"VoidProxy" PhishKit targets Google and Microsoft users

Can bypass common multi-factor authentication.

Okta's Threat Intelligence security researchers have discovered and analysed what they describe as an advanced phishing platform that bypasses multi-factor authentication (MFA) and lowers the technical barrier to entry for attackers.

Image: Admin login page for VoidProxy

Targeting Microsoft and Google accounts, the phishing-as-a-service (PhaaS) platform, named VoidProxy, can circumvent MFA methods such as short messaging service (SMS) codes, and one-time passwords (OTPs), Okta said.

VoidProxy uses adversary-in-the-middle (AitM) phishing, with lure emails sent through legitimate email providers but from compromised accounts.

The phishing sites are hosted on low-cost top level domains such as .icu, .sbs, .cfd, .xyz, .top, and .home, Okta researcher Houssem Eddine Bordjiba said, and serve content from behind the Cloudflare reverse proxy provider to hide their actual Internet Protocol addresses.

Evasion techniques such as multiple redirections before the targeted victim lands on the replica of the Microsoft or Google login portal are employed; VoidProxy uses Cloudflare CAPTCHA to ensure that only human users, rather than automated scanners, click through the phishing attack flow.

The PhaaS kit is also set up to use Cloudflare's lightweight programmable proxy endpoints, Workers, to further hide the VoidProxy infrastructure beneath another layer.

Using Cloudflare Workers to inspect incoming traffic also makes it harder for security analysts to reach the real phishing site, and lets the kit dynamically block them if VoidProxy detects suspicious patterns.

Once a user has been tricked into supplying their credentials, those whose accounts are federated and set up to use single sign-on (SSO) are redirected to second-stage landing pages, whereas VoidProxy sends non-federated users directly to the Microsoft and Google servers.

At the final stage of the attack, the PhaaS affiliate deploying the VoidProxy attack steals session cookies through an AitM reverse proxy running via ephemeral infrastructure with dynamic domain name services (DNS), after users have authenticated with legitimate services.

VoidProxy has an administrative panel for PhaaS users, providing them with detailed information about their phishing campaign efforts.

“This… phishing infrastructure is fairly advanced both in terms of MFA bypass capabilities and the way in which it was concealed from analysis until now,” Okta Threat Intelligence vice president Brett Winterford said.

Okta said phishing-resistant authenticators such as passkeys, hardware security keys and smart cards prevent users from sharing credentials with, or signing in via, the VoidProxy infrastructure.
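Why passkeys defeat an AitM proxy like VoidProxy comes down to origin binding: the browser, not the page, writes the origin it actually loaded into the signed client data, so an assertion produced on a phishing domain cannot be replayed to the real service. The following added example (not code from Okta or from the article) models the relying party's check with the standard library only; the origins, the challenge and the HMAC used as a stand-in for the authenticator's ECDSA signature are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed sample values: the legitimate relying party (RP) origin and a
# hypothetical phishing origin on a low-cost TLD of the kind described above.
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-sso.icu"

# Stand-in for the authenticator's private key. Real authenticators use an
# asymmetric key (e.g. ECDSA P-256); HMAC is used only so this runs offline.
# The property shown is identical: the signature covers
# authenticatorData || SHA-256(clientDataJSON), and clientDataJSON holds the origin.
AUTHENTICATOR_SECRET = b"constructed-demo-key"
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; RPs issue one per login
AUTH_DATA = b"\x00" * 37                    # minimal stand-in for authenticatorData


def browser_builds_client_data(challenge: str, origin_seen_by_browser: str) -> bytes:
    """The browser fills in the origin it really loaded; the page cannot override it."""
    data = {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser}
    return json.dumps(data, sort_keys=True).encode()


def authenticator_sign(authenticator_data: bytes, client_data: bytes) -> bytes:
    """Sign authenticatorData || SHA-256(clientDataJSON), as a FIDO authenticator does."""
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    return hmac.new(AUTHENTICATOR_SECRET, signed, hashlib.sha256).digest()


def rp_verify(expected_challenge: str, authenticator_data: bytes,
              client_data: bytes, signature: bytes) -> bool:
    """Relying-party side: check type, challenge, origin, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # origin binding: this is what stops AitM relays
        return False
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(AUTHENTICATOR_SECRET, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def login_attempt(origin_seen_by_browser: str) -> bool:
    """A user signs in from the given origin; the assertion is relayed unchanged to the RP."""
    client_data = browser_builds_client_data(CHALLENGE, origin_seen_by_browser)
    return rp_verify(CHALLENGE, AUTH_DATA, client_data, authenticator_sign(AUTH_DATA, client_data))


def proxy_tampers_with_origin() -> bool:
    """A relay that patches the origin after signing fails the hash-covered signature check."""
    client_data = browser_builds_client_data(CHALLENGE, PROXY_ORIGIN)
    sig = authenticator_sign(AUTH_DATA, client_data)
    patched = browser_builds_client_data(CHALLENGE, RP_ORIGIN)
    return rp_verify(CHALLENGE, AUTH_DATA, patched, sig)
```

A production RP would additionally verify the rpIdHash inside authenticatorData and the signature counter; the origin and signature checks shown are the ones that make a proxied login fail.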

The identity management vendor also suggested access restrictions, and training users to recognise suspicious emails, phishing sites and the common social engineering tactics used by attackers, and making it easy for them to report these.

Multiple MFA bypassing phishing platforms have emerged over the past few years, such as the EvilProxy kit with a graphical user interface from 2022, and the newer Salty2FA PhaaS platform that was discovered this year.

Copyright © iTnews.com.au . All rights reserved.