Threat Actors Relying on EvilProxy Phishing Toolkit to Target Organizations

Criminal actors are utilizing a phishing-as-a-service (PhaaS) toolkit known as EvilProxy more and more often to orchestrate account takeover attacks specifically targeting top executives within prominent companies.

Proofpoint reports an ongoing mixed campaign that has used this service to target thousands of Microsoft 365 user accounts, sending around 120,000 phishing emails to numerous organizations worldwide between March and June 2023.

Approximately 39% of the several compromised users are identified as C-level executives, encompassing CEOs (9%) and CFOs (17%). The attacks have also pinpointed individuals who possess access to sensitive information or financial resources. Among all compromised users, at least 35% had extra account security measures in place.

These campaigns are viewed as a reaction to the growing implementation of multi-factor authentication (MFA) within enterprises, prompting threat actors to adapt their strategies to circumvent newly introduced security layers. They have integrated adversary-in-the-middle (AitM) phishing kits into their tactics to extract credentials, session cookies, and one-time passwords.

The enterprise security firm noted that attackers employ advanced automation techniques to swiftly and accurately identify whether a phished user holds a high-profile position, allowing them to instantly access the account. Simultaneously, they disregard less lucrative phished profiles.

EvilProxy was initially documented by Resecurity in September 2022, highlighting its capability to compromise user accounts linked to various platforms such as Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others.

This toolkit is available through subscription, with a monthly cost of $400. However, the fee can escalate to $600 for Google accounts.

PhaaS toolkits signify an evolution in the cybercrime landscape, lowering the entry barrier for individuals with limited technical skills to execute intricate phishing attacks on a large scale, seamlessly and cost-effectively.

What Are Phishing Attacks?

Phishing attacks are a type of cyber attack in which attackers use deceptive tactics to trick individuals into revealing sensitive information, such as login credentials, personal details, or financial information. These attacks typically occur through emails, messages, or websites that impersonate legitimate entities, making them appear trustworthy and convincing.

Key characteristics of phishing attacks include:

Deceptive Communication: Phishing attacks often involve emails, text messages, or social media messages that appear to come from legitimate sources, such as banks, social media platforms, government agencies, or well-known companies. Attackers use these impersonated identities to gain the recipient's trust.

Urgency or Fear: Phishing messages often create a sense of urgency or fear to manipulate recipients into taking immediate action. Common tactics include claiming that an account has been compromised, a payment is due, or an urgent update is required.

Links and Attachments: Phishing messages contain links to fake websites or malicious attachments. These links may direct recipients to websites that closely resemble legitimate ones but are designed to steal information or spread malware.

Spoofed Websites: Attackers create fake websites that closely mimic the appearance of legitimate sites to trick users into entering their credentials. These sites often have similar URLs or domain names with slight variations.

Credential Theft: The primary goal of most phishing attacks is to steal login credentials, including usernames and passwords. Attackers then use these credentials to gain unauthorized access to accounts.
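The "Spoofed Websites" point above can be turned into a triage check on the hostname of a sign-in link. The following Python sketch is an added example, not code from the original article or from Proofpoint; the `PROTECTED` list, the function names, and the sample hostnames are assumptions constructed for illustration.

```python
# Added example: lookalike-domain triage for sign-in links.
# Assumption: PROTECTED is the defender's own list of real sign-in domains.
PROTECTED = ("microsoftonline.com", "microsoft.com", "office.com")


def registrable(host):
    """Last two labels only; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, max_distance=2):
    """Return (verdict, matched protected domain or None) for a hostname."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in PROTECTED:
        return ("legitimate", reg)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("punycode-review", None)  # IDN label: may render as look-alike glyphs
    for brand in PROTECTED:
        # Real domain used as subdomain labels of an unrelated registrable domain.
        if f".{brand}." in f".{host}":
            return ("brand-as-subdomain", brand)
        # Registrable domain within a few edits of the real one.
        if edit_distance(reg, brand) <= max_distance:
            return ("typosquat", brand)
    return ("no-match", None)


# Constructed sample hostnames (not taken from any real campaign).
SAMPLES = ["login.microsoftonline.com", "rnicrosoft.com",
           "login.microsoftonline.com.auth-portal.example", "example.org"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
```

A "typosquat" or "punycode-review" verdict is a prompt for review rather than proof of phishing, since unrelated legitimate domains can fall within two edits of a protected name.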

August 10, 2023