Cybercriminals Using EvilProxy Phishing Kit to Target Senior Executives in U.S. Firms

A fresh phishing campaign is actively targeting senior executives within U.S.-based organizations. This campaign employs a well-known adversary-in-the-middle (AiTM) phishing tool called EvilProxy, designed for credential harvesting and account takeover attacks. Cybersecurity firm Menlo Security has been monitoring this activity since its onset in July 2023. The targets are predominantly in the banking, financial services, insurance, property management, real estate and manufacturing sectors.

The threat actors orchestrating this campaign have exploited an open redirection vulnerability in the popular job search platform ‘indeed.com.’ This allows them to redirect unsuspecting victims to malicious phishing pages masquerading as Microsoft’s official login pages, as stated in a report by security researcher Ravisankar Ramprasad published last week.

EvilProxy, initially documented by Resecurity in September 2022, operates as a reverse proxy. It positions itself between the victim and a legitimate login page, facilitating the interception of credentials, two-factor authentication (2FA) codes, and session cookies. These ill-gotten assets are then employed to hijack targeted accounts.

The actors responsible for this AiTM phishing kit are identified by Microsoft as Storm-0835. They are believed to have numerous customers, with cybercriminals paying monthly licensing fees ranging from $200 to $1,000 USD for access to the service and conducting daily phishing campaigns with it. Because so many different actors use the same service, attributing specific campaigns to individual actors is challenging.

In this recent wave of attacks, Menlo Security has documented how victims receive phishing emails containing deceptive links pointing to the job search platform Indeed. These links, however, redirect the unsuspecting individuals to an EvilProxy page designed for credential harvesting. This is facilitated by exploiting an open redirect flaw, which arises when a website accepts a user-supplied destination without validating it, allowing the site to send users on to arbitrary external web pages under its own trusted domain.

The subdomain ‘t.indeed.com’ is manipulated with parameters that redirect the client to a different target, such as ‘example.com,’ as explained by Ramprasad. The query string of the URL, the part after the ‘?,’ combines parameters specific to indeed.com with a target parameter. That target parameter carries the destination URL, so users who follow the link end up at ‘example.com.’ In a real attack scenario, this redirection leads users to a phishing page.
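One defensive check that follows from this pattern is to inspect links in inbound mail for a query parameter on a trusted host whose value is itself a full URL to a different host. The example below is added here and is not code from the article, Menlo Security or Indeed; the hostnames, the ‘target’ parameter name and the sample links are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample links modelled on the redirect pattern described above.
# Hostnames and the "target" parameter name are placeholders, not Indeed's real ones.
SAMPLE_LINKS = [
    "https://t.trusted-site.example/click?jk=abc123&target=https%3A%2F%2Fexample.com%2Flogin",
    "https://t.trusted-site.example/click?jk=abc123&target=%2Fjobs%2Fview%3Fid%3D42",
    "https://t.trusted-site.example/click?jk=abc123&target=//example.com/login",
    "https://t.trusted-site.example/click?jk=abc123&target=https%3A%2F%2Ft.trusted-site.example%2Fjobs",
    "https://t.trusted-site.example/click?jk=abc123",
]


def external_redirect_targets(link: str) -> list[tuple[str, str]]:
    """Return (parameter, host) pairs for query values that point off-site.

    A value counts as an off-site redirect when it parses as an absolute URL
    (http/https, or scheme-relative "//host/...") whose host differs from the
    host of the link itself. Relative paths are treated as on-site.
    """
    parsed = urlparse(link)
    link_host = (parsed.hostname or "").lower()
    findings = []
    # parse_qs percent-decodes the values, so an encoded "https%3A%2F%2F..." becomes a URL
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            value = value.strip()
            # Give scheme-relative values a scheme so urlparse exposes their host
            candidate = "https:" + value if value.startswith("//") else value
            target = urlparse(candidate)
            if target.scheme not in ("http", "https") or not target.hostname:
                continue
            if target.hostname.lower() != link_host:
                findings.append((name, target.hostname.lower()))
    return findings


def flag_links(links: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Map each link that carries an off-site redirect to its findings."""
    flagged = {}
    for link in links:
        hits = external_redirect_targets(link)
        if hits:
            flagged[link] = hits
    return flagged


if __name__ == "__main__":
    for link, hits in flag_links(SAMPLE_LINKS).items():
        print(f"{link} -> redirects to {', '.join(h for _, h in hits)}")
```

A hit only means the trusted host is being used as a hop, so the reported destination host, not the link host, is the one to check against reputation data or block lists.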

This development coincides with threat actors employing Dropbox to host counterfeit login pages featuring embedded URLs. When users click on these URLs, they are rerouted to fraudulent websites designed to steal Microsoft account credentials. This tactic is often used in business email compromise (BEC) schemes. Such attacks are categorized as BEC 3.0 and are known for their complexity, which makes them challenging to detect and thwart for both security services and end users.

Microsoft’s Digital Defense Report acknowledges the evolution of threat actors’ social engineering techniques, the utilization of technology, and cloud-based infrastructure to orchestrate more sophisticated and costly BEC attacks. This involves exploiting trusted business relationships.

In a related context, the Police Service of Northern Ireland has issued a warning regarding the surge in “qishing” emails. These emails involve sending a PDF document or a PNG image file containing a QR code to bypass detection and deceive victims into visiting malicious websites and credential harvesting pages.

Megafea Editors