A phishing-as-a-service offering being sold on the Dark Web uses a tactic that can turn a user session into a proxy to bypass two-factor authentication (2FA), researchers have found.

The service, widely called EvilProxy, uses reverse proxy and cookie-injection methods to give threat actors a way around 2FA "on the largest scale, without the need to hack upstream services," researchers from Resecurity said in a report published Monday. The principle is actually fairly simple, they added: After victims are lured to a phishing page, threat actors use a reverse proxy to fetch all the legitimate content users expect to see — including login pages — and then sniff victims' traffic as it passes through the proxy.

"This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords, and/or 2FA tokens," researchers wrote.

At the same time, the approach gives cybercriminals ways to attack developers to facilitate supply chain attacks that affect customers downstream, they said.

In recent attacks, EvilProxy is being used to target consumer accounts belonging to top tech power players such as Apple, Dropbox, Facebook, GoDaddy, Google, Instagram, Microsoft, Twitter, and Yahoo.

EvilProxy: An Evolution

EvilProxy represents an evolution in phishing strategies, according to the report, given that reverse-proxy approaches are most commonly seen in advanced persistent threat (APT) and cyber-espionage activity. Now, the service makes this capability widely available to the cybercriminal marketplace, researchers said.

Some sources refer to the EvilProxy service as "Moloch," which is connected to a previously developed phishing kit that targeted the financial institutions and e-commerce sector, researchers said.

However, EvilProxy has different victims in mind, according to a demonstration video its actors released in May. Google and Microsoft accounts, in particular, appear to be the primary targets of EvilProxy threat actors.

Acquiring the Service

Cybercriminals can buy EvilProxy on a subscription basis based on the online service they plan to target — such as Facebook or LinkedIn — after which it is activated for a specific period of time, depending on the plan description, researchers said. Plan options include 10, 20, or 31 days, according to listings for the service on multiple Dark Web hacker forums, they said.

One of EvilProxy's key actors goes by the handle "John_Malkovich" and acts as an administrator to vet new customers on major underground communities, including XSS, Exploit, and Breached, researchers said.

Cybercriminals can pay for EvilProxy via an operator on Telegram in a manual arrangement that deposits the funds received to an account in a customer portal hosted in TOR. The service also is available on the Dark Web hosted on the TOR network, with a kit available for $400 per month.

The home portal of the EvilProxy service makes it easy for those who purchase it to get on with their phishing campaigns, providing multiple tutorials and interactive videos regarding the use of the service and configuration tips, researchers said.

"Being frank, the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection," they acknowledged.

Once the service is activated, an operator must provide SSH credentials to further deploy a Docker container and a set of scripts that, after successful activation, will forward the traffic from the victims via two gateways defined as "upstream."

As is common in phishing campaigns, attackers register domain names that appear similar in spelling to related online services to mask them for use used in phishing campaigns, researchers noted.

Connections to Recent Supply Chain Cyberattacks

EvilProxy is notable also for its connections to recent threat activity — the first known phishing attack on users of the Python Package Index (PyPI), the official repository for the Python language, and a supply chain attack related to a credential breach at Twilio, researchers said.

Regarding the former, EvilProxy supports attacks against PyPI with the inclusion of a payload called JuiceStealer to the service, researchers said. The info-stealing malware was used in the PyPI phishing attack, and suspiciously added to EvilProxy just before that attack happened, researchers said.

EvilProxy also supports attacks on GitHub and the widely used JavaScript package manager NPJMS. This enables the service to deliver advanced phishing campaigns for supply chain attacks by targeting software developers and IT engineers, who may inadvertently add compromised code to applications and widen the spread of the attack without end users suspecting a thing, researchers said.

Indeed, the Twilio attack was a reminder of what can happen when enterprises are caught unawares, noted one security professional. In that attack, threat actors used phished Okta credentials to gain access to internal systems, applications, and customer data, affecting about 25 downstream organizations that use Twilio's phone verification and other services.

"Too many organizations assume that strong authentication is enough to protect their internal assets and data," Ronen Slavin, co-founder and CTO of Cycode, a software supply chain security solution provider, tells Dark Reading. "As a result of this mindset, most organizations over-credential their developers and expose way too many hard-coded secrets in places like repos, build logs, containers, and more."

With phishing attacks getting more advanced in both their methods to bypass security protections and target developers, enterprises need to be more wary of who within the organization has advanced access to systems, he adds.

"The key learning from this attack is to assume that developer accounts are compromised and that insiders could be malicious," Slavin says.