What are reverse proxies?
Reverse proxies are servers that sit between the user and a legitimate authentication endpoint (for example, a company’s login form). When a user lands on such a phishing page, the reverse proxy displays the legitimate login form, forwards requests, and returns responses from the company’s website, which makes the page look less suspicious to the user. Moreover, when the victim enters their credentials and MFA code on the phishing page, these are forwarded to the company’s actual server, so the user is logged in without any cause for concern and a session cookie is returned.
However, it is important to note that the hacker’s proxy sits between the user and the company’s server, so it can also steal the session cookie that contains the authentication token. The hacker then uses this authentication cookie to log in to the site, impersonating the user, and can even bypass the configured multi-factor authentication protections.
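From the defender's side, the cookie replay described above appears in server logs as a session token used by a client other than the one it was issued to. The following Python example is added here and is not part of the original article; the log fields, session IDs and addresses are constructed, and a changed IP or user agent is a signal to investigate rather than proof, since mobile clients change networks legitimately.

```python
# Constructed sample of server-side session events (not real logs).
# Fields: ISO timestamp, session id, client IP, user agent, event type.
SAMPLE_EVENTS = [
    ("2022-09-05T10:00:01", "sess-A", "198.51.100.7", "Chrome/104 Windows", "issued"),
    ("2022-09-05T10:00:09", "sess-A", "198.51.100.7", "Chrome/104 Windows", "request"),
    ("2022-09-05T10:04:30", "sess-A", "203.0.113.50", "Firefox/103 Linux", "request"),
    ("2022-09-05T10:01:00", "sess-B", "192.0.2.15", "Safari/15 macOS", "issued"),
    ("2022-09-05T10:20:00", "sess-B", "192.0.2.15", "Safari/15 macOS", "request"),
    ("2022-09-05T10:30:00", "sess-C", "192.0.2.99", "curl/7.85", "request"),
]


def find_replayed_sessions(events):
    """Flag sessions used by a client other than the one they were issued to."""
    issued_to = {}                    # session id -> (ip, user agent) at issuance
    findings, flagged = [], set()
    for ts, sid, ip, ua, event in sorted(events):   # ISO timestamps sort in time order
        client = (ip, ua)
        if event == "issued":
            issued_to[sid] = client
            continue
        origin = issued_to.get(sid)
        if origin is None:
            reason = "no issuance record"           # token never seen being issued
        elif origin == client:
            continue                                # same client that authenticated
        else:
            changed = [n for n, a, b in (("ip", origin[0], ip), ("user_agent", origin[1], ua)) if a != b]
            reason = "changed: " + ",".join(changed)
        if (sid, client) not in flagged:            # report each (session, client) pair once
            flagged.add((sid, client))
            findings.append({"session": sid, "first_seen": ts, "ip": ip, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print(finding)
```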
How is EvilProxy different from other phishing frameworks?
EvilProxy reportedly allows hackers to set up and manage phishing campaigns, and makes those campaigns much easier to deploy. Moreover, the platform offers detailed tutorial videos, a user-friendly graphical interface and a list of cloned phishing pages for popular internet services.
Hackers can pay $400 for a month-long campaign on the platform, which promises to steal usernames, passwords and session cookies. Moreover, the report has also shared videos demonstrating how EvilProxy steals data from Google and Microsoft accounts protected by 2FA. Apart from this, EvilProxy is also rumoured to offer different tools to filter out unwanted visitors on the phishing sites hosted by the platform.
More hackers are now turning to reverse-proxy tools as MFA adoption continues to increase. The availability of platforms that automate everything for the attackers is not good news for security professionals, network admins and, most importantly, the end users.