Threat actors are exploiting the open redirection vulnerability on Indeed.com to launch EvilProxy phishing attacks against high-ranking executives.
The cybersecurity researchers at Menlo Labs have uncovered a sophisticated phishing campaign in which cybercriminals are using the infamous EvilProxy phishing kit by exploiting an open redirection vulnerability in the job site Indeed.com.
The campaign specifically targets high-ranking executives across various industries, with a notable focus on Banking and Financial Services, Insurance providers, Property Management and Real Estate, and Manufacturing.
This disclosure comes after rigorous research by Menlo Labs, and the key findings from this investigation are both intriguing and concerning:
- Campaign Timeline: The phishing campaign was initiated in July 2023, and has persisted into August, demonstrating a sustained effort by the threat actors.
- EvilProxy Phishing Kit: The attackers harnessed a highly advanced phishing kit known as ‘EvilProxy.’ This kit operates as a reverse proxy, intercepting communication between the user and the genuine website. Notably, EvilProxy possesses the capability to harvest session cookies, effectively bypassing multi-factor authentication (MFA) defences.
- Primarily US-based Targets: The campaign predominantly targeted organizations based in the United States, raising questions about its origin and motivation.
- Open Redirection Vulnerability: To initiate their phishing scheme, threat actors exploited an open redirection vulnerability present on the popular job search platform “indeed.com.” Victims were redirected from this trusted platform to malicious phishing pages impersonating Microsoft.
This phishing campaign is emblematic of an “Adversary In The Middle” (AiTM) phishing attack, which hinges on stealing session cookies to circumvent MFA protections.
In July 2023, Menlo Security’s HEAT Shield detected and thwarted an innovative phishing attack. This attack employed an open redirection within the ‘indeed.com’ website, ultimately redirecting victims to a deceptive Microsoft login page. This redirection cleverly disguises the attack as originating from a reputable source, ‘indeed.com.’
The threat actors leveraged ‘EvilProxy,’ a phishing-as-a-service platform available on the dark web, offered as a subscription-based service with plan durations ranging from 10 to 31 days. ‘John_Malkovich,’ a threat actor within this scheme, served as an administrator and intermediary for customers who purchased this nefarious service.
The campaign homed in on C-suite employees and key executives across various sectors, as illustrated in the chart below. This data was collected from intelligence gathered through URLScan, Phishtank, and VirusTotal feeds.
The phishing emails delivered a deceptive link that appeared to originate from ‘indeed.com,’ fooling victims into clicking. Once clicked, the link led to a counterfeit Microsoft Online login page.
According to the Menlo Labs report, here’s a step-by-step breakdown of the attack chain:
- The victim receives a phishing email containing the seemingly legitimate Indeed link.
- The unsuspecting victim clicks the Indeed link, which redirects them to the fake Microsoft login page.
- The phishing page, deployed via the EvilProxy phishing framework, dynamically fetches content from the legitimate login site.
- The phishing site acts as a reverse proxy, intercepting requests to the genuine website.
- The attacker seizes the legitimate server’s requests and responses, thereby capturing session cookies.
- The stolen cookies grant access to the legitimate Microsoft Online site, enabling attackers to impersonate victims and bypass non-phishing-resistant MFA.
This attack relied on an open redirection vulnerability, wherein an application unintentionally redirects users to an untrusted external domain. In this case, users believed they were redirected to ‘indeed.com’ or its subdomains, but the subdomain ‘t.indeed.com’ was furnished with parameters to redirect them elsewhere, ultimately leading to a phishing page.
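To make the flaw concrete from the defender's side, here is an added example (not code from the Menlo report, Indeed, or EvilProxy) that places the open-redirect pattern beside a hardened redirect handler. The trusted domain `example.com`, the helper names, and the test inputs are all constructed for illustration; the hardened version resolves the requested target against the site and only honours it when it lands on a trusted host, covering the protocol-relative, backslash, extra-slash, userinfo and lookalike-domain forms that commonly slip past naive checks.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed placeholders: the site's own domain and its fallback landing page.
TRUSTED_DOMAIN = "example.com"
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(param: str) -> str:
    """The open-redirect pattern: whatever arrives in the query parameter
    becomes the Location header, so a link on a trusted site can send the
    user anywhere."""
    return param


def host_is_trusted(host: str) -> bool:
    """True only for the trusted domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def safe_redirect_target(param: str, base: str = "https://example.com/") -> str:
    """Hardened version: return the requested target only if it resolves to a
    trusted host; otherwise fall back to the site's own landing page."""
    if not param:
        return DEFAULT_TARGET
    # Browsers strip tab/CR/LF from URLs and treat backslashes as slashes, so
    # normalise the same way before judging the target.
    candidate = "".join(ch for ch in param.strip() if ch not in "\t\r\n")
    candidate = candidate.replace("\\", "/")
    # Browsers collapse a run of leading slashes into a network-path reference
    # ("///evil.test" goes to evil.test), so collapse it here too.
    candidate = re.sub(r"^/{2,}", "//", candidate)
    # Resolve relative to the site so "/jobs" and "//evil.test/x" are both
    # judged by the host they actually land on.
    resolved = urljoin(base, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    # urlsplit().hostname discards userinfo and port, so
    # "https://example.com@evil.test/" is judged by "evil.test".
    if not host_is_trusted(parts.hostname or ""):
        return DEFAULT_TARGET
    return resolved
```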
The attackers effectively employed the EvilProxy phishing kit, executing an “Adversary In The Middle” attack by pilfering user session cookies to successfully evade MFA.
The phishing pages, identified by the subdomain ‘lmo.,’ impersonated the Microsoft Online login page. These pages were hosted on nginx servers, capable of acting as reverse proxies, dynamically fetching content and intercepting requests and responses between the victim and the genuine site. This method facilitated session cookie theft and is attributed to the usage of the EvilProxy Phishing kit.
Artefacts pointing to EvilProxy usage include domains hosted on Nginx servers, phishing pages containing common URI paths, and the use of Microsoft’s Ajax CDN for dynamic content rendering.
In response to the findings, Roger Grimes, data-driven defence evangelist at KnowBe4, advised users to use common sense as the first defence mechanism against such attacks. “Open redirects are among the most tricky tricks that social engineering hackers can deploy. We tell our end-users to always hover over a URL and to make sure it goes to a legitimate domain before clicking on it. But with these types of open-redirects, the originating URL DOES point to a legitimate URL,” Grimes said.
“Technically, the only defence is for every website and service to make sure they aren’t implementing a “feature” that allows malicious redirects. Education-wise, you must tell users that not only must they inspect URLs before they click them, but to re-examine the URL after they click them to see where they ended up. With a malicious open redirect, the final destination will not be a legitimate one. So, in short, all users must check all URLs before clicking on them AND AFTER clicking on them. It’s not enough just to examine before clicking,” Grimes emphasized.
Indeed.com was informed about the vulnerability; however, it is unclear whether the company has patched it or not.
In light of the gathered intelligence and analysis, it’s evident that threat actors deployed the ‘EvilProxy’ phishing kit, exploiting an open redirection vulnerability in ‘indeed.com’ to impersonate the Microsoft Online page for credential phishing and account compromise.
This attack is just the initial phase of a broader attack chain that could lead to severe consequences, including identity theft, intellectual property theft, and substantial financial losses.
There is a looming possibility of increased ‘EvilProxy’ usage, given its user-friendly interface and the ability to bypass MFA, making it an attractive choice for cybercriminals.