of siphoning off credentials, session cookies, and one-time passwords, and thereby bypassing MFA.

Earlier research from Resecurity showed that EvilProxy was first detected in September 2022. It demonstrated a remarkable ability to compromise user accounts on many popular online services, including Google, Microsoft, Instagram, Dropbox, GoDaddy, and others. The service is offered for about $400 a month, rising to $600 for Google accounts.

EvilProxy, and PhaaS toolkits like it, are scaling a new frontier in the digital underworld. They present a turnkey solution for budding cybercriminals with limited technical skills to launch sophisticated large-scale phishing campaigns. The toolkits offer customizable elements such as geofencing, proxy detection, and bot detection through an easy-to-use point-and-click interface.

Attackers using these methods start their campaign with emails resembling trusted services like Adobe and DocuSign, guiding unsuspecting recipients through a multi-step redirection chain targeting Microsoft 365 user accounts. The final stop is a reverse proxy that sits between the victim and the genuine login page, relaying the session while capturing every credential the victim enters.

Notably, traffic from Turkish IP addresses is redirected to legitimate websites, a possible indication that the operators are located in Turkey.

Upon gaining unauthorized access, the attackers entrench themselves in the breached company's cloud environment by adding their own MFA method, such as a two-factor authenticator app. This gives them persistent remote access and lets them distribute malware within the network with ease. They may later use this access to carry out financial fraud or confidential data exfiltration, or sell the compromised accounts to other attackers.
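The two behaviours described above, a stolen session cookie being replayed from a second IP address and a new MFA method being registered shortly after a sign-in from an unfamiliar address, are both visible in cloud sign-in and audit logs. The following is an added detection example written for this article; it is not code from Proofpoint, Resecurity, or the EvilProxy campaign, and it runs over constructed, simplified JSON log lines rather than a real Microsoft 365 export. The field names (`session`, `mfa`, `action`) and the `KNOWN_IPS` baseline are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (simplified; not a real Entra ID / M365 export).
# The "cfo" session S1 is opened with MFA from one IP and then reused four
# minutes later from a second IP without MFA (cookie replay), followed by a
# new authenticator app registration. "alice" is benign: known IP throughout.
SAMPLE_LOGS = """
{"type": "signin", "user": "cfo@example.com", "ip": "203.0.113.10", "ts": "2023-05-02T09:00:00Z", "session": "S1", "mfa": true}
{"type": "signin", "user": "cfo@example.com", "ip": "198.51.100.7", "ts": "2023-05-02T09:04:00Z", "session": "S1", "mfa": false}
{"type": "audit", "user": "cfo@example.com", "ip": "198.51.100.7", "ts": "2023-05-02T09:12:00Z", "action": "mfa_method_registered", "method": "authenticatorApp"}
{"type": "signin", "user": "alice@example.com", "ip": "192.0.2.5", "ts": "2023-05-02T10:00:00Z", "session": "S2", "mfa": true}
{"type": "audit", "user": "alice@example.com", "ip": "192.0.2.5", "ts": "2023-05-02T10:30:00Z", "action": "mfa_method_registered", "method": "authenticatorApp"}
"""

# Assumed per-user baseline of IP addresses previously seen for each account.
KNOWN_IPS = {
    "cfo@example.com": {"192.0.2.44"},
    "alice@example.com": {"192.0.2.5"},
}


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_session_replay(events):
    """Flag any session identifier that was presented from more than one IP.

    A session cookie captured by an AitM proxy and replayed from the attacker's
    own machine shows up as one session id used from two different addresses.
    """
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for ev in events:
        if ev["type"] == "signin":
            ips_by_session[ev["session"]].add(ev["ip"])
            user_by_session[ev["session"]] = ev["user"]
    return [
        {"rule": "session_replay", "user": user_by_session[s],
         "session": s, "ips": sorted(ips)}
        for s, ips in ips_by_session.items() if len(ips) > 1
    ]


def find_suspicious_mfa_enrollment(events, known_ips, window=timedelta(minutes=60)):
    """Flag MFA method registrations that follow a sign-in from an unknown IP.

    Attackers who take over an account typically add their own authenticator
    within minutes; a registration whose most recent sign-in came from an IP
    never seen for that user is worth an analyst's attention.
    """
    alerts = []
    last_signin = {}
    for ev in events:
        if ev["type"] == "signin":
            last_signin[ev["user"]] = ev
        elif ev["type"] == "audit" and ev.get("action") == "mfa_method_registered":
            prior = last_signin.get(ev["user"])
            if prior is None:
                continue
            from_new_ip = prior["ip"] not in known_ips.get(ev["user"], set())
            if from_new_ip and ev["ts"] - prior["ts"] <= window:
                alerts.append({
                    "rule": "mfa_enrollment_after_new_ip_signin",
                    "user": ev["user"], "ip": prior["ip"],
                    "method": ev.get("method"), "ts": ev["ts"].isoformat(),
                })
    return alerts


def run_detections(text, known_ips):
    """Run both rules over a log text and return the combined alert list."""
    events = parse_events(text)
    return find_session_replay(events) + find_suspicious_mfa_enrollment(events, known_ips)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS, KNOWN_IPS):
        print(alert)
```

Against the constructed sample this raises exactly two alerts, both for the `cfo` account: the S1 session seen from two IPs, and the authenticator registration that followed a sign-in from an address outside the user's baseline. The benign `alice` registration is not flagged because her sign-in came from a known IP. In production the baseline would come from weeks of historical sign-in data, and the session rule would usually be narrowed to IP pairs in different countries or ASNs to reduce noise from mobile users.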

Recent analysis has underscored that not even the deployment of MFA provides absolute security against dynamic, cloud-based threats like EvilProxy. At the same time, the scope of the threat extends beyond professional e-mail: the operators are also active on social media, targeting potential victims through platforms like LinkedIn.

In conclusion, it is important for companies to recognize how pervasive these threats are. Understanding them is the first step towards building a robust defense against increasingly sophisticated cyber attacks.

At Darksteel Technologies, an Orlando-based business, we can handle all aspects of your IT security: compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design and any other information security requirement your business has. We focus on your cybersecurity so you don't have to.
