EvilProxy Phishing Toolkit Spotted on Dark Web Forums
EvilProxy, a new phishing-as-a-service offering, has been identified for sale on dark web forums. The phishing tool is also known as Moloch. Security researchers at Resecurity were the first to identify the malicious tool for sale online. According to an advisory published by Resecurity, EvilProxy threat actors are reportedly using reverse proxy and cookie injection methods to bypass two-factor authentication. The advisory warns that similar methods have previously been observed in targeted campaigns by advanced persistent threat actors and cyber espionage groups.
This time, the same methods have been productized in the EvilProxy tool, which could mean that threat actors are increasingly interested in breaching multi-factor authentication (MFA) mechanisms. Based on an ongoing investigation into attacks against employees of Fortune 500 companies, Resecurity was able to obtain information about the tool, including its structure, modules, functions, and network. Early instances of EvilProxy use were connected to attacks against customers of Microsoft and Google who use MFA on their accounts, either by SMS or authorization tokens. The malware was first identified in May 2022 and could be used to compromise user accounts on Apple, Twitter, Facebook, Google, Instagram, Microsoft, and other platforms.