To connect to services like Gmail, Facebook, Microsoft or Google Docs, it is strongly recommended to manually activate two-factor authentication (also called double authentication), a real security guarantee. The principle is simple: in addition to the usual username and password, the user must provide a second code to prove that they really are the account holder. Generally, this means entering a code sent by SMS to the registered mobile number, or using an authentication app or service. So if a malicious person tries to access the account with the username and password, an additional step stands between them and the data. In short, very useful against phishing!
The problem is that hackers constantly renew their techniques and develop new strategies. The latest: the EvilProxy service, also known as Moloch, which automates phishing attacks and bypasses accounts protected by two-factor authentication on the most popular sites and online services, such as Apple, Google, Microsoft, WordPress, LinkedIn or Twitter. EvilProxy is all the more worrying because advertisements for the service abound on major hacker forums and target novice hackers, who would not otherwise have the skills or knowledge to take on such Internet giants. This discovery, made by security researchers at Resecurity, goes hand in hand with the rise in attacks against online services and two-factor authentication mechanisms.
An all-in-one hacking platform
The first mention of EvilProxy was detected in May 2022, and its popularity has only grown since then. One reason is that it is very easy to use, even for novice hackers. You simply choose the type of account to attack (Google, Meta, Yahoo, Dropbox…) and take out a subscription: 150 dollars for 10 days, 250 dollars for 20 days and 400 dollars for 31 days, paid via Telegram. Note that attacks against Google accounts are more expensive, going up to 600 dollars. The malicious customer then configures and manages their phishing campaigns from the platform, while EvilProxy takes care of setting up the whole attack infrastructure and creating very faithful fake login pages.
These fake pages play a central role in the operation. It all starts with a classic phishing campaign: the hacker impersonates the targeted service (Facebook, Google and company) and contacts the victim by email, SMS, instant messaging or social networks with a message containing a fraudulent link. The victim clicks on it and lands on a fake login page that prompts them to enter their credentials. And that is where EvilProxy gets clever: the fake page is a proxy server that acts as an intermediary between the victim and the targeted site, collecting all the identification information along the way. When the person enters their credentials, the proxy forwards them to the legitimate website. The site sends its two-factor authentication request back to the proxy, which in turn passes it on to the victim. The victim sends the second-factor code to the proxy, which forwards it to the website, which in turn hands the proxy access to the account. In short, EvilProxy plays the role of a hidden intermediary.
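As an added illustration (not from the article or from Resecurity), this Python model plays through the exchange above with constructed values and shows why a relayed SMS or app code succeeds while a second factor bound to the site's origin, as FIDO2/WebAuthn keys are, is rejected by the real site:

```python
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.example.com"   # constructed legitimate site
PROXY_ORIGIN = "https://login.examp1e.com"   # constructed look-alike proxy

class Service:
    """Legitimate site: password step, then one of two kinds of second factor."""
    def __init__(self, password, sms_code, device_key):
        self.password, self.sms_code, self.device_key = password, sms_code, device_key
        self.challenge = None

    def step1_password(self, pw):
        if pw != self.password:
            return None
        self.challenge = secrets.token_hex(8)  # fresh 2FA challenge for this login
        return self.challenge

    def step2_code(self, code):
        # SMS/app code: whoever learns the digits can forward them unchanged.
        return "session-cookie" if code == self.sms_code else None

    def step2_origin_bound(self, signature):
        # Origin-bound factor (models FIDO2/WebAuthn): the device signs the challenge
        # together with the origin the browser is on; the site accepts only a
        # signature made for its own origin.
        expected = device_sign(self.device_key, self.challenge, LEGIT_ORIGIN)
        return "session-cookie" if hmac.compare_digest(signature, expected) else None

def device_sign(device_key, challenge, origin_seen):
    """Victim's authenticator: signs (challenge, origin shown in the browser)."""
    return hmac.new(device_key, (challenge + origin_seen).encode(), hashlib.sha256).hexdigest()

def relayed_code_login(service, pw, code):
    """Proxy forwards the password, relays the challenge, forwards the typed code."""
    if service.step1_password(pw) is None:
        return None
    return service.step2_code(code)  # typed on the fake page, passed straight through

def relayed_origin_bound_login(service, pw, device_key):
    """Same relay, but the victim's browser is on the proxy's domain."""
    challenge = service.step1_password(pw)
    if challenge is None:
        return None
    signature = device_sign(device_key, challenge, PROXY_ORIGIN)  # bound to wrong origin
    return service.step2_origin_bound(signature)  # the real site rejects it
```

The code path hands the proxy a session because the six digits carry no information about where they were typed; the origin-bound path fails because the proxy cannot produce a signature for the legitimate origin without the victim's device key.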
Within reach of all hackers
Unlike other attacks of this kind, known as man-in-the-middle (MITM) attacks, EvilProxy offers an accessible and even user-friendly approach. Once subscribed to the service, hackers receive instructional videos and detailed tutorials on how to use the tool. The interface is clear and makes campaigns easy to configure. “Leasing EvilProxy is quick to learn; cybercriminals then have a cost-effective and scalable solution to perform advanced phishing campaigns aimed at compromising consumers of popular online services that have multi-factor authentication enabled,” says Resecurity. This demonstrates the improvement of the arsenal available to hackers and the growing sophistication of their campaigns, to the chagrin of Internet users.