Use of EvilProxy Phishing Kit to Attack Executives

Increasingly, cybercriminals are exploiting a phishing toolkit named EvilProxy for account takeover attacks, especially targeting high-level executives in large companies. Proofpoint reports that from March to June 2023, a campaign using EvilProxy targeted thousands of Microsoft 365 accounts, sending around 120,000 phishing emails to various organizations. Remarkably, 39% of compromised accounts belonged to C-level executives, with CEOs and CFOs being significant targets. These attacks often focus on individuals with access to financial or sensitive information.

EvilProxy, first identified by Resecurity in September 2022, is known for its capability to breach accounts across multiple platforms, including Apple iCloud, Google, Microsoft, and social media sites. Available on a subscription basis, it costs about $400 to $600 monthly, with higher prices for targeting specific platforms like Google.

These Phishing-as-a-Service (PhaaS) toolkits represent an evolution in cybercrime, enabling less technically skilled criminals to execute sophisticated phishing schemes easily. These kits offer features like bot and proxy detection, making them more effective and accessible.

The recent attack wave begins with phishing emails disguised as messages from trusted services, leading victims to fake login pages that capture their credentials. Interestingly, the campaign avoids targeting users from Turkish IP addresses, possibly indicating the attackers’ origin.

Successful account takeovers lead to further exploitation, like adding new MFA methods for sustained access, conducting financial fraud, stealing data, or selling the accounts. Even with MFA, these sophisticated attacks pose a significant threat.
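One defensive check that follows from the persistence step described above is to correlate new MFA-method registrations with the sign-ins that preceded them. The following is an added example, not code from the original article or from any vendor named in it; the event records are constructed, and their field names (`type`, `ip`, `method`) are an assumed normalized schema rather than a real log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data). Field names are an
# assumption for this example, not a vendor log schema.
EVENTS = [
    {"time": "2023-05-02T09:00:00", "user": "cfo@example.com", "type": "signin", "ip": "203.0.113.10"},
    {"time": "2023-05-02T09:05:00", "user": "cfo@example.com", "type": "signin", "ip": "203.0.113.10"},
    {"time": "2023-05-03T14:12:00", "user": "cfo@example.com", "type": "signin", "ip": "198.51.100.77"},
    {"time": "2023-05-03T14:15:00", "user": "cfo@example.com", "type": "mfa_registered",
     "ip": "198.51.100.77", "method": "Authenticator app"},
    {"time": "2023-05-01T10:00:00", "user": "dev@example.com", "type": "signin", "ip": "203.0.113.22"},
    {"time": "2023-05-03T10:00:00", "user": "dev@example.com", "type": "signin", "ip": "203.0.113.22"},
    {"time": "2023-05-03T10:30:00", "user": "dev@example.com", "type": "mfa_registered",
     "ip": "203.0.113.22", "method": "Phone"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def flag_suspicious_mfa_enrollments(events, baseline_days=14, window_minutes=60):
    """Flag MFA-method registrations that follow a sign-in from an IP the user
    had not used during the baseline period. A new MFA method registered right
    after a sign-in from an unfamiliar address is the pattern an attacker
    creates when adding persistence to a taken-over account.
    Returns a list of (user, method, ip, time) tuples."""
    events = sorted(events, key=lambda e: parse(e["time"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "mfa_registered":
            continue
        t = parse(ev["time"])
        window_start = t - timedelta(minutes=window_minutes)
        baseline_start = t - timedelta(days=baseline_days)
        prior = [e for e in events[:i] if e["user"] == ev["user"] and e["type"] == "signin"]
        # IPs the user signed in from during the baseline, before the window opened.
        known = {e["ip"] for e in prior if baseline_start <= parse(e["time"]) < window_start}
        # Sign-ins inside the window immediately preceding the registration.
        recent = [e for e in prior if window_start <= parse(e["time"]) <= t]
        # A user with no baseline at all is flagged too; that case needs a human look.
        if any(e["ip"] not in known for e in recent):
            findings.append((ev["user"], ev["method"], ev["ip"], ev["time"]))
    return findings
```

In the sample data only the CFO's enrollment is flagged: it follows a sign-in from an address absent from that account's two-week history, while the developer's enrollment comes from an already-known address.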

Parallel to this, Imperva uncovered a Russian-based phishing campaign targeting credit card and bank information via WhatsApp since May 2022. This scam involves creating fake websites mimicking legitimate ones across various languages and industries.

Another tactic, as eSentire notes, involves targeting marketing professionals on LinkedIn to distribute HawkEyes, a .NET-based malware loader, which then deploys Ducktail, a malware focused on hijacking Facebook Business accounts. The attackers manipulate these accounts for unauthorized access and potential exploitation.