EvilProxy, a new phishing tool that bypasses Multi-Factor Authentication (MFA), is causing a spike in Business Email Compromise (BEC) cases.
What is EvilProxy?
The Radius Incident Response team has recently observed a significant increase in the number of Business Email Compromise (‘BEC’) cases ending in attempted payment fraud.
Most of these cases appear to be linked to a global phishing campaign using a new tool – called EvilProxy – used to bypass most forms of multi-factor authentication (‘MFA’) and compromise user accounts.
Below is a real-world example of how an Irish firm was defrauded recently using the EvilProxy attack method.
How did it happen?
An email was sent to the business by the threat actors, purporting to be from another Irish business, but it was blocked by the email spam filtering system and went into quarantine.
As the end user thought they recognised the business name in the quarantined email, they released the email from quarantine into their mailbox.
That email contained a link purporting to lead to a file containing supposed transaction details. The user clicked on the link and was brought to a web page that looked like the Microsoft O365 login page, where they were asked to verify their username and password. The user entered the details, assuming it was a legitimate Microsoft login page, while in the background the threat actor's “EvilProxy” code was automatically installed on the end user's PC.
The threat actor now had the details needed to get into the user's mailbox and carry out the scam. Once the link was clicked and the credentials entered, there was no requirement to input 2FA details, as the EvilProxy code bypasses that step and any future 2FA / MFA requirements.
What happened next?
The threat actors now had unfettered access to the mailbox. They could monitor emails coming and going and gather information on pending sales, invoices, and bank transfers. They replicated company stationery, including email signatures, as well as editing and deleting incoming and outgoing emails.
The threat actor then registered a new domain that looked very similar to the original company’s domain, becoming “the man in the middle”.
Let’s say the company was called “Harry John Acme Ltd” (not a real firm) and their domain name was harryjohnacme.ie. The threat actors registered harryjohnacme.com and this was then used to communicate with the company’s clients and perpetuate the scam, which effectively removed the firm from any follow up conversations.
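The lookalike domain in this story (harryjohnacme.ie versus harryjohnacme.com) is the kind of thing a mail gateway or SOC can flag automatically. The following is an added example, not code from the original article or from Radius: it takes a constructed list of trusted partner domains and a few constructed "From:" header lines, and reports senders whose domain is a near-match to a trusted one (same name with a swapped TLD, a hyphen or digit-for-letter variant, or a very similar spelling). The trusted domains, sample headers and similarity threshold are all assumptions for the demonstration.

```python
import re
from difflib import SequenceMatcher

# Constructed list of partner domains the business normally deals with (hypothetical).
TRUSTED_DOMAINS = {"harryjohnacme.ie", "example-supplier.ie"}

# Digit/letter substitutions commonly seen in lookalike registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Similarity ratio above which two registrable labels are treated as a near-match (assumed).
SIMILARITY_THRESHOLD = 0.85


def split_domain(domain):
    """Return (registrable label, TLD) for a domain such as 'mail.harryjohnacme.ie'.
    Assumes a single-label TLD; multi-part suffixes like .co.uk are not handled here."""
    parts = domain.lower().strip().split(".")
    if len(parts) < 2:
        return domain.lower(), ""
    return parts[-2], parts[-1]


def normalise(label):
    """Undo common homoglyph tricks and drop hyphens so variants compare equal."""
    out = label
    for bad, good in HOMOGLYPHS.items():
        out = out.replace(bad, good)
    return out.replace("-", "")


def classify_sender_domain(sender_domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    sender_domain = sender_domain.lower()
    if sender_domain in trusted:
        return "trusted"
    s_label, s_tld = split_domain(sender_domain)
    for t in trusted:
        t_label, t_tld = split_domain(t)
        if s_label == t_label and s_tld != t_tld:
            return "lookalike"  # same name, different TLD: the .ie -> .com case
        if normalise(s_label) == normalise(t_label):
            return "lookalike"  # homoglyph or hyphen variant of a trusted name
        if SequenceMatcher(None, s_label, t_label).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"  # one or two characters away from a trusted name
    return "unknown"


def extract_sender_domain(header_value):
    """Pull the domain out of a 'From:' header line; empty string if none found."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    return m.group(1).lower() if m else ""


# Constructed sample headers for the demonstration (not taken from the article).
SAMPLE_FROM_HEADERS = [
    "From: Accounts <accounts@harryjohnacme.ie>",
    "From: Accounts <accounts@harryjohnacme.com>",
    "From: Accounts <accounts@harryj0hnacme.ie>",
    "From: Newsletter <news@unrelatedco.ie>",
]


def flag_lookalikes(headers, trusted=TRUSTED_DOMAINS):
    """Return [(domain, verdict)] for every header whose sender domain is a lookalike."""
    flagged = []
    for header in headers:
        domain = extract_sender_domain(header)
        verdict = classify_sender_domain(domain, trusted)
        if verdict == "lookalike":
            flagged.append((domain, verdict))
    return flagged


if __name__ == "__main__":
    for domain, verdict in flag_lookalikes(SAMPLE_FROM_HEADERS):
        print(f"{verdict}: {domain}")
```

A hit from this check is a reason to hold the message and verify with the partner by a known phone number, not proof of fraud on its own; a genuine partner may well own both the .ie and .com variants. Subdomains are handled by comparing only the registrable label, so mail.harryjohnacme.com is flagged the same way as harryjohnacme.com.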
Nearing the payment date, the threat actors registered a Dublin phone number. They then informed the target, via email, of their bank account details and of an enhanced security process, in which the last four digits of the bank account number had been redacted. In this email the threat actors also provided a secure PIN code to be used by the client to validate a secure login (giving the impression that the process was legitimate and very secure).
When the client called the phone number, they got an automated response: “welcome to Harry John Acme Ltd, please input your security PIN code”. When the client input the PIN, an automated message then gave them the last four digits of the bank account, in order to complete the transfer.
The clients then transferred the funds to the bogus bank account, which was later closed once the funds were received.
- Emails go into quarantine for a reason (some benign, mostly not), be extra vigilant when releasing
- DO NOT click on links contained in emails
- DO NOT enter your credentials into websites if you have followed a link
- If a file is shared with you and is password protected it will NEVER be your Microsoft (or other provider) security credentials and MFA code
- Trust no one – implement a zero-trust policy – call the sender if unsure
- REMEMBER – the other party may have been hacked – call the sender and verify
- DO NOT use contact phone numbers in suspect emails – use a known number (e.g., mobile, a number already on file or in your CRM system or from their website)
- Threat actors are now using a combination of voice and email in more complex targeted attacks; VoIP telephone numbers can be created and deleted in seconds and are untraceable
- If you have followed a (supposedly) legitimate link and it's not what you expected – DO NOT ignore it. Call your IT support company immediately; you could have unknowingly opened access to your email system
- Make sure all your staff are kept informed and reminded of the need to be vigilant – implement policies to this effect
Threat actors are looking to access your information for commercial gain. This is now a very profitable business model and will continue to grow and evolve on a daily and weekly basis.
EvilProxy is now available on the dark web as a service on a monthly subscription model, for any criminals to purchase. As new hacking tools get developed, they are increasingly being offered for sale on the dark web, making their route to market faster, less technically challenging, and more widely available.
For more information please see:
At Radius, we have a vast knowledge of phishing and the threat it poses to businesses, and our team is monitoring this latest threat very closely.
If you think your organisation is at risk of falling foul to EvilProxy or would like to know more about it, contact our team today.