EvilProxy + Cloudflare: A new era of sophisticated phishing

Step-by-step tutorials make complex attacks accessible to everyone.

The developers of the EvilProxy phishing kit have written, and are actively distributing, step-by-step instructions on how to use legitimate Cloudflare services to hide malicious traffic. Guides like these put capabilities that once required real expertise into the hands of criminals with little technical skill.

EvilProxy, a reverse-proxy phishing toolkit, has been sold on underground markets since mid-2022. According to Daniel Blackford, director of threat research at Proofpoint, about a million EvilProxy-related threats are recorded every month. He notes that the service lowers the bar for setting up phishing campaigns and comes with support through a Telegram channel and training videos on YouTube.

In recent months, Proofpoint has seen a sharp rise in campaigns that combine EvilProxy with Cloudflare services to mask their traffic. Putting Cloudflare in front of the phishing infrastructure lets criminals screen out automated scanners and security crawlers and serve the phishing page only to the intended victims, which makes the attacks both harder to detect and more effective.

Last summer, Proofpoint warned about an active campaign that used EvilProxy to send about 120,000 phishing emails to hundreds of organizations around the world. The main targets were senior managers, as their credentials provide access to the most valuable resources.

Attacks start with a phishing email that impersonates a trusted service such as Cloudflare, Adobe, or DocuSign. The email contains a link that redirects the user through a legitimate site, such as YouTube or SlickDeals, so the URL that email filters and users see belongs to a trusted domain and the malicious destination is harder to spot.

After several redirects, the user lands on a phishing page that mimics the Microsoft login page. EvilProxy sits between the victim and the real login service as a reverse proxy, relaying every request and response, so the victim completes a genuine login, including the MFA prompt, while the attacker captures the session cookies and multi-factor authentication tokens the service issues.

Although most EvilProxy campaigns are not attributed to specific groups, Proofpoint has observed the tool in use by TA4903 and TA577. TA577 previously distributed the QBot (Qakbot) malware, and TA4903 is known for business email compromise attacks. Both groups used EvilProxy to steal credentials.

Last October, Menlo Security also reported an EvilProxy campaign aimed at senior management at companies in the banking, insurance and real estate sectors. Since then, the EvilProxy developers have improved the service, adding bot-detection features and the ability to test messages before sending.

Menlo Security researcher Ravisankar Ramprasad noted at the time that EvilProxy remains one of the most widely used phishing platforms, alongside NakedPages, Greatness and Tycoon 2FA. More recently, attackers have also begun abusing popular sites as redirectors to their phishing pages to make the attacks stealthier.

To protect against such threats, experts recommend phishing-resistant FIDO2 hardware security keys, which bind each credential to the legitimate site's origin so that an authentication relayed through a proxy on a lookalike domain is rejected, together with cloud-based tooling that detects compromised accounts. Raising user awareness and running regular employee training remain important as well.
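The attack chain described above (password and MFA code relayed through the reverse proxy, session cookie captured) and the FIDO defence recommended here can be shown side by side in a small simulation. The following is an added example, not EvilProxy code or anything from Proofpoint or Menlo Security; the origins, user, credentials and cookie name are all made up, and an HMAC stands in for the public-key signature a real FIDO authenticator would produce. Everything else, including the origin check that defeats the proxy, follows how WebAuthn actually works.

```python
"""Why a reverse-proxy phishing kit captures OTP-based MFA logins but not FIDO2 ones.

Constructed simulation; hypothetical origins and credentials throughout.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LEGIT_ORIGIN = "https://login.example.com"         # hypothetical real login service
PHISH_ORIGIN = "https://login.example-secure.com"  # hypothetical lookalike run by the kit

USER = "ceo@example.com"                           # constructed victim
PASSWORD = "correct horse battery staple"
TOTP_CODE = "482913"                               # what the victim reads off their phone
AUTHENTICATOR_KEY = secrets.token_bytes(32)        # stand-in for the FIDO private key


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None


class IdentityProvider:
    """Toy IdP at LEGIT_ORIGIN accepting password+TOTP or a WebAuthn-style assertion."""

    def __init__(self) -> None:
        self.sessions: Set[str] = set()
        self.challenges: Set[str] = set()

    def _new_session(self) -> Response:
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return Response(200, "welcome", set_cookie=f"SESSION={token}")

    def login_totp(self, user: str, password: str, code: str) -> Response:
        # Shared secrets are just strings; the IdP cannot tell whether the victim
        # or a proxy in the middle submitted them.
        if user == USER and password == PASSWORD and code == TOTP_CODE:
            return self._new_session()
        return Response(401, "bad credentials")

    def webauthn_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, client_data_json: bytes, signature: bytes) -> Response:
        client_data = json.loads(client_data_json)
        if client_data.get("challenge") not in self.challenges:
            return Response(401, "unknown challenge")
        # Decisive check: the browser wrote the origin it was really on into the
        # signed clientDataJSON, so a relayed assertion carries the phishing origin.
        if client_data.get("origin") != LEGIT_ORIGIN:
            return Response(401, "origin mismatch: " + str(client_data.get("origin")))
        digest = hashlib.sha256(client_data_json).digest()
        expected = hmac.new(AUTHENTICATOR_KEY, digest, "sha256").digest()
        if not hmac.compare_digest(expected, signature):
            return Response(401, "bad signature")
        self.challenges.discard(client_data["challenge"])
        return self._new_session()


def browser_webauthn_assertion(page_origin: str, challenge: str) -> Tuple[bytes, bytes]:
    """The browser, not the page, fills in `origin`; the authenticator signs over it.
    HMAC replaces the real public-key signature to keep the example self-contained."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    digest = hashlib.sha256(client_data_json).digest()
    return client_data_json, hmac.new(AUTHENTICATOR_KEY, digest, "sha256").digest()


class PhishingReverseProxy:
    """Serves PHISH_ORIGIN, relays every request to the real IdP, keeps any cookie."""

    def __init__(self, upstream: IdentityProvider) -> None:
        self.upstream = upstream
        self.stolen_cookies: List[str] = []

    def _relay(self, resp: Response) -> Response:
        if resp.set_cookie:
            self.stolen_cookies.append(resp.set_cookie)  # the attacker's prize
        return resp

    def post_totp(self, user: str, password: str, code: str) -> Response:
        return self._relay(self.upstream.login_totp(user, password, code))

    def get_challenge(self) -> str:
        return self.upstream.webauthn_challenge()

    def post_webauthn(self, client_data_json: bytes, signature: bytes) -> Response:
        return self._relay(self.upstream.login_webauthn(client_data_json, signature))


def totp_through_proxy() -> Tuple[int, List[str], bool]:
    """Victim logs in with password + TOTP on the phishing domain."""
    idp, proxy = IdentityProvider(), PhishingReverseProxy(IdentityProvider())
    proxy.upstream = idp
    resp = proxy.post_totp(USER, PASSWORD, TOTP_CODE)
    cookie_is_live = any(c.split("=", 1)[1] in idp.sessions for c in proxy.stolen_cookies)
    return resp.status, proxy.stolen_cookies, cookie_is_live


def fido_through_proxy() -> Tuple[int, List[str]]:
    """Victim taps their security key on the phishing domain; browser signs PHISH_ORIGIN."""
    idp = IdentityProvider()
    proxy = PhishingReverseProxy(idp)
    cdj, sig = browser_webauthn_assertion(PHISH_ORIGIN, proxy.get_challenge())
    return proxy.post_webauthn(cdj, sig).status, proxy.stolen_cookies


def fido_direct() -> int:
    """Same key, same user, but on the real origin: accepted."""
    idp = IdentityProvider()
    cdj, sig = browser_webauthn_assertion(LEGIT_ORIGIN, idp.webauthn_challenge())
    return idp.login_webauthn(cdj, sig).status


if __name__ == "__main__":
    print("TOTP via proxy:", totp_through_proxy())   # 200, one live cookie stolen
    print("FIDO via proxy:", fido_through_proxy())   # 401, nothing stolen
    print("FIDO direct:   ", fido_direct())          # 200
```

The TOTP path succeeds for the victim and hands the proxy a session cookie that is valid against the real service, which is exactly the failure mode described for the Microsoft-lookalike pages above. The FIDO path fails at the origin comparison before any signature is even checked; the attacker can relay the bytes, but cannot change what the victim's browser recorded as the origin without breaking the signature. A real deployment additionally verifies the rpIdHash in the authenticator data and the credential's registered public key, which this toy omits.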
