Heard yesterday:
‘In your face, cyber-criminals – we have multi-factor authentication (MFA) and you are locked out of our systems.’
Heard today:
‘Er, Boss, an unknown individual has signed into our Microsoft 365 environment and bypassed MFA – and I can’t understand why.’
Cyber security is an arms race. As soon as the good guys find a solid way to repel criminals, the bad guys get to work finding a workaround. Then cyber security invents something new and…
You know the score.
It’s why you stay up to date by reading the Intersys blog every month. And this month we want to keep you ahead of the people in sinister hoodies by telling you about EvilProxy phishing. And, yes, it can bypass MFA, the control where you confirm your identity with a second factor, such as a code or prompt on your phone, as well as your password.
Here’s the need to know.
What is EvilProxy Phishing?
EvilProxy is a popular ‘man-in-the-middle (MitM) phishing’ kit (the same pattern is also called adversary-in-the-middle, or AitM). The cyber-criminal’s server sits between the user and the real site, relaying everything the user types to the genuine login page and harvesting their credentials and session cookie along the way.
EvilProxy phishing is advertised online as a ‘phishing as-a-service’ product. It’s basically a monetised version of MitM, in which criminals get their hands on ‘out of the box’ resources to carry out scams.
EvilProxy (and MitM phishing kits in general) relies on a reverse proxy: a server that sits in front of a web server, forwards requests from clients such as web browsers to it, and passes the responses back. In a legitimate deployment the user never notices it is there. Here, the criminal runs one in front of the genuine login page.
Here’s how it works:
1) A criminal registers a look-alike domain and puts a reverse proxy behind it, pointed at the genuine login page. They send the victim a phishing link to that domain.
2) The victim clicks the link. The page they see is the real login page, fetched through the proxy, so they enter their username, password and MFA code (or approve the push prompt) exactly as they normally would.
3) The proxy relays each of those details to the real server in real time. Because the one-time code is forwarded within its validity window, the real server accepts it.
4) The proxy relays the real server’s responses back to the victim’s browser and, crucially, keeps a copy of the session cookie the server sets once the security checks have passed. That cookie is a bearer token: whoever presents it is treated as the logged-in user.
5) The criminal loads the captured cookie into their own browser and uses the victim’s account on the real site, with no password or MFA prompt.
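To make the five steps concrete, here is a small in-process simulation added for this post. It is not EvilProxy’s code and nothing here touches a network: the genuine site, the proxy, the user and the TOTP seed are all constructed. It shows the two facts the attack depends on, that a one-time code relayed inside its validity window is accepted, and that the session cookie is a bearer token the real site will honour from any machine.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

REAL_HOST = "login.real.example"    # constructed: the genuine identity provider
PHISH_HOST = "login.rea1.example"   # constructed: the attacker's look-alike domain


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code; plays the part of the code the victim reads off their phone."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


@dataclass
class RealSite:
    """The genuine login service on REAL_HOST: password + TOTP, then a bearer session cookie."""
    password: str
    totp_secret: bytes
    sessions: set = field(default_factory=set)
    access_log: list = field(default_factory=list)   # (cookie, client_ip, accepted)

    def login(self, username: str, password: str, code: str, now: int):
        if not hmac.compare_digest(password, self.password):
            return None
        if not hmac.compare_digest(code, totp(self.totp_secret, now)):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions.add(cookie)
        return cookie

    def read_mailbox(self, cookie: str, client_ip: str) -> bool:
        # The cookie is a bearer token: the site checks that it exists, not who presents it
        accepted = cookie in self.sessions
        self.access_log.append((cookie, client_ip, accepted))
        return accepted


@dataclass
class EvilProxy:
    """The reverse proxy on PHISH_HOST. It never needs to break MFA; it just relays it."""
    upstream: RealSite
    harvested: dict = field(default_factory=dict)

    def handle_login(self, username, password, code, now):
        # Step 3: forward the victim's password and one-time code to the real site, unchanged
        cookie = self.upstream.login(username, password, code, now)
        # Step 4: keep a copy of the session cookie while handing the genuine response back
        if cookie is not None:
            self.harvested[username] = {"password": password, "cookie": cookie}
        return cookie


def run_scenario(now: int = 1_700_000_000) -> dict:
    seed = b"constructed-totp-seed"
    site = RealSite(password="Winter2023!", totp_secret=seed)
    proxy = EvilProxy(upstream=site)
    user = "alice@real.example"

    # Steps 1-2: the victim is on PHISH_HOST and types exactly what they would on REAL_HOST
    victim_cookie = proxy.handle_login(user, "Winter2023!", totp(seed, now), now)
    victim_ok = site.read_mailbox(victim_cookie, "198.51.100.7")   # victim sees nothing wrong

    # Step 5: the attacker replays the captured cookie from another machine; no MFA prompt
    stolen = proxy.harvested[user]["cookie"]
    attacker_ok = site.read_mailbox(stolen, "203.0.113.9")

    # For contrast: a code captured 90 seconds earlier has expired. The relay only works
    # because the proxy forwards the code within its 30-second window.
    stale_ok = site.login(user, "Winter2023!", totp(seed, now - 90), now) is not None

    return {
        "victim_logged_in": victim_ok,
        "attacker_reads_mailbox": attacker_ok,
        "stale_code_accepted": stale_ok,
        "ips_using_same_cookie": sorted({ip for _, ip, ok in site.access_log if ok}),
    }
```

The last field of the result is the detail defenders can work with: one session cookie, issued after a successful MFA check, is now being presented from two different addresses. Nothing in the MFA step itself was broken.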
EvilProxy phishing is fast becoming a worryingly popular way to target MFA-protected accounts. Latest research suggests that criminals have targeted 120,000 Microsoft 365 users this way.
But Everyone’s Been Telling Me MFA is the Go-To for Cyber Security
MFA is still a solid bet. But this new threat is a warning sign to never rest on your laurels.
But I’ll Spot This Scam a Mile Off Because the Fake Site’s Spelling and Design Will Be So Bad
These attacks are a form of highly manipulative social engineering, and in this case the manipulation techniques can be hard to spot. The fake login pages EvilProxy generates can look uncannily like genuine login pages. We know of instances where the phishing page looks nearly identical to an Adobe Acrobat signature-required page with actual images of the staff.
We’ve also seen some of these attacks delivered via emails which only include a single image and link to a Bing webpage to further evade email security.
Oh.
Exactly. And this brings us on to something we should all be concerned about: a new level of professionalism among cyber criminals.
Yes, You Mentioned the Words ‘Service’ and ‘Advertised’ Earlier. Has Cyber Crime Gone Mainstream?
The EvilProxy service is advertised quite blatantly on the dark web. It’s relatively user-friendly, offers instructional videos and tutorials, and even has a database of cloned phishing pages of popular online services.
A casual Google search on the regular web also shows that there is growing interest in terms such as ‘evilproxy tutorial’, ‘how to get evilproxy’ and ‘evilproxy download’.
Who’s Using it?
Pretty much any chancer who fancies a go. Where hackers were highly talented coders in the past, now ‘low-skill threat actors’, to use the industry term, can use EvilProxy phishing to launch plausible, highly deceptive and effective phishing campaigns.
The criminal may sell your confidential information, use it to extract money or valuable data, or launch a ransomware campaign. (Find out more about ransomware and prevention.)
So, Everyone’s a Phishing Expert these Days?
If they use the EvilProxy service, pretty much.
Why are We Talking About this Right Now?
EvilProxy phishing first came to light in spring 2022 and it’s been on our radar ever since. We’re flagging it now because we’ve recently observed that more businesses are being targeted by this attack strategy, including a business that subscribes to our SOC service. This was a clear sign to us that EvilProxy phishing is becoming more mainstream.
What Happened?
Our monitoring systems very quickly noticed a suspicious login, from an unusual location. We informed the user immediately and their credentials were reset. There was no harm done and our systems effectively did the necessaries.
Is this the End of Multi-Factor Authentication?
Absolutely not. MFA and passwordless authentication are still highly recommended as ways to lock the criminals out. In particular, phishing-resistant methods such as FIDO2 security keys, passkeys and Windows Hello for Business bind the credential to the genuine site’s web address, so a login relayed through a proxy on the criminal’s domain simply fails. EvilProxy-style kits work against codes and push approvals, which can be relayed, not against these. But this emerging EvilProxy phishing threat does show us that there is no magic fix, or one-size-fits-all solution. Ideally, you’ll be implementing a range of cyber security measures.
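The passwordless options mentioned above resist this attack for a specific, checkable reason, and the following added example (not from the original post, and not any vendor’s code) walks through it. It models the two sides of a WebAuthn login with the standard library only: the browser fills in the origin of the page that asked for the credential, the authenticator signs over that origin together with a hash of the site identifier (rpId), and the real site refuses anything that does not name its own address. The domains, challenge and credential key are constructed, and an HMAC stands in for the authenticator’s ECDSA signature so the block runs offline.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "login.real.example"                 # constructed relying-party ID
RP_ORIGIN = "https://login.real.example"     # the only origin the relying party accepts
PHISH_ORIGIN = "https://login.rea1.example"  # constructed attacker domain
# Stand-in for the authenticator's private key (real devices sign with ECDSA/EdDSA
# over exactly the same bytes; an HMAC keeps this runnable without extra packages).
CRED_KEY = b"constructed-stand-in-for-authenticator-private-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class BrowserRefused(Exception):
    """navigator.credentials.get() throws if rpId is not a registrable suffix of the page host."""


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise BrowserRefused(f"{page_origin} may not use rpId {rp_id}")
    # The browser writes the origin of the page that called the API; the page cannot set it
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP=0x01, UV=0x04) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(CRED_KEY, signed, hashlib.sha256).digest()}


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """The relying party's checks, in the order the WebAuthn specification lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {RP_ORIGIN}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def run_scenarios() -> dict:
    challenge = bytes(range(32))   # constructed; a real RP draws this with secrets.token_bytes(32)
    results = {}
    # 1. Victim on the genuine page: accepted
    results["genuine"] = rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)
    # 2. The proxied page asks for the real site's credential: the browser refuses outright
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
        results["phish_real_rpid"] = "browser allowed"
    except BrowserRefused:
        results["phish_real_rpid"] = "browser refused"
    # 3. Worst case: the phishing page uses its own rpId and the proxy relays the answer
    #    (a real authenticator holds no credential for that rpId and would fail even earlier)
    relayed = browser_get_assertion(PHISH_ORIGIN, PHISH_ORIGIN.split("://", 1)[1], challenge)
    results["phish_relayed"] = rp_verify(relayed, challenge)
    # 4. The proxy rewrites origin and rpIdHash to look genuine: the signature no longer matches
    tampered = {
        "clientDataJSON": relayed["clientDataJSON"].replace(b"rea1", b"real"),
        "authenticatorData": hashlib.sha256(RP_ID.encode()).digest() + relayed["authenticatorData"][32:],
        "signature": relayed["signature"],
    }
    results["phish_tampered"] = rp_verify(tampered, challenge)
    return results
```

The point for the defender is scenario 3: the proxy can relay a password and a six-digit code because they carry no information about where they were typed, but a WebAuthn assertion carries the page origin inside the signed bytes, and the proxy cannot sign.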
Roger that. So, What Should I do to Stop this Specific Threat Happening to My Team?
User education has to come first. No matter how good a cyber security programme you have, you still need to educate colleagues to bolster any defensive measures.
Make sure your people get security awareness training about phishing attacks, including fake login pages. While the criminals are getting better at the visuals, the address bar is still the most reliable giveaway: the proxy has to live on a domain the criminal controls, so a URL that is not the genuine one can help staff spot a dodgy interaction.
Phishing simulations are a great way to test your people’s ‘phishing attack readiness.’
After User Education, What’s Next?
Here are some tips to help prevent EvilProxy phishing from Intersys’ Senior Cyber Security Consultant Jake Ives. If you’re not familiar with some of these terms or concepts, make sure you pass this post on to your security team who will be. Alternatively, ask us for help.
Pre-emptive measures
- Configure a policy in your email gateway to block links to newly registered domains; phishing infrastructure is usually set up shortly before a campaign runs.
- Use Conditional Access to restrict sign-ins to the countries where the business operates.
- Implement sign-in risk and user risk policies, so that sign-ins Identity Protection scores as risky are blocked or forced to re-authenticate and users flagged as compromised must reset their password. (This needs an Azure Active Directory Premium P2 licence.)
- Use Microsoft Defender for Endpoint Plan 1 with web protection and web content filtering enabled, so that phishing links are blocked on the device itself, however they arrive.
Device management
- Use Azure Active Directory Conditional Access to require a compliant or managed company device for access. A session cookie captured by the proxy is then of little use on the criminal’s machine, which cannot satisfy the device check. For bring your own device (BYOD), use Microsoft Intune Mobile Application Management (MAM) with app protection policies.
Ongoing Monitoring
- Feed sign-in and activity logs into Microsoft Defender for Cloud Apps and/or Microsoft Sentinel, and have a SOC monitoring service watch them. The telltale sign of this attack is a genuine, MFA-satisfied session suddenly being used from a new location, IP address or browser.
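What that monitoring looks for can be written down. The example below is added here and is not Intersys’ tooling or a Microsoft query; it runs three rules over a handful of constructed sign-in records whose field names are loosely modelled on Entra ID (Azure AD) sign-in logs. The second record is the shape of a replayed EvilProxy cookie: the same session as an earlier MFA-satisfied login, now from a different country and browser, with no fresh MFA prompt.

```python
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"GB"}            # constructed: the countries where the business operates
TRAVEL_WINDOW = timedelta(hours=1)    # two countries inside this window is not a commute

# Constructed sample records, loosely modelled on Entra ID / Azure AD sign-in log fields.
# Not real log data.
SIGNINS = [
    {"createdDateTime": "2023-09-12T08:02:11Z", "userPrincipalName": "alice@real.example",
     "ipAddress": "198.51.100.7", "countryOrRegion": "GB", "sessionId": "s-4411",
     "mfaPrompted": True, "userAgent": "Edge/116 Windows"},
    {"createdDateTime": "2023-09-12T08:31:40Z", "userPrincipalName": "alice@real.example",
     "ipAddress": "203.0.113.9", "countryOrRegion": "NL", "sessionId": "s-4411",
     "mfaPrompted": False, "userAgent": "Chrome/115 Linux"},
    {"createdDateTime": "2023-09-12T09:15:05Z", "userPrincipalName": "bob@real.example",
     "ipAddress": "198.51.100.22", "countryOrRegion": "GB", "sessionId": "s-9001",
     "mfaPrompted": True, "userAgent": "Edge/116 Windows"},
    {"createdDateTime": "2023-09-12T13:45:00Z", "userPrincipalName": "bob@real.example",
     "ipAddress": "198.51.100.22", "countryOrRegion": "GB", "sessionId": "s-9001",
     "mfaPrompted": False, "userAgent": "Edge/116 Windows"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(signins) -> list:
    """Return (rule, user, sessionId) tuples for sign-ins worth a SOC analyst's attention."""
    findings = []
    events = sorted(signins, key=lambda e: parse_ts(e["createdDateTime"]))
    first_client = {}     # sessionId -> (ip, userAgent) of the sign-in that established the session
    last_seen = {}        # user -> (time, country) of their previous sign-in
    for e in events:
        t, user, sid = parse_ts(e["createdDateTime"]), e["userPrincipalName"], e["sessionId"]
        country, ip, ua = e["countryOrRegion"], e["ipAddress"], e["userAgent"]
        # Rule 1: geography the Conditional Access policy should already be refusing
        if country not in ALLOWED_COUNTRIES:
            findings.append(("outside_allowed_countries", user, sid))
        # Rule 2: an established session reappearing from a different IP or browser,
        # without a fresh MFA prompt, is the signature of a stolen cookie being replayed
        if sid in first_client:
            ip0, ua0 = first_client[sid]
            if (ip != ip0 or ua != ua0) and not e["mfaPrompted"]:
                findings.append(("session_reused_from_new_client", user, sid))
        else:
            first_client[sid] = (ip, ua)
        # Rule 3: impossible travel between consecutive sign-ins by the same user
        if user in last_seen:
            t0, c0 = last_seen[user]
            if c0 != country and t - t0 < TRAVEL_WINDOW:
                findings.append(("impossible_travel", user, sid))
        last_seen[user] = (t, country)
    return findings
```

Treat these as signals rather than proof: a criminal can run their browser through a VPN exit in an allowed country and copy the victim’s user agent, which silences rules 1 and 3 and weakens rule 2. The response that matters when a finding does fire is the one described above, contacting the user, resetting credentials and revoking the active sessions, since a password reset on its own does not invalidate a cookie the criminal already holds.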
Intersys is a specialist cyber-security provider that helps businesses, NGOs, schools and universities with all aspects of cyber security services as well as a fully managed SOC-as-a-service. If you’ve been asked to pay a ransom, find out about our services for recovering data stolen in ransomware attacks. To find out more about how we can help you, contact us now.