A small (but important) public service announcement: a new phishing-as-a-service (PaaS) model is commoditizing complex phishing attacks.
I’ll touch on the details below, but here’s the most important thing to know: it’s now possible for anyone to perform a sophisticated phishing attack – which can bypass strong passwords and 2FA protection – with little cost and almost no experience necessary.
The protection from this attack is relatively simple, though:
Never click on links in emails or text messages.
How it Works
The attack works by an attacker sending the target a link to a phishing page via email or text. This page uses a reverse proxy to relay images and content from the legitimate page (creating an almost exact duplicate of a real login page) and to collect all the information the user sends to the (authentic-looking) phishing page. The only real way to tell the phishing page from the real webpage is to carefully inspect the URL bar, which is a habit most users do not have.
The collected information can include usernames, passwords, 2FA tokens, and even authentication cookies. While stealing login credentials is bad, collecting the actual authentication cookie allows an attacker to log in to a victim’s account without needing to provide any credentials or 2FA tokens. This completely bypasses the protections offered by 2FA after just a single mistake from a user.
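As an added illustration that is not part of the original post: a small Python detector for the cookie-theft signature described above. It assumes a constructed sign-in log (the format and field names are my own) where each session records the IP that passed the MFA challenge and every later use of that session; a session presented from a different IP than the one that completed MFA is flagged for triage.

```python
# Added example, not from the original post. Flags sessions that completed MFA
# from one IP and were later presented from another IP: the pattern left behind
# when a stolen authentication cookie is replayed from the attacker's machine.
# Log format is constructed: ts,user,session_id,ip,event
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    ip: str
    event: str  # "mfa_passed" or "session_used"

def parse_line(line: str) -> SignInEvent:
    ts, user, session_id, ip, event = line.strip().split(",")
    return SignInEvent(datetime.fromisoformat(ts), user, session_id, ip, event)

def find_session_replays(lines, window=timedelta(hours=24)):
    """Return (user, session_id, mfa_ip, replay_ip) for every session that was
    used from an IP other than the one that passed MFA within `window`.
    An IP change alone is only a signal (mobile networks, VPNs), so the result
    is a triage list, not a verdict."""
    mfa_origin = {}          # session_id -> event that completed MFA
    alerts, seen = [], set()
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    for ev in events:
        if ev.event == "mfa_passed":
            mfa_origin[ev.session_id] = ev
        elif ev.event == "session_used":
            origin = mfa_origin.get(ev.session_id)
            if origin and origin.ip != ev.ip and ev.ts - origin.ts <= window:
                key = (ev.session_id, ev.ip)
                if key not in seen:           # report each replay source once
                    seen.add(key)
                    alerts.append((ev.user, ev.session_id, origin.ip, ev.ip))
    return alerts

# Constructed sample log: alice's session is replayed from a second IP,
# bob's session only ever appears from the IP that passed MFA.
SAMPLE_LOG = """\
2022-09-06T09:00:00,alice,sess-a1,198.51.100.7,mfa_passed
2022-09-06T09:01:10,alice,sess-a1,198.51.100.7,session_used
2022-09-06T09:45:00,alice,sess-a1,203.0.113.25,session_used
2022-09-06T09:50:00,alice,sess-a1,203.0.113.25,session_used
2022-09-06T10:00:00,bob,sess-b7,192.0.2.44,mfa_passed
2022-09-06T10:05:00,bob,sess-b7,192.0.2.44,session_used
"""

if __name__ == "__main__":
    for user, sid, mfa_ip, replay_ip in find_session_replays(SAMPLE_LOG.splitlines()):
        print(f"possible cookie replay: {user} session {sid} MFA from {mfa_ip}, used from {replay_ip}")
```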
This kind of attack is called a “man-in-the-middle” attack, and you can see the attack flow in this image from the Resecurity blog entry:
What it Means for You
This new “phishing-as-a-service” attack will certainly increase the number of successful cyberattacks against big and small businesses and individuals. If you’re not taking steps to secure your digital business and personal accounts, you should be.
But maybe the worst thing is that, at the moment, EvilProxy is just a single service. Its success will likely lead to copycat businesses that will try to compete with lower costs or better features. I imagine that within 3-6 months we’ll all be seeing a noticeable uptick in phishing email and text message attacks.
Remember that the only way to prevent this attack is by never clicking on the link in the first place. If you get an email about your account from Gmail, Microsoft, LinkedIn, your bank, etc., always navigate directly to that site in your web browser to investigate. Never click a link in an email or text message (even if it looks authentic).