EvilProxy: A tool that automates hacking for Sunday hackers

Phishing, or “hameçonnage” in French, is one of the main methods hackers use to steal data. It relies on fake websites or emails that mimic a well-known brand, service, or the target’s contact. These emails and web pages are often easy to spot, but sometimes they are so well designed that you can be fooled, at least until you have handed over your credentials or personal information, or clicked on a booby-trapped link.

Phishing is not for everyone, as it requires strong technical skills in the era of two-factor authentication. This security measure, which verifies identity in a second step by a means other than the password (often an SMS code), has indeed made hackers’ lives much harder over the past 10 years. But tools are starting to appear on the dark web that make their job easier and open the door to phishing for complete neophytes.

As cybersecurity researchers at Resecurity have discovered, some tools can bypass the two-factor authentication (2FA) of online services almost “automatically.” They are multiplying and are available to all hackers, even the least competent, by subscription at bargain prices. This is the case of the “EvilProxy” service, which stands out on the main darknet hacker forums (more specifically, on the part of the web accessible via Tor).

How does EvilProxy work?

EvilProxy uses a “reverse proxy” method to steal authentication tokens: the 2FA session tokens that allow two-factor authentication to be bypassed on Apple, Google, Facebook, Twitter, Microsoft, GitHub, Dropbox, Yandex, GoDaddy… and even PyPI, the official Python software repository, which was recently the target of phishing attacks (aimed at developers) through another automated tool called “JuiceLedger”.

The first step is to lure the user to a fake login site. This site is connected to a server which is itself connected, in parallel, to the “real” site of the genuine service (Google, Twitter, etc.). Since the fake web page displays a “legitimate”-looking form for logging in to the official service, the pirate proxy acts as a “pass-through”: it forwards the username and password entered by the victim to the real service and waits until that service asks the user for a one-time code (via SMS or a notification in a mobile application). It then waits for the victim to type this ephemeral code into the fake page. The code is forwarded to the real platform’s server, which returns a session cookie.

Since the reverse proxy sits “in the middle”, between the real site and the Internet user, it can steal this session cookie, which contains the authentication token. The hacker is then able to log in to the official site in place of the user. “A reverse proxy can get all the legitimate content a user expects, including login pages. It intercepts traffic as it passes through the proxy. In this way, it is possible to collect valid session cookies and bypass the need for authentication using usernames, passwords, and/or 2FA tokens,” sums up Resecurity.
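The cookie theft described above leaves a trace a defender can look for: a session issued right after a successful 2FA challenge starts being presented from a different client than the one that completed it. The detector below is an added example written for this page, not code from Resecurity or from any tool the article describes; the log format, user names and IP addresses in it are constructed for illustration.

```python
"""Flag session cookies that turn up on a client other than the one that
completed 2FA. Added defensive example; the log format and values are
constructed for illustration, not taken from Resecurity or EvilProxy."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, event, session id, client IP,
# then the user agent (which may contain spaces).
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice mfa_ok      sess-7f3a 203.0.113.10  Firefox/125 Linux
2024-05-01T09:00:40Z alice session_use sess-7f3a 203.0.113.10  Firefox/125 Linux
2024-05-01T09:03:15Z alice session_use sess-7f3a 198.51.100.77 Chrome/124 Windows
2024-05-01T10:12:00Z bob   mfa_ok      sess-91c0 192.0.2.5     Safari/17 macOS
2024-05-01T10:15:00Z bob   session_use sess-91c0 192.0.2.5     Safari/17 macOS
2024-05-01T13:40:00Z bob   session_use sess-91c0 192.0.2.99    Safari/17 macOS
"""


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    event: str        # "mfa_ok": session issued after 2FA; "session_use": cookie presented
    session_id: str
    ip: str
    user_agent: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed whitespace-separated format above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, sid, ip, ua = line.split(maxsplit=5)
        events.append(AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                user, event, sid, ip, ua))
    return events


def detect_session_hijack(events: list[AuthEvent],
                          window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Compare every use of a session cookie with the client that earned it.

    A different IP *and* user agent shortly after 2FA is the pattern a
    reverse-proxy phish produces: the proxy host completes the login, then the
    operator presents the cookie from their own browser.  An IP change alone is
    common on mobile networks, so it is reported at lower severity.
    """
    issued: dict[str, AuthEvent] = {}
    alerts = []
    for ev in events:
        if ev.event == "mfa_ok":
            issued[ev.session_id] = ev
            continue
        origin = issued.get(ev.session_id)
        if origin is None:
            continue  # cookie never seen being issued; out of scope here
        ip_changed = ev.ip != origin.ip
        ua_changed = ev.user_agent != origin.user_agent
        if not (ip_changed or ua_changed):
            continue
        age = ev.ts - origin.ts
        severity = "high" if (ip_changed and ua_changed and age <= window) else "medium"
        alerts.append({"user": ev.user, "session_id": ev.session_id,
                       "severity": severity, "issued_from": origin.ip,
                       "used_from": ev.ip,
                       "minutes_after_mfa": age.total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_hijack(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, the detector raises a high-severity alert for alice’s session (new IP and new browser three minutes after 2FA) and only a medium one for bob’s later IP change, which is the distinction a triage queue needs.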

However, configuring a reverse proxy is very complex and therefore (a priori) reserved for experienced hackers, often working for the mafia or government organizations. But with a tool like EvilProxy, nothing could be easier. The tool contains a phishing “kit” (apparently developed by hackers responsible for attacks on banks and e-commerce sites) that allows its user, even an inexperienced one, to attack a target without having to compromise any upstream services.

According to Resecurity, EvilProxy is a true all-in-one Phishing-as-a-Service (PaaS) offering that lets you “phish” someone in a few clicks, or nearly so. All you have to do is select the type of account you want to attack (Google, Microsoft, Facebook, Twitter, etc.), choose the duration of the desired phishing “campaign” and run the tool. It takes care of everything: it sets up the attack infrastructure and creates the fake login pages. The cherry on the cake: the EvilProxy subscription, paid via Telegram, is cheap: $150 for 10 days, $250 for 20 days, and $400 for 31 days.

The particularly sophisticated EvilProxy uses various techniques to “protect the phishing kit code” from detection by the virtual machines used by cybersecurity professionals. “Like fraud prevention and cyber threat intelligence (CTI) solutions, it collects data about known VPN services, proxy servers, TOR exit nodes, and other hosts that can be used to analyze the IP reputation of potential victims,” says Resecurity. If a visitor is identified as a CTI tool, EvilProxy drops the connection.

A tool that makes phishing too easy

The reverse proxy method is not new. But until now it has mostly been the preserve of groups of experienced hackers using their own tools or hard-to-obtain kits such as Modlishka, Necrobrowser and Evilginx2. Now EvilProxy (and other similar tools available on the dark web) is democratizing this formidable 2FA-bypass technique through ease of use.

Easy to set up, the service goes as far as offering tutorials, including video ones, with “a user-friendly graphical interface and a large collection of cloned phishing sites featuring images of well-known platforms,” describes Resecurity. According to the researchers, “although EvilProxy is not free, cybercriminals now have a cost-effective and scalable solution for carrying out advanced phishing attacks aimed at compromising users of popular online services where multi-factor authentication is enabled.”

At first glance, it is easy to think that the random hackers who might use such a service would cause little damage anyway. After all, they would only ever be novice hackers: “script kiddies” who already use scripts and programs developed by others to carry out DDoS attacks or create fake phishing sites. Their poor knowledge of malware creation and advanced hacking limits them to social engineering and to building fraudulent websites (or emails), since learning HTML is less difficult, and the quality of these leaves much to be desired. In addition, they often make beginner’s mistakes and leave so many traces behind them that they are easy to spot. As such, their attack range remains (at least for now) very limited.

But with a tool like EvilProxy, which makes it easy to bypass 2FA and, above all, to do so without leaving a trace, these novice hackers could very well prove just as formidable as “confirmed” hackers.

What to do, then? Of course, there are strong authentication methods that make EvilProxy inoperable, such as the FIDO protocol, in which the authenticity of the website is systematically verified before the 2FA token is sent. But at the moment, few online services use this technology. Pending the generalization of the FIDO protocol, we users must remain vigilant by manually and constantly verifying the identity of the site we connect to. Better still, type the site address into the browser yourself rather than following the link… and check the spelling of that address.
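The FIDO property mentioned above can be shown in a few lines. In WebAuthn it is the browser, not the web page, that writes the origin it is really connected to into the signed client data and derives the relying-party ID from it, so a login ceremony relayed through a lookalike domain cannot produce an assertion the real service accepts. The model below is an added example written for this page, not code from any FIDO library or from the tools the article describes; it uses an HMAC as a stand-in for the authenticator’s public-key signature, and the domains, key and challenge are constructed.

```python
"""Simplified model of WebAuthn origin binding, the property that makes a
reverse-proxy phishing page useless against FIDO logins.  Added example:
HMAC stands in for the authenticator's ECDSA signature, and all names,
keys and challenges are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import json
from urllib.parse import urlparse


def rp_id_hash(rp_id: str) -> bytes:
    """authenticatorData begins with SHA-256 of the RP ID (the site's domain)."""
    return hashlib.sha256(rp_id.encode()).digest()


def browser_makes_assertion(origin: str, challenge: str, key: bytes) -> tuple[bytes, bytes, bytes]:
    """Simulates browser + authenticator.

    The page cannot choose the origin: the browser records the one it is
    actually connected to and derives the RP ID from its hostname.  A real
    authenticator would also refuse outright because the credential is scoped
    to the genuine RP ID; here it signs anyway so the server-side check is visible.
    """
    rp_id = urlparse(origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    flags = b"\x01"                        # UP: user present
    sign_count = (0).to_bytes(4, "big")
    authenticator_data = rp_id_hash(rp_id) + flags + sign_count
    to_sign = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, authenticator_data, signature


def rp_verifies(client_data: bytes, authenticator_data: bytes, signature: bytes, *,
                expected_origin: str, expected_challenge: str, key: bytes) -> tuple[bool, str]:
    """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or cross-session relay)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: browser was on {cd.get('origin')}"
    expected_rp = urlparse(expected_origin).hostname
    if authenticator_data[:32] != rp_id_hash(expected_rp):
        return False, "rpIdHash mismatch"
    to_sign = authenticator_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    return True, "ok"


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Direct login vs. the same ceremony relayed through a lookalike domain."""
    key = b"constructed-credential-secret"        # stands in for the key pair
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"      # constructed; RPs use fresh random bytes
    real = "https://accounts.example.com"
    lookalike = "https://accounts-example.com"     # constructed proxy domain

    direct = rp_verifies(*browser_makes_assertion(real, challenge, key),
                         expected_origin=real, expected_challenge=challenge, key=key)
    # The proxy can forward the real site's challenge unchanged, but the victim's
    # browser is on the lookalike origin, and that is what lands in the signed data.
    relayed = rp_verifies(*browser_makes_assertion(lookalike, challenge, key),
                          expected_origin=real, expected_challenge=challenge, key=key)
    return direct, relayed


if __name__ == "__main__":
    print(demo())
```

The relayed ceremony fails at the origin check, before the signature is even examined; contrast this with the SMS or app code in the article, which carries no information about where the victim typed it and so passes through the proxy unchanged.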
