The developers of EvilProxy, a phishing kit nicknamed the “LockBit of phishing,” have created a guide for using the legitimate Cloudflare service to disguise malicious traffic, adding to a growing arsenal of tools that criminals with no real technical expertise can use to get into the digital theft business.
EvilProxy is a reverse proxy phishing kit sold on dark web marketplaces, a model known as “Phishing as a Service” (PhaaS). The tool has been helping criminals launch attacks since at least mid-2022, reports Resecurity, which was one of the first threat hunters to discover the kit being sold on dark web marketplaces.
Daniel Blackford, director of threat research at the email security firm, said Proofpoint sees about 1 million EvilProxy threats each month.
“The EvilProxy service makes it extremely easy to sign up for the service and set up a phishing campaign,” Blackford said.
Those who run EvilProxy provide a Telegram channel where they publish customer support information, YouTube videos on how to use the service, and other guides on how users can launch attacks and disguise criminal activity.
“In recent months, Proofpoint has seen a significant increase in EvilProxy campaigns using Cloudflare services to disguise traffic, thwarting automated sandbox detection and ensuring that only targeted human users visit the phishing link and receive the credential phishing landing page,” Blackford explains. “The use of Cloudflare filtering is one of the guidelines provided by EvilProxy.”
Last Northern Hemisphere summer, Proofpoint warned about an ongoing campaign using EvilProxy to send approximately 120,000 fraudulent emails to “hundreds” of organizations around the world between March and June 2023. The messages were targeted at C-Suite executives, whose stolen credentials could potentially gain access to more lucrative targets.
Anatomy of an attack
Here’s how these attacks work:
The attacks start with phishing emails that appear to be from trusted services like Cloudflare, Adobe, DocuSign, etc. These messages contain links that redirect users to legitimate websites like YouTube or SlickDeals. During this step, the attackers encode the username in the URL.
The user is then sent through several other websites, again to hide the traffic and make the malicious activity harder to detect. These include attacker-controlled redirection sites, among them hijacked legitimate websites stuffed with PHP code that decodes the email address embedded in the URL.
Eventually, the user is redirected to the real phishing website that mimics the victim organization’s Microsoft login page. This is deployed using the EvilProxy phishing framework that is capable of dynamically fetching content from the real login site and acts as a reverse proxy to send the victim to the real website. This allows the criminals to intercept server requests and responses, enabling a man-in-the-middle attack scenario.
An attacker can steal session cookies and MFA tokens to sign in to legitimate Microsoft accounts.
TA4903 and TA577 join the fishing expedition
“While most EvilProxy campaigns have not been attributed to tracked threat actors, Proofpoint has recently observed at least two notable threat actors employing the use of EvilProxy: TA4903 and TA577,” Blackford wrote.
According to Blackford, TA577, which was the primary distributor of the QBot malware prior to the FBI-led disruption effort a year ago, used EvilProxy in a phishing campaign earlier this year, which he called “remarkable” since this particular threat group typically conducts malware campaigns.
Similarly, TA4903, well known for its business email compromise (BEC) attacks, has used EvilProxy for credential phishing to gain access to email inboxes, conduct BEC, and launch subsequent phishing campaigns.
In fact, a Proofpoint report found that 73% of organizations experienced a BEC attack after a successful phishing attempt in 2023. And 32% of these phishing emails led to a subsequent ransomware infection.
Menlo Security found last summer that attacks using EvilProxy carried out between July and August 2023 primarily targeted senior executives at banking and financial services companies, insurance companies, manufacturers, property management companies, and real estate companies.
Since then, the criminals behind EvilProxy have improved their phishing service with better bot detection and a new Bot Guard feature. The kit’s developers also allow users to add their own bots and Telegram chats or groups. Before launching a full-scale phishing campaign, would-be criminals can also test their messages directly through EvilProxy’s web interface.
“We are currently seeing a significant increase in the use of EvilProxy PhaaS in phishing campaigns and it continues to be the most widely used PhaaS platform, along with NakedPages, Greatness and Tycoon 2FA PhaaS solutions,” said Ravisankar Ramprasad, threat researcher at Menlo Security.
“Over the past seven days, we have observed an active campaign in which adversaries are leveraging www.scienceopen[.]com, a popular site for accessing scientific research and journals, to redirect victims to fake phishing pages.” Ramprasad added that new subdomains seen across the campaigns are “0nline,” “l1ve,” “0ffice,” “rfp,” and “rfq,” while older subdomains such as “lmo” continue to be seen.
According to Proofpoint and Menlo, the rise of EvilProxy and similar phishing kits indicates that network defenders need to use phishing-resistant MFA, such as FIDO-based physical security keys, as well as cloud security tools that detect initial account compromise and post-compromise activity.
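The man-in-the-middle chain described in the anatomy section works against passwords and one-time codes because a relayed code is valid no matter which domain the victim typed it into. FIDO/WebAuthn assertions are different: the browser records the origin of the page that requested the assertion, and the authenticator signs a hash of the relying party ID, so the real login site can reject an assertion produced on a look-alike domain. The following Python is an added example written to illustrate that check; it is not code from the article or from any vendor named in it. The domain names are constructed, the random challenge stands in for the server's real nonce, and the public-key signature verification a real relying party performs is omitted so the origin and rpIdHash steps stand out.

```python
"""Illustrates why FIDO/WebAuthn resists reverse-proxy phishing.

Constructed example: the relying party (RP) checks the origin the browser wrote
into clientDataJSON and the rpIdHash the authenticator signed. An assertion
generated while the victim's browser is on a proxy's look-alike domain fails both.
"""
import base64
import hashlib
import json
import os

RP_ORIGIN = "https://login.example.com"   # legitimate login site (hypothetical)
RP_ID = "login.example.com"

# Look-alike domain standing in for a reverse-proxy phishing page (constructed).
PROXY_ORIGIN = "https://login.example-secure.net"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """Simulate the clientDataJSON a browser builds for navigator.credentials.get().

    The browser, not the page's JavaScript, fills in "origin": it is the origin of
    the document that called the API. A page relayed through a proxy on
    PROXY_ORIGIN therefore carries PROXY_ORIGIN here, whatever the page claims.
    """
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()


def authenticator_data_for(rp_id: str) -> bytes:
    """Simulate the fixed prefix of authenticatorData: rpIdHash (32 bytes),
    flags (1 byte, UP set) and signCount (4 bytes). The real authenticator signs
    authenticatorData || SHA-256(clientDataJSON), which is what stops a proxy
    from simply rewriting the origin field; that signature is not modelled here."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: str):
    """Origin, challenge and rpIdHash checks from the WebAuthn assertion
    verification procedure. Returns (accepted, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: assertion came from {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another site"
    return True, "accepted"


def login_attempt(page_origin: str):
    """End-to-end simulation: the RP issues a challenge, the browser sitting on
    page_origin answers it, and the RP verifies the result."""
    challenge = b64url(os.urandom(32))          # server-side nonce (constructed)
    cdj = browser_client_data(page_origin, challenge)
    auth = authenticator_data_for(RP_ID)
    return verify_assertion(cdj, auth, challenge)


if __name__ == "__main__":
    print("direct login:", login_attempt(RP_ORIGIN))   # accepted
    print("via proxy:   ", login_attempt(PROXY_ORIGIN)) # origin mismatch
```

In practice the failure happens even earlier than this check: a page served from the proxy's domain cannot ask the browser for a credential scoped to `login.example.com`, because the browser only permits an RP ID that is a registrable suffix of the page's own domain. The server-side check above is the backstop that matters when an attacker controls everything except the browser and the security key.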
Additionally, user awareness and ongoing employee training are always important to protect against phishing and other threats.®