Increase in Takeovers of MFA-protected Accounts as Microsoft 365 Phishing Campaign Demonstrates

The use of phishing kits as a service has made it easier for cybercriminals to launch sophisticated phishing campaigns, as demonstrated by the latest findings from cybersecurity firm Proofpoint. In a recent investigation, researchers discovered a phishing page that mimicked a Microsoft 365 login page. This page was created using EvilProxy, a phishing service that provides users with a user-friendly interface to manage their campaigns.

EvilProxy functions as a reverse proxy, positioning itself between the user and the real login page. It relays requests and responses between the two parties, giving the attacker full visibility into the victim’s interactions. This means that the attacker can collect valuable information, including login credentials and Multi-Factor Authentication (MFA) codes. EvilProxy boasts the capability to bypass MFA on popular websites such as Apple, Gmail, Facebook, Microsoft, Twitter, GitHub, and GoDaddy.

Phishing kits like EvilProxy have gained popularity in recent years as they allow even low-skilled cybercriminals to launch powerful phishing attacks. The user-friendly interface and low cost make it accessible to a wide range of threat actors. According to Proofpoint researchers, this simplicity and affordability have resulted in an influx of successful MFA phishing campaigns.

Interestingly, the attackers behind the campaign identified by Proofpoint demonstrated a keen interest in high-value targets. They prioritized accessing the accounts of VIPs, gaining entry within seconds of compromising their credentials. On the other hand, less interesting accounts, even if they fell victim to the phishing attack, were left untouched.

To maintain persistent access to high-value accounts, the attackers leveraged a Microsoft 365 application called My Sign-Ins. This application allows users to manage their organizations and devices and view their authentication sessions. Crucially, it also permits users to change their account security settings, including MFA methods.

The attackers added their own authentication app, which generated time-based one-time passwords (TOTP codes), alongside the user’s Microsoft Authenticator app. By doing so, they ensured that they could gain access to the account later if the victim did not change their password.
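The persistence step described above leaves a trail defenders can look for: a new MFA method registered shortly after a sign-in from an address the user has never used. The following is an added example, not from Proofpoint or the original article; the event schema, field names, baseline and 30-minute window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed events in a simplified, hypothetical schema; a real deployment
# would map its identity provider's sign-in and audit logs onto these fields.
EVENTS = [
    {"time": "2023-08-01T08:55:00", "user": "cfo@example.com",
     "type": "sign_in", "ip": "203.0.113.10"},
    {"time": "2023-08-01T09:12:00", "user": "cfo@example.com",
     "type": "sign_in", "ip": "198.51.100.77"},
    {"time": "2023-08-01T09:12:40", "user": "cfo@example.com",
     "type": "mfa_method_added", "ip": "198.51.100.77", "method": "totp_app"},
    {"time": "2023-08-01T10:00:00", "user": "dev@example.com",
     "type": "sign_in", "ip": "203.0.113.25"},
    {"time": "2023-08-01T10:05:00", "user": "dev@example.com",
     "type": "mfa_method_added", "ip": "203.0.113.25", "method": "totp_app"},
]

# Constructed baseline of the IPs each user normally signs in from.
KNOWN_IPS = {
    "cfo@example.com": {"203.0.113.10"},
    "dev@example.com": {"203.0.113.25"},
}


def flag_mfa_additions(events, known_ips, window=timedelta(minutes=30)):
    """Flag MFA methods added from an unfamiliar IP soon after a sign-in from it."""
    sign_ins = {}  # (user, ip) -> time of the latest sign-in from that IP
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["ip"])
        if ev["type"] == "sign_in":
            sign_ins[key] = when
        elif ev["type"] == "mfa_method_added":
            if ev["ip"] in known_ips.get(ev["user"], set()):
                continue  # change came from an address in the user's baseline
            signed_in = sign_ins.get(key)
            if signed_in is not None and when - signed_in <= window:
                alerts.append({
                    "user": ev["user"], "ip": ev["ip"], "method": ev["method"],
                    "seconds_after_sign_in": int((when - signed_in).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_mfa_additions(EVENTS, KNOWN_IPS):
        print(alert)
```

An alert from this logic is a prompt to review the account's registered MFA methods and active sessions, since a password reset alone leaves an attacker-added authenticator in place.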

The researchers at Proofpoint noted that these attackers invested significant effort in understanding their target organizations’ culture, hierarchy, and processes. This allowed them to launch effective, tailored attacks that yielded high success rates. Once they had access to compromised accounts, the attackers monetized their illicit access. They engaged in activities such as financial fraud, data exfiltration, and even hacking-as-a-service (HaaS) transactions, where they sold access to compromised user accounts.

The increasing availability and accessibility of phishing kits as a service pose a significant threat to organizations and individuals alike. As cybercriminals with limited technical skills gain access to sophisticated tools, the potential for successful phishing attacks grows. It is crucial for individuals to remain vigilant and exercise caution when interacting with online platforms. Additionally, organizations need to implement robust security measures to protect their networks and educate their employees about the dangers of phishing attacks. Only through collective effort and proactive defense can we mitigate the risks posed by this evolving cyber threat landscape.
