AAG Security Advisory - 'EvilProxy'

Multi-factor authentication (MFA) protects user accounts by using a second layer of security to ensure authorised access, usually in the form of a one-time code. Bypassing MFA is notoriously difficult and requires extensive technical knowledge. However, a new Phishing-as-a-Service (PhaaS) attack can circumvent MFA, opening new avenues for cyber criminals to steal data.

PhaaS is a recent development in the cyber threat landscape, enabling widespread distribution of phishing software to threat actors on a subscription basis.

One particularly worrying service is ‘EvilProxy’, which allows cyber criminals to hijack sessions, bypassing MFA to compromise accounts. First appearing in early May 2022, EvilProxy has already been used successfully against users of services like Apple, Microsoft and WordPress.

EvilPoxy highlights the sophistication and danger of modern cyber attacks. Businesses must be made aware of these developments to better inform staff and protect data.

It is likely that EvilProxy was used to divert funds from one of our customers

Cyber criminals successfully phished credentials for an email address of one of our customer’s employees.

With the account compromised, the hackers could monitor incoming and outgoing emails. In early September, they intercepted a legitimate invoice from a new trading partner and changed the account details.

When the target employee received the email, they unwittingly sent money to the wrong account.

How does EvilProxy work?

EvilProxy tricks web browsers into thinking the hacker is an authenticated account user, essentially hijacking the victim’s account session.

Hackers bypass MFA using EvilProxy through a ‘reverse proxy’. This server sits between the phishing site and the service that the victim is trying to connect to, such as Microsoft. The reverse proxy intercepts information sent from the service.

When victims click on a phishing link, they see the expected login page. Once they have entered their details, the credentials and MFA are sent to the service. This service then gives the user a ‘session cookie’, which authenticates the victim by telling the browser they are authorised.

The reverse proxy steals this session cookie, meaning the hacker can authenticate themselves. They don’t need MFA; the session cookie is enough to grant them access to the user account.

The dangers of EvilProxy

MFA is designed to prevent unauthorised access to user accounts. The second method of authentication, usually in the form of a one-time code sent to a linked mobile phone number, ensures that the account remains secure even if initial login credentials are compromised.

EvilProxy threatens security by bypassing this crucial step. By leveraging classic social engineering techniques, hackers can simplify their attack routes and view accounts without alerting the victim.

Another danger of EvilProxy is that it requires little technical knowledge to use. New mass-market PhaaS software allows anyone to set up damaging campaigns. Lowering the technical barrier makes cyber crime accessible to almost anyone with the motive to harm organisations, such as disgruntled employees.

These new avenues of attack mean organisations must be on-guard. Training employees on how to spot phishing attacks is a priority, as conventional cyber security measures are no longer enough to protect networks.

Avoiding EvilProxy

Phishing emails are becoming more difficult to spot. They are no longer generic, grammatically incoherent messages with suspicious links. The latest phishing campaigns use professional language and hide spoof websites behind genuine-looking links.

The most effective defence against EvilProxy is to not click links in emails and to not enter information on web pages that in any way look strange.

You can configure Conditional Access in 365 to only allow domain-joined devices access to 365. Enabling Microsoft InTune device compliance also helps ensure that only authorised devices can access your 365.

Universal 2-factor authentication hardware tokens, like YubiKeys, help ensure MFA cannot be corrupted by interference. Physical devices cannot be stolen through phishing, and are seeing increased use as hackers begin to circumvent other MFA methods.

For more information and tips, visit our phishing awareness page.

The recent Uber hack highlights the continued importance of MFA

While EvilProxy poses a severe threat to MFA, the recent hack of Uber highlights how it is still critical for an effective cyber security system.

On 16th September, Uber’s AWS cloud account and corporate Slack account were breached. Uber released a detailed statement explaining the hacker’s entry route.

The hacker purchased an Uber corporate password used by a contractor whose personal device was infected with malware. The hacker used these credentials to repeatedly log in to the contractor’s Uber account, which triggered MFA approval requests.

Repeated MFA requests eventually wore down the contractor, forcing ‘MFA fatigue’ where they became fed up with receiving notifications. When the contractor eventually accepted a request, the hacker gained access to the account and escalated the attack.

Businesses can mitigate the risk of this type of attack affecting them by using ‘Number Matching’ in their MFA requests. This presents a number to the user when receiving an MFA notification. For more information, read this Microsoft tutorial.

Even though the hacker circumvented it, MFA was still of value; despite the initial login credentials being compromised, the hacker still needed the contractor to accept the MFA approval request before accessing the account.

While cyber attack methods are becoming more sophisticated, organisations should be reassured that security measures like MFA are still important. The primary entry point for an attack is through employees, so business leaders should prioritise staff training on how to spot phishing attempts and set up zero-trust policies to minimise exposure.