High-ranking corporate officials are now the prime targets for cybercriminals, as they intensify their use of the EvilProxy phishing kit in sophisticated account takeover attempts.
A recent report from Proofpoint disclosed an escalating hybrid campaign that used the EvilProxy toolkit to target Microsoft 365 user accounts. Between March and June 2023, nearly 120,000 phishing emails were sent to a vast array of institutions across the globe.
Of the users whose accounts were compromised, a significant 39% held executive roles, with 9% being CEOs and 17% CFOs. The campaign was also noticeably centered on individuals with access to critical financial data or confidential details. A substantial 35% of the affected users had additional layers of account protection enabled.
With many companies now leaning heavily on multi-factor authentication (MFA), cybercriminals are adapting their strategies. These adjustments include adopting adversary-in-the-middle (AitM) phishing toolkits, which relay the victim's login through an attacker-controlled proxy in order to clandestinely capture credentials, session tokens, and single-use passwords.
Proofpoint commented, “To instantly access high-profile accounts, cyberattackers now use sophisticated automation to immediately recognize when they’ve phished a key individual, while less valuable targets are often sidestepped.”
Initially spotlighted by Resecurity in September 2022, EvilProxy is advertised as capable of breaching accounts on several mainstream platforms, from Apple iCloud to Facebook and Microsoft. The toolkit is sold on a monthly subscription, priced at $400 and rising to $600 specifically for Google accounts.
In the words of Proofpoint researchers Shachar Gritzman, Moshe Avraham, Tim Kromphardt, Jake Gionet, and Eilon Bendet, “This user-friendly, cost-efficient platform has spurred a surge in successful MFA phishing ventures. All that’s needed nowadays is a straightforward setup for a campaign, complete with an array of customizable choices.”
The latest attack iteration is initiated by deceptive emails impersonating trusted services such as Adobe or DocuSign. These mails bait users into clicking on malicious URLs, which then trigger a series of redirections, leading victims to a fake Microsoft 365 sign-in page purpose-built to secretly harvest any entered data.
Interestingly, any traffic stemming from Turkish IP addresses is intentionally overlooked in these attacks, hinting at the possible Turkish origins of the campaign orchestrators.
On successfully breaching an account, attackers move swiftly to solidify their presence within the enterprise’s cloud environment. They register their own MFA methods on the account, giving them persistent, unmitigated access and facilitating further malicious activity such as data theft and the unauthorized sale of user details.
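The post-compromise step just described (a sign-in from an unfamiliar address followed shortly by registration of a new MFA method) is something a defender can look for in sign-in and audit logs. The following detection sketch is an added example and is not Proofpoint's code or part of the EvilProxy research; the log records are constructed, and the field and operation names are only loosely modelled on Microsoft 365 audit events, so treat them as assumptions rather than the real schema. The baseline of "known" IP addresses per user is likewise a constructed stand-in for whatever your sign-in history provides.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (field and operation names are an
# assumption, loosely modelled on M365 unified audit log output).
SAMPLE_EVENTS = """
{"CreationTime":"2023-06-01T08:02:11","Operation":"UserLoggedIn","UserId":"cfo@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success"}
{"CreationTime":"2023-06-01T08:10:40","Operation":"UserLoggedIn","UserId":"cfo@example.com","ClientIP":"203.0.113.50","ResultStatus":"Success"}
{"CreationTime":"2023-06-01T08:12:05","Operation":"User registered security info","UserId":"cfo@example.com","ClientIP":"203.0.113.50","ResultStatus":"Success"}
{"CreationTime":"2023-06-02T09:00:00","Operation":"UserLoggedIn","UserId":"dev@example.com","ClientIP":"198.51.100.9","ResultStatus":"Success"}
{"CreationTime":"2023-06-02T09:30:00","Operation":"User registered security info","UserId":"dev@example.com","ClientIP":"198.51.100.9","ResultStatus":"Success"}
"""

# Constructed baseline: addresses each user has signed in from before.
BASELINE_IPS = {
    "cfo@example.com": {"198.51.100.7"},
    "dev@example.com": {"198.51.100.9"},
}


def parse_events(text):
    """Parse newline-delimited JSON audit records, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["CreationTime"] = datetime.fromisoformat(ev["CreationTime"])
        events.append(ev)
    return sorted(events, key=lambda e: e["CreationTime"])


def detect_mfa_persistence(events, baseline_ips, window=timedelta(hours=1)):
    """Flag MFA-method registrations that follow, within `window`, a successful
    sign-in from an address not in the user's baseline. Returns a list of alerts."""
    new_ip_logins = defaultdict(list)  # user -> [(time, ip)] for unfamiliar addresses
    alerts = []
    for ev in events:
        if ev.get("ResultStatus") != "Success":
            continue
        user, ip, ts = ev["UserId"], ev["ClientIP"], ev["CreationTime"]
        if ev["Operation"] == "UserLoggedIn":
            if ip not in baseline_ips.get(user, set()):
                new_ip_logins[user].append((ts, ip))
        elif ev["Operation"] == "User registered security info":
            for login_ts, login_ip in new_ip_logins[user]:
                if timedelta(0) <= ts - login_ts <= window:
                    alerts.append({
                        "user": user,
                        "login_ip": login_ip,
                        "login_time": login_ts.isoformat(),
                        "registration_time": ts.isoformat(),
                        "registration_ip": ip,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_persistence(parse_events(SAMPLE_EVENTS), BASELINE_IPS):
        print("possible MFA persistence:", alert)
```

Running it flags only the `cfo@example.com` sequence: the sign-in from 203.0.113.50 is outside that user's baseline and is followed about ninety seconds later by a security-info registration, whereas `dev@example.com` registers a method from a familiar address and is left alone. In a real tenant the baseline should come from sign-in history rather than a hard-coded table, and such an alert is a trigger to review the new method and revoke sessions, not proof of compromise on its own.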
The researchers emphasized, “In our contemporary digital terrain, threats like EvilProxy are formidable and are rapidly overshadowing the outdated phishing tools of yesteryears. The stark reality is that even the trusted MFA isn’t impervious to these advanced cloud-centric threats.”
In parallel, Imperva recently disclosed details of an active phishing campaign of Russian origin that aims to dupe unsuspecting individuals and steal their financial credentials. This operation, active since May 2022, predominantly uses deceptive links in WhatsApp messages to reach its targets.
Moreover, eSentire has identified another modus operandi in which malicious actors approach marketing professionals on LinkedIn. Their objective is to distribute a .NET-based loader malware dubbed HawkEyes, which in turn launches Ducktail, an information-stealing malware strain that primarily targets Facebook Business accounts.