A reverse-proxy style phishing-as-a-service platform entitled EvilProxy has recently emerged, pledging the capability to steal authentication tokens that can get past multi-factor authentication on Apple, Facebook, Google, Microsoft, GitHub, Twitter and GoDaddy. The new service empowers low-skill level threat actors who cannot create reverse proxies with the ability to take over online accounts with extended protection of MFA.

Understanding how reverse proxy’s work

Reverse proxies are types of servers positioned between a targeted victim and a certified authentication endpoint, such as a firm’s login form. After the user connects to the phishing page, the malicious server displays the authentic login for, forwards requests and provides responses from the firm’s website.

If the target enters their password, username and MFA into the bogus page, they are then forwarded to the legitimate platform’s server. The victim is then logged in and a dedicated session cookie gets returned.

Unfortunately, as the threat operator’s proxy is positioned in the middle, the server can steal the session cookie that contains the authentication token. The attackers can then use the MFA code to log in to an official site as the real user, penetrating past the multi-factor authentication protection measures.

Advanced Persistent Threat (APT) groups have a long history of using reverse proxies to bypass MFA measures on victim accounts, some employing their own bespoke tools while others utilise ready-to-deploy kits such as Necrobrowser, Modlishka and the infamous Evilginx2.

The main difference between these well-known phishing frameworks and the recent EvilProxy platform is that this latest threat is far easier to deploy, ships with detailed video tutorials and possesses a user-friendly interface. It also comes equipped with an extensive range of cloned phishing pages designed for commonly used internet services.

EvilProxy in focus

Cybersecurity experts at Resecurity report that EvilProxy provides an easy-to-use Graphic User Interface (GUI) that enables unskilled threat actors to establish and manage phishing campaigns, plus all the important details that underpin them.

The dedicated cybercriminal service promises to criminally collect passwords, usernames and session cookies for prices as low as $150 for 10 days, or $250 for a 20-day period, while a month-long campaign is charged at $400. Phishing attacks aimed at Google user accounts come at a higher premium, however.

Although the malicious service is now being promoted actively on various dark web and clearnet hacking forums, the threat operators behind EvilProxy vet their clients. As a result, it is likely that some prospective buyers are rejected.

Researchers at Resecurity have identified that payment for the cybercriminal service is arranged individually via Telegram. After a deposit has been made, the phishing actor is granted access to the portal that is hosted on the onion network.

While testing the platform, the team at Resecurity were able to confirm that EvilProxy is also offering VM, anti-bot and anti-analysis protection designed to filter out unwanted or invalid visitors on phishing sites that are being hosted by their platform. These measures are designed to avoid investigation and disruption from the authorities, but proved unsuccessful in stopping Resecurity.