Everything you need to know about EvilProxy Attacks

An "Evil Proxy" is a malicious proxy server used by attackers to intercept and change the communication between a client and a legitimate server. It is also known as Phishing-as-a-Service (PhaaS), where the attackers attempt to deceive individuals into providing sensitive information such as usernames, passwords, and credit card numbers.

An Evil Proxy can be particularly dangerous as it uses Reverse Proxy and Cookie Injection methods to bypass two-factor from major vendors like GitHub, Apple, Okta, Microsoft and Google.

How it works

Evil Proxies operate on the Reverse Proxy principle, where the attacker leads the victim to click a malicious link that appears to look like a legitimate login page.

When the victim attempts to log in, the Evil Proxy forwards the authentication request to the actual service, simultaneously capturing the two-factor authentication (2FA) credentials through Cookie Injection.

To increase their chances of success, the attackers impersonate trusted services and apps, such as Concur Solutions, DocuSign, and Adobe.

Figure 1

The phishing URL including DocuSign is undetected by Virus Total

Here's another example of how the the Email Gateway security tool is bypassed using the "DocuSign" application as the email sender.

Figure 2

Email Security Gateway determined the phishing URL as clean

This allows attackers to utilize the captured cookie, granting them unauthorized access to the victim's account.

EvilProxy in Action

Follow the sequence below to see the code that can be used to launch an attack and how users are tricked into sharing their credentials:

1. Create a Fake Login Page: Set up a duplicate of the legitimate login page.
2. Configure Proxy Server: Use EvilProxy to set up a proxy to intercept traffic.
3. Send Phishing Link: Disguise a malicious link as a legitimate URL and send it to the victim.
4. Redirect to Fake Page: The victim clicks the link and is sent to the fake login page.
5. User Enters Credentials: Victim enters their login information, believing it's real.
6. Capture Credentials: EvilProxy logs the entered credentials.
7. Forward MFA Request: If MFA is enabled, EvilProxy forwards the MFA prompt to the attacker.
8. Attacker Retrieves MFA: The attacker can intercept or socially engineer the victim to share the MFA code.
9. Submit MFA Code: The attacker submits the MFA code to complete the login process.
10. Relay Login to Real Site: Forward the credentials and MFA code to the legitimate site to complete the login.
11. Exfiltrate Data: The attacker uses the credentials and MFA to access the victim's account and steal data.
12. Get Cookies from EvilProxy: Capture session cookies from the fake login process.
13. Insert Cookies into Real Site: The attacker inserts the captured cookies into their real session to maintain access without needing to log in again.

Figure 3

   import re

   # Example URLs to test
   urls = [
       "https://okta.loginmt.com/app/userhome?iss=https://okta.loginmt.com&session_hint=AUTHENTICATED",  # Legitimate
       "https://malicious-okta.com/app/userhome?iss=https://okta.com&session_hint=AUTHENTICATED",       # Potential Malicious
       "https://secure-okta.io/app/userhome?iss=https://secure-okta.io&session_hint=AUTHENTICATED",     # Legitimate
       "https://fake-okta.net/app/userhome?iss=https://okta.com&session_hint=AUTHENTICATED"             # Potential Malicious
   ]

   # Improved regex to extract host and iss domains
   pattern = r"^(?:https?:\/\/)?([a-zA-Z0-9.-]+)(?:\/|$).*?[&?]iss=https?:\/\/([a-zA-Z0-9.-]+)"

   print("Malicious URLs:")
   for url in urls:
       match = re.search(pattern, url)
       if match:
           host_domain = match.group(1)
           iss_domain = match.group(2)
           # Flag malicious if host and iss domains don't match
           if host_domain != iss_domain:
               print(f"- {url} (Host: {host_domain}, Iss: {iss_domain})")

Threat Intelligence and OSINT

Another method in mitigating potential threats is to utilize Threat Intelligence sources in identifying malicious actors and assess risks associated with suspicious domains. It also investigates known domains linked to harmful activities and searches for domains that are similar to your organization URL.

Integrating Indicators of Compromise (IOCs) into various systems, such as SIEM, SOAR, Email gateway, EDR, within an organization's security infrastructure is crucial for enhancing threat detection and enabling fast response capabilities.

• Indicators of Compromise (IoCs) - EvilProxy
  The Indicators of Compromise (IoCs) for EvilProxy are continually updated as new threats are detected, for the latest information, refer to this direct link to the IoCs.

Figure 5

Flow of how attacks that initially appear clean are later identified as malicious

The Email Gateway and Web Traffic monitoring systems initially flagged the attack domain as "clean," meaning they did not detect it as a threat. The Identity Management system, however, identified suspicious activity related to this domain and partially blocked it based on the detected anomaly.

Using this information, the SOAR system can dynamically classify the domain as "malicious" and take action to block it fully, enhancing the security response.

Microsoft 365

There are a number of steps that can be taken to protect against potential attacks through proper configuration of Microsoft Office:

• Organizations should implement conditional access through their Microsoft Office License, limiting access to specific devices, locations, or other resources.
• Deny access to suspicious devices by configuring Microsoft Intune to deny access to untrusted devices.

Enhance Employee Awareness

Educating employees about security risks, including phishing and smishing tactics can go a long way towards prevention of successful attacks.Regular training sessions, gamified events and simulated attacks can all significantly reduce the risk of compromising your organization..

Least Privilege Principle

The concept here is that users, processes, and systems should only be granted the minimum levels of access necessary to perform their tasks. Benefits of this approach include:

• Grants users access only to the resources necessary for their specific organizational roles.
• Minimizes potential damage if an account is compromised.
• Enhances overall security by reducing the risk of unauthorized access to sensitive information.
• Decreases the attack surface, making it more difficult for malicious actors to exploit vulnerabilities.
• Requires regular reviews and updating of access permissions as user roles and responsibilities evolve.

By limiting permissions, this principle helps minimize the potential damage that can occur if a system is compromised.

Conclusion

Threat actors are continually looking for new methods to steal legitimate user credentials and gain entry to user accounts, aiming to access sensitive information. New methods and techniques are constantly being adapted to counter the latest security techniques and methodologies, such as multi-factor authentication.

As we have seen, there is no protective scheme, not even MFA that acts as a silver bullet against all possible threats. That's why it's probably a good idea to take a tour or set up a demo to see how JFrog's Advanced Security solutions can protect your organizations from potential attacks today and in the future.

Public link

Please use the above public link if you want to share this noodl on another website.