New Phishing-as-a-Service (PhaaS) identified by Resecurity

Resecurity has identified a new Phishing-as-a-Service (PhaaS) called EvilProxy. Evidence shows that EvilProxy used a reverse proxy that harvested valid session cookies to bypass 2FA. So far, Resecurity has collected domain names and URLs related to EvilProxy following the attacks against employees from Fortune 500 companies.

The new PhaaS, called EvilProxy, is advertised on the dark web and uses a reverse proxy to harvest valid session cookies and bypass 2FA. According to Resecurity, this new method highlights the increase in attacks on online services and MFA authorisation mechanisms. Essentially, EvilProxy generates phishing links that compromise customer accounts belonging to Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, and Instagram, among others. It was initially detected in May 2022, when the group demonstrated how the PhaaS can be used to access victims’ accounts. So far, Resecurity’s team has collected domain names and URLs related to the EvilProxy infrastructure, and some of these hosts have been mapped following the attacks against employees from Fortune 500 companies.