Threat actors used the EvilProxy phishing-as-a-service platform and a fake Indeed recruitment website links to steal credentials from senior U.S. executives employed across a range of industries.
Click for more special coverage
EvilProxy is a tool researchers expect will grow in popularity among hackers due of its easy-to-use features and ability to circumvent certain multi-factor authentication (MFA) security measures.
Menlo Labs identified the latest campaign, which was not attributed to a specific threat group but predominantly targeted executives working in senior roles in the banking and financial services, insurance, property management, real estate, and manufacturing sectors.
In an Oct. 3 blog post, Menlo Labs threat researcher Ravisankar Ramprasad described the campaign as a classic example of an adversary-in-the-middle (AiTM) phishing attack where session cookies were harvested, enabling threat actors to bypass MFA protections.
Targets were sent a phishing email containing an open redirect URL with an indeed.com domain which redirected to a phishing website, created using EvilProxy, that mimicked a Microsoft 365 login page.
Redirect URLs are used legitimately to send visitors from one website to another, and contain a data string used by the destination website to understand the visitor’s web journey.
The use of the Indeed domain redirect URL in the phishing email “makes an unsuspecting victim believe the redirection resulted from a trusted source,” Ramprasad said.
The phishing site acts as a reverse proxy, allowing the threat actor to intercept requests to and from the legitimate server, and to steal the session cookies. The cookies can then be used by the attacker to bypass non-phishing resistant MFA security when logging in using the victim’s credentials.
“The reverse proxy fetches all the content that can be dynamically generated like the login pages and then acts as the adversary in the middle by intercepting the requests and responses between the victim and the legitimate site,” Ramprasad said. “This helps in harvesting the session cookies.”
With account compromise typically being only the first stage in a threat group’s attack chain, this particular campaign could lead on to business email compromise attacks, in turn leading to identity theft, intellectual property theft or financial losses, Ramprasad said.
Menlo Labs had informed Indeed of the open redirect vulnerability, its active exploitation, and “the criticality and severity that this threat poses,” he said.
Campaign similar to scheme targeting Microsoft 365 accounts
A similar campaign using EvilProxy was revealed in August. It also targeted high-level executives, abusing trusted services including DocuSign and Adobe to target cloud-based Microsoft 365 accounts at more than 100 organizations collectively employing 1.5 million people.
EvilProxy’s platform is advertised and sold on the dark web with subscribers able to sign up to use in 10-, 20- and 31-day plans.
“One of the actors, known by the handle ‘John Malkovich,’ plays the role of an administrator and intermediary assisting customers who have purchased the service,” Ramprasad said.
He believed there was “a high probability” there would be a surge in usage of the service.
“It is easy to use with a simple interface with tutorials and documentation easily available on the dark web. The ability to circumvent MFA makes this a powerful tool in the arsenal for cybercriminals.”