New Phishing Service Able to Bypass Two-Factor Authentication

We reported a couple weeks ago that scammers were now able to circumvent 2-factor authentication (2FA). There is now a SaaS service that makes it even easier. The so-called EvilProxy phishing service is being offered on scammer boards, and claims to defeat 2FA for some leading services.

Those services include Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex.

The system works by generating cloned pages for the above services to collect logins and registrations from users.

"EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA authentication – proxifying victim's session," Resecurity researchers said.

This is another AiTM (adversary-in-the-middle) attack we are beginning to see so much of.

EvilProxy Phishing Service

Evilproxy is being made available as a SaaS, with a subscription of around $400 per month. Prices apparently increase depending on the platform being targeted, with Apple and Google attacks costing around $600 per month.

There is apparently some vetting that goes on to check people wanting to use the service, but it is otherwise open to anyone who can pay.

This isn’t great news for any of us as these services make it about as easy as it could possibly be to make life difficult for everyday users.

How Can You Stay Safe?

There is unfortunately not a lot you can do to avoid AiTM campaigns. As many platforms use obfuscated URLs, it’s sometimes impossible to check you’re on a legitimate site.

If platforms went back to using ‘www.facebook.com/cleartextaddresshere’ it would be a little easier. But often they don’t.

Otherwise, keeping every login unique, with a unique password can go a little way to protecting you.

If your account is compromised, at least it’s only one. If you use the same password across accounts, that could get real bad, real quick.