Slick new phishing-as-a-service kit emerges

2022-09-06

Figure: EvilProxy attack flow (image: Resecurity)

EvilProxy covers accounts with most major brands.

Security researchers at Resecurity have detailed a new phishing-as-a-service kit, EvilProxy, that provides an easy to use interface to attack users with accounts for major online brands, and the ability to bypass multifactor authentication (MFA).

Reverse proxies that attack multifactor authentication, such as Modlishka, have been available for several years, but EvilProxy makes it possible to easily create and deliver advanced phishing links through a graphical user interface, Resecurity said.

EvilProxy sits between a victim and the real site the user is trying to connect to, capturing their valid session cookies, which bypasses the need to authenticate with user names, passwords and/or two-factor authentication tokens, the security vendor explained.

This includes accounts that have MFA enabled via SMS text messages or application-generated tokens.

Accounts with major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo and Yandex can be attacked with EvilProxy.

Resecurity said EvilProxy has been available since May this year and costs US$400 a month to rent.

CyberCX executive director of security testing and assurance Adam Boileau explained to iTnews that EvilProxy cannot bypass hardware key authentication.

"U2F, FIDO, and WebAuthn are cryptographically bound to the site they are authenticating to - there is some public/private key stuff and basically the challenge that the hardware key answers is signed, such that only the real site can process the response," Boileau said.

"The responsibility of understanding who you're authenticating to is taken out of human hands," he added.

Boileau said every other MFA scheme, such as one-time passwords and push notifications, requires humans to be involved in that choice.
