A new hacking tool can supposedly beat any security protections set up to prevent cyberattacks, and gain access to some of the world’s most popular websites, reports TechRadar.
The operator behind the EvilProxy tool says it is able to steal the authentication tokens needed to bypass the multi-factor authentication (MFA) systems used by the likes of Apple, Google, Facebook, Microsoft, and Twitter.
The service is particularly concerning as it promises to make such attacks available to all hackers, even those who may not have the precise skills or knowledge needed to attack such prominent targets.
The tool was discovered by security firm Resecurity (opens in new tab), which notes that EvilProxy (also known as Moloch) is a reverse-proxy Phishing-as-a-Service (PaaS) platform being advertised on the dark web.
It offers to steal usernames, passwords, and session cookies, for a cost of $150 for ten days, $250 for 20 days, or $400 for a month-long campaign – although attacks against Google attacks will cost more, coming in at $250, $450 and $600 respectively.
Reverse proxies typically sit between a website and some form of online authentication endpoint such as a login page. EvilProxy tricks its victims using phishing lures, taking them to a legitimate page where they are asked to enter login credentials and MFA information. This data is then sent to the intended, legitimate website, logging them in, and also generating a session cookie containing an authentication token, which is sent to the victim.
However, this cookie and the authentication token can then be stolen by the reverse proxy, which, as noted, is located in between the user and the legitimate website. The attackers can then use this token in order to log in to the site masquerading as their victim, bypassing the need to re-enter information on the MFA process.
Library of existing cloned phishing pages
Resecurity notes that aside from the cleverness of the attack itself, which is simpler to deploy than other man-in-the-middle (MITM) attacks, what also sets EvilProxy apart is its user-friendly approach. After purchasing, customers are given detailed instructional videos and tutorials on how to use the tool, which boasts a clear and open graphical interface where users can set up and manage their phishing campaigns.
It also offers a library of existing cloned phishing pages for popular internet services, which along with the names mentioned above, include the likes of GoDaddy, GitHub, Dropbox, Instagram, Yahoo and Yandex.
“While the sale of EvilProxy requires vetting, cybercriminals now have a cost-effective and scalable solution to perform advanced phishing attacks to compromise consumers of popular online services with enabled MFA,” Resecurity noted.
“The appearance of such services in the dark web will lead to a significant increase in ATO/BEC activity and cyberattacks targeting the identity of the end users, where MFA may be easily bypassed with the help of tools like EvilProxy.”
Did you subscribe to our daily Newsletter?
It’s Free! Click here to Subscribe