EvilProxy Phishing Attack Strikes Indeed

Ravisankar Ramprasad
October 1, 2023

Executive Summary

Menlo Labs recently identified a phishing campaign targeting executives in senior level roles across various industries, but primarily Banking and Financial services, Insurance providers, Property Management and Real Estate, and Manufacturing.

The key findings based on our research of the phishing campaign are as follows:

  • The campaign started in July and has continued into the month of August.
  • The campaign used a sophisticated phishing kit called ‘EvilProxy’, which acts as a reverse proxy intercepting the requests between the client and the legitimate site.
  • ‘EvilProxy’ possesses the ability to harvest session cookies, thereby bypassing non-phishing-resistant MFA.
  • The campaign was seen primarily targeting US based organizations.
  • The threat actors leveraged an open redirection vulnerability on the job search platform “indeed.com”, redirecting victims to malicious phishing pages impersonating Microsoft.

This is a classic example of an AiTM (Adversary in the Middle) phishing attack: by harvesting session cookies, the threat actors are able to bypass MFA protections.

Threat Intelligence

In July 2023, Menlo Security HEAT Shield detected and blocked a novel phishing attack that involved an open redirection in the ‘indeed.com’ website redirecting victims to a phishing page impersonating Microsoft. This makes an unsuspecting victim believe the redirection came from a trusted source such as ‘indeed.com’.

Illustration 1: Sample of the phishing mail

The threat actors were found to deploy the phishing pages using the phishing-as-a-service platform named ‘EvilProxy’. The service is advertised and sold on the dark web as a subscription-based offering with the plan validity ranging between 10 days, 20 days, and 31 days. One of the actors, known by the handle ‘John_Malkovich’, plays the role of an administrator and intermediary assisting customers who have purchased the service.

The campaign targeted C-suite employees and other key executives across organizations based in the United States across various sectors.

The chart below depicts the various sectors targeted by the campaign.

Illustration 2: Distribution of the verticals targeted (pie chart; the most common verticals are manufacturing, property management and real estate, banking, and insurance)

This data was collated with the help of intelligence gathered through URLScan, Phishtank, and VirusTotal feeds.

Infection Vector

The infection vector was a phishing email delivered with a link deceptively crafted so that it appears to come from a trusted source, in this case ‘indeed.com’. Upon clicking the link, the victim is redirected to a fake Microsoft Online login page.

Attack Kill Chain

The depiction of the attack kill chain with the step-by-step breakdown is shown below.

Illustration 3: Attack chain representation
  • Victim receives the phishing mail containing the Indeed link.
  • The unsuspecting victim clicks on the indeed link inside the mail which redirects the victim to the fake Microsoft login page.
  • This phishing page is deployed with the help of the EvilProxy phishing framework fetching all the content dynamically from the legitimate login site.
  • The phishing site acts as a reverse proxy, proxying the request to the actual website.
  • The attacker intercepts the legitimate server’s requests and responses.
  • The attacker is able to steal the session cookies.
  • The stolen cookies can then be used to log in to the legitimate Microsoft Online site, impersonating the victims and bypassing non-phishing-resistant MFA.

Technical Details

What is an open redirection vulnerability?

Open redirection happens when an application (by design or unintentionally) redirects the client to an untrusted external domain. This flaw can be used to abuse the trust placed in the redirecting source and ultimately send the victim to a phishing site or to a compromised site serving malware.

In this specific attack, the user clicks on a URL believing that they are being directed to indeed.com or one of its subdomains. The subdomain ‘t.indeed.com’ is supplied with parameters that redirect the client to another target (example.com), as shown in the example below. The parameters in the URL that follow the “?” are a combination of parameters unique to indeed.com and the target parameter, whose argument is the destination URL. Hence the user, upon clicking the URL, ends up being redirected to example.com. In an actual attack, the user would be redirected to a phishing page.

The HTTP request and response headers show the redirection chain caused by the vulnerability.

Illustration 4: Explaining open redirection with youtube.com as the target URL, as an example
Illustration 5: Screenshot of the phishing page
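Two checks that follow from the open-redirect description above, as added example code (not from the post, Menlo, or Indeed): a mail-side triage function that flags query values carrying an absolute URL to a host outside a trusted set, and the server-side allowlist check that fixes the underlying flaw. The parameter name `target`, the allowlist and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed allowlist for the example; a real deployment loads its own.
TRUSTED_HOSTS = {"indeed.com", "login.microsoftonline.com"}

def _host_trusted(host, trusted):
    """Exact match or subdomain of an allowlisted host."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)

def embedded_redirect_targets(url, trusted=TRUSTED_HOSTS):
    """Mail-side triage: return (param, host) for each query value that is an
    absolute http(s) URL to a host outside the trusted set, i.e. where a link
    on a trusted domain will actually bounce the reader to."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname:
            if not _host_trusted(inner.hostname, trusted):
                hits.append((key, inner.hostname))
    return hits

def safe_redirect(dest, trusted=TRUSTED_HOSTS, fallback="/"):
    """Server-side fix for the flaw: honour a redirect only to a same-site
    relative path or an allowlisted host; anything else goes to fallback."""
    parts = urlsplit(dest)
    # a relative path, but not '//host' or '/\host', which browsers treat as protocol-relative
    if not parts.scheme and not parts.netloc and dest.startswith("/") and dest[1:2] not in ("/", "\\"):
        return dest
    if parts.scheme in ("http", "https") and parts.hostname and _host_trusted(parts.hostname, trusted):
        return dest
    return fallback

# Constructed links modelled on the pattern described above; the parameter name 'target' is assumed.
PHISH_STYLE_LINK = "https://t.indeed.com/?tk=abc123&target=https://example.com/login"
BENIGN_LINK = "https://t.indeed.com/?tk=abc123&target=https://www.indeed.com/jobs"
```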

The threat actors employed the EvilProxy phishing kit, which acts as a reverse proxy and performs an adversary-in-the-middle attack: by stealing the user’s session cookies it circumvents two-factor authentication and successfully bypasses MFA.

Attacker Infrastructure

The phishing redirection chain consists of 3 parts:

  • The Phishing Link received by victim
  • The Redirector URL
  • The Phishing Page

The diagram below shows the redirection chain in this specific attack.

Illustration 6: Phishing redirection chain (302 redirects)

Phishing Page Technical Description

The phishing pages were observed to use the subdomain prefix ‘lmo.’ and specifically impersonated the Microsoft Online login page. The phishing pages were found to be hosted on nginx servers capable of acting as a reverse proxy. The reverse proxy fetches all the content that can be dynamically generated, such as the login pages, and then acts as the adversary in the middle by intercepting the requests and responses between the victim and the legitimate site. This is how the session cookies are harvested, and the tactic can be attributed to the use of the EvilProxy phishing kit.

EvilProxy Attribution

Artifacts observed which can be attributed to EvilProxy usage:

  • From Shodan and URLScan, these domains can be found to be hosted on Nginx servers.
  • The phishing pages hosted resources containing common URI paths, listed below, which can be used to identify them.
    1) /ests/2.1/content/
    2) /shared/1.0/content/
    3) /officehub/bundles/
  • The phishing kit makes use of Microsoft’s Ajax CDN to help with dynamic fetching and rendering of JavaScript content. Hunting for these specific strings in the URI paths, we can observe them in IDS signatures built to detect EvilProxy URI content.
  • One of the POST requests observed contains the victim’s email address (Base64 encoded in some cases) and a session identifier. This is also a unique artifact seen with EvilProxy phishing kit usage. The IDS rule match for the same is shown below.
  • Example of POST request: https://lmo[.]bartmfil[.]com/?c29tZW9uZUBzb21lb25lLm9yZw==&session=e6ec0fe49fbfb31608198b22eaa2d00fe6ec0fe49fbfb31608198b22eaa2d00f&sso_reload=true
POST request (screenshot)
IP addresses with a 407 Proxy Authentication Required client error status code (screenshot)
  • Another way is to look for sites returning a 444 status code, which is a standard Nginx server response, and for sites with an Nginx server running in the backend and subdomains like lmo., auth., live., login-live., mso.*
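A hunting check built from the artifacts listed above, as added example code (not part of the post or of any Menlo product): it scores a request URL against the lookalike subdomain prefixes, the Microsoft login resource paths, the bare Base64 e-mail query key and the hex session value, and skips hosts that legitimately serve those paths. The legitimate-host allowlist, the `phish-example.test` hosts and the log lines are constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Artifacts the post associates with EvilProxy pages: lookalike subdomain prefixes, Microsoft
# login resource paths on a non-Microsoft host, a bare base64 e-mail query key, a long hex 'session'.
SUSPECT_SUBDOMAINS = ("lmo.", "auth.", "live.", "login-live.", "mso.")
MS_RESOURCE_PATHS = ("/ests/2.1/content/", "/shared/1.0/content/", "/officehub/bundles/")
LEGIT_HOSTS = ("microsoftonline.com", "microsoft.com", "live.com", "office.com")  # constructed allowlist
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
SESSION_RE = re.compile(r"[0-9a-f]{32,}")

def _b64_email(token):
    """True if token is valid base64 that decodes to text containing '@'."""
    if not B64_RE.fullmatch(token) or len(token) % 4:
        return False
    try:
        return "@" in base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False

def evilproxy_indicators(url):
    """Return the artifact names matched by one request URL (empty if none)."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if not host or any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS):
        return []  # the real service serves these paths too; flag lookalikes only
    found = []
    if host.startswith(SUSPECT_SUBDOMAINS):
        found.append("lookalike-subdomain")
    if p.path.startswith(MS_RESOURCE_PATHS):
        found.append("ms-login-resource-path")
    # the e-mail token carries no '=' separator, so inspect raw '&'-split parts
    if any(_b64_email(part) for part in p.query.split("&") if part):
        found.append("b64-email-in-query")
    if any(k == "session" and SESSION_RE.fullmatch(v) for k, v in parse_qsl(p.query)):
        found.append("session-id-in-query")
    return found

def scan_log(lines):
    """Run the check over '<time> <method> <url>' lines; return (url, artifacts) hits."""
    urls = [line.split()[-1] for line in lines]
    return [(u, evilproxy_indicators(u)) for u in urls if evilproxy_indicators(u)]
# Constructed sample traffic (not real telemetry); the third line mirrors the POST above.
SAMPLE_LOG = [
    "12:00:01 GET https://auth.phish-example.test/officehub/bundles/app.js",
    "12:00:02 GET https://login.microsoftonline.com/shared/1.0/content/x.js",
    "12:00:03 POST https://lmo.phish-example.test/?c29tZW9uZUBzb21lb25lLm9yZw==&session="
    "e6ec0fe49fbfb31608198b22eaa2d00fe6ec0fe49fbfb31608198b22eaa2d00f&sso_reload=true",
]
```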

Menlo Protection

Menlo observed this campaign at one of our customers and was able to eliminate this threat by virtue of our HEAT Shield. HEAT Shield detected and prevented this phishing attempt on the fly through its real-time analysis feature. HEAT Shield successfully detected the phishing site by leveraging AI-based detection models to analyze the rendered web page well before URL reputation services and other security vendors flagged this page as malicious. HEAT Shield also generates Zero Hour Phishing Detection alerts in the process, which give SOC analysts greater visibility by providing context on the threat and enriched data to support their research.

HEAT Shield protects users from credential harvesting and account compromise by cutting off the attack vector from the initial access stage (MITRE ATT&CK framework) and redefines the way security is implemented by enforcing a proactive approach to deal with such highly evasive threats. This rapidly evolving threat landscape makes it imperative for us to stay one step ahead and invest in Zero trust by design.

Conclusion

In light of the intelligence gathered and analysis performed from various sources, we can state with confidence that the threat actors have been using the ‘EvilProxy’ phishing kit and specifically exploiting the open redirection vulnerability in the ‘indeed.com’ application to impersonate the Microsoft Online page for credential phishing and account compromise.

Account compromise only forms the preliminary stage of an attack chain that could end in a Business Email Compromise, where the potential impact ranges from identity theft and intellectual property theft to massive financial losses.

There is a high probability that we will see a surge in the usage of ‘EvilProxy’. First, it is easy to use, with a simple interface and tutorials and documentation readily available on the dark web. Second, the ability to circumvent MFA makes it a powerful tool in the arsenal of cybercriminals.

Recommendations

  1. Educate users through awareness sessions and training.
  2. Use phishing-resistant MFA, such as FIDO-based authentication with hardware keys like YubiKeys.
  3. Verify that target URLs are as legitimate as the source instead of assuming they are safe.
  4. Use session isolation solutions like HEAT Shield that protect users from zero-hour phishing attacks in real time.

Responsible Disclosure

Menlo Labs has reached out to Indeed.com informing them of the existence of the open redirect vulnerability and its active exploitation in the wild. They have been informed about the criticality and severity of the threat it poses.

IOCS

Domains


IPs

