A recent phishing attack called EvilProxy has targeted the popular job search platform Indeed, with a particular focus on executives in various industries. The cybersecurity research team, Menlo Labs, discovered this attack and revealed its details in an advisory published on Tuesday. The campaign began in July and lasted until August 2023, showcasing a sophisticated approach to phishing.
EvilProxy, the phishing kit used in this attack, functions as a reverse proxy, enabling it to intercept requests between users and legitimate websites. What makes this attack even more concerning is EvilProxy’s ability to harvest session cookies, allowing it to bypass multi-factor authentication (MFA). This means that even users who have implemented additional layers of security can still fall victim to this attack.
The primary targets of this malicious campaign were organizations based in the United States, with a particular emphasis on executives, especially those in the C-suite. The sectors that were most affected included banking and financial services, insurance providers, property management and real estate, and manufacturing. The attackers exploited an open redirection vulnerability on Indeed.com to trick users into believing they were accessing trusted sources.
The attack vector used by the perpetrators involved phishing emails containing deceptive links. Once the victims clicked on these links, they were redirected to fake Microsoft Online login pages. The research conducted by Menlo Labs involved analyzing data from URLScan, Phishtank, and VirusTotal feeds to gain insight into the extent of this attack.
The existence of open redirection vulnerabilities poses a severe threat to users. Such vulnerabilities make it easy for attackers to deceive users into thinking they are accessing legitimate websites when, in reality, they are being directed to phishing pages. EvilProxy played a crucial role in this attack by acting as a reverse proxy and allowing threat actors to steal session cookies and bypass MFA.
In response to these findings, Menlo Labs suggests several protective measures that organizations can take to mitigate the risk of EvilProxy phishing attacks. These include user education, where employees are trained to recognize phishing threats, and implementing phishing-resistant MFA solutions, such as FIDO-based authentication. Additionally, it is essential to verify the legitimacy of target URLs instead of assuming their safety, and to deploy real-time protection solutions that guard against zero-hour phishing attacks.
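The open redirect described above, and the advice to verify target URLs rather than trust them, both come down to the same check: does a redirect parameter send the browser somewhere the site never intended? The following is an added example, not code from Menlo Labs, Indeed or the advisory. It shows the naive substring check that creates an open redirect beside a hardened allowlist check, and a small link-inspection helper of the kind a mail gateway or SOC analyst could use to flag "trusted-looking" links that carry an external destination. All hostnames (`trusted.example`, `jobs.example`, `attacker-login.example`) and the list of redirect parameter names are constructed assumptions; the real parameter involved in the Indeed case is not stated on this page.

```python
"""Defensive checks against open-redirect abuse (added example, not from the advisory).

All hostnames, parameter names and sample links below are constructed for
illustration; none refer to the real Indeed.com parameter.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hosts this hypothetical site is allowed to redirect to (assumed allowlist).
ALLOWED_REDIRECT_HOSTS = {"trusted.example", "www.trusted.example"}

# Query parameter names commonly used to carry a post-login/redirect target
# (assumed list; extend it from your own application's routes).
COMMON_REDIRECT_PARAMS = ("url", "redirect", "redirect_url", "next", "target", "dest", "u")


def weak_is_safe_redirect(target: str) -> bool:
    """The kind of check that produces an open redirect: 'our domain appears
    in the string, so it must be ours'. A hostname such as
    trusted.example.evil.example passes this test."""
    return "trusted.example" in target


def is_safe_redirect(target: str) -> bool:
    """Hardened check: accept only same-site relative paths or absolute https
    URLs whose parsed hostname is on an explicit allowlist."""
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path. Reject protocol-relative forms ("//evil.example")
        # and backslashes, which some browsers normalise into a new host.
        return target.startswith("/") and not target.startswith("//") and "\\" not in target
    if parsed.scheme != "https":
        return False
    # .hostname strips userinfo and port, so "https://trusted.example@evil.example/"
    # resolves to "evil.example" here rather than to the allowlisted name.
    host = (parsed.hostname or "").lower()
    return host in ALLOWED_REDIRECT_HOSTS


def embedded_redirect_target(link: str) -> Optional[str]:
    """Return the external host a link would bounce to if one of its redirect
    parameters holds an absolute http(s) URL on a different host, else None.
    This is the 'verify the target URL' step applied to a link found in mail
    or proxy logs: the visible host may be trusted while the destination is not."""
    parsed = urlparse(link)
    link_host = (parsed.hostname or "").lower()
    params = parse_qs(parsed.query)  # percent-encoded values are decoded here
    for name in COMMON_REDIRECT_PARAMS:
        for value in params.get(name, []):
            inner = urlparse(value)
            inner_host = (inner.hostname or "").lower()
            if inner.scheme in ("http", "https") and inner_host and inner_host != link_host:
                return inner_host
    return None


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a mail-gateway log.
    samples = [
        "https://jobs.example/go?url=https%3A%2F%2Fattacker-login.example%2Fowa",
        "https://jobs.example/go?url=%2Fjobs%2F123",
        "https://jobs.example/go?url=https://jobs.example/jobs/123",
    ]
    for link in samples:
        ext = embedded_redirect_target(link)
        print(("FLAG   " if ext else "ok     ") + link + (f"  -> {ext}" if ext else ""))
```

Running the block flags only the first sample link, because its `url` parameter decodes to an absolute URL on a host other than the one the user sees. The two checks are deliberately separate: `is_safe_redirect` belongs in the application that issues redirects, while `embedded_redirect_target` is for the receiving side that has to judge a link it did not create.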
Menlo Labs also took responsible action by disclosing the open redirect vulnerability to Indeed.com. By doing so, they emphasized the severe implications of this threat and helped facilitate prompt mitigation.
Phishing attacks like EvilProxy continue to pose a significant risk to organizations and individuals alike. It is crucial for individuals to remain vigilant and follow best practices to protect themselves from falling victim to these attacks. Furthermore, organizations must invest in robust cybersecurity measures and continuously educate their employees to minimize the impact of such threats.