UPDATED 12:02 EDT / AUGUST 09 2023

The rise of EvilProxy phishing malware

EvilProxy is once again on the rise.

The malware is one of the more popular phishing kits used to bypass multifactor authentication by stealing credentials. A new report by Proofpoint Inc. today illustrates its renewed rise in popularity and its focus on compromising the Microsoft 365 accounts of C-level executives at major corporations. These kits are favored by criminals because they don’t require much in the way of skill or programming prowess, and because they get results.

From March through June, Proofpoint researchers saw a surge in EvilProxy-related phishing campaigns, with more than 120,000 phishing emails sent, according to the company’s own customer telemetry. These emails make use of brand impersonation, leveraging third-party services such as DocuSign, Concur Solutions CRM and various Adobe Inc. products to trick users into clicking on the malware-laced links.

The campaigns incorporate a series of obfuscation techniques, such as encoding parts of the message and avoiding overt signs of VPN usage. They also use a multistep chain to deliver the malware, which the report illustrates in a diagram.

But the attackers made a significant typo in how they specified their complex redirection URLs, using “hhttps” instead of “https.” This made tracking their crafted phishing lures easier. The report mentions another tell that could indicate the attackers are based in Turkey or were deliberately avoiding Turkish targets.
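As an added defender-side illustration (not code from the report or this article), here is a Python scanner that flags the two tells described above in email text: the malformed “hhttps” scheme, and a redirection link whose query carries an encoded destination URL. The sample messages and hostnames are constructed placeholders, not indicators from the report.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Matches http(s) URLs, including schemes with extra leading "h" characters
# such as the "hhttps" typo the report observed in EvilProxy redirect links.
URL_RE = re.compile(r"\b(h{1,3}ttps?)://[^\s<>\"')]+", re.IGNORECASE)


def decode_embedded_url(value: str) -> Optional[str]:
    """Return a URL hidden in a query value (URL-encoded or base64), else None."""
    plain = unquote(value)
    if re.match(r"https?://", plain, re.IGNORECASE):
        return plain
    padded = plain + "=" * (-len(plain) % 4)  # restore stripped base64 padding
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if re.match(r"https?://", decoded, re.IGNORECASE) else None


def analyze_url(url: str) -> Dict[str, object]:
    """Flag a non-standard scheme and any embedded redirect target."""
    parts = urlparse(url)
    embedded = None
    for values in parse_qs(parts.query).values():
        for value in values:
            embedded = embedded or decode_embedded_url(value)
    return {
        "url": url,
        "malformed_scheme": parts.scheme.lower() not in ("http", "https"),
        "embedded_url": embedded,
    }


def find_suspicious_urls(body: str) -> List[Dict[str, object]]:
    """Return analysis for every URL in an email body that trips a tell."""
    hits = []
    for match in URL_RE.finditer(body):
        info = analyze_url(match.group(0))
        if info["malformed_scheme"] or info["embedded_url"]:
            hits.append(info)
    return hits


# Constructed sample messages; hostnames are placeholders, not real IoCs.
_TARGET_B64 = base64.urlsafe_b64encode(b"https://login.example.test/?id=42").decode()
SAMPLE_EMAILS = [
    f"Please review the document: hhttps://redirect.example.test/go?u={_TARGET_B64}",
    "Your expense report is ready: https://concur.example.test/report/123",
    "Sign here: https://track.example.test/click?url=https%3A%2F%2Fportal.example.test%2Fauth",
]

if __name__ == "__main__":
    for body in SAMPLE_EMAILS:
        for hit in find_suspicious_urls(body):
            print(hit)
```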

“Even MFA is not a silver bullet against sophisticated threats and could be bypassed by various forms of combined email-to-cloud attacks,” the report said. “The attackers have been known to study their target organizations’ culture, hierarchy, and processes, to prepare their attacks and improve success rates.”

One solution is to adopt hardware-based security keys, such as those from Yubico AB, to protect accounts, something that Discord has recently done for all of its employees. Discord’s write-up of that deployment has lots of interesting details about how hard this was, why it chose this route after previously using less capable MFA methods, and how the deployment team won over various objections.
