Although the pandemic has come to an end, the wave of cyber-attacks that reared up during lockdown has not receded. In 2024, cyberattacks grew by 50% over the course of the year.
According to Threat Post, cybersecurity firms are seeing cyberattacks hit record highs. One firm reported that some organizations face 925 attacks a week.
Beta News has also reported that cybercriminals are capable of breaching 93% of business networks. Despite the sophisticated tools that cybersecurity vendors make available, it seems as though cybercriminals are always one step ahead.
This was shown again recently by the emergence of EvilProxy, a phishing service designed to help cybercriminals bypass multi-factor authentication (MFA). What is more, EvilProxy is a phishing-as-a-service (PhaaS) toolkit that anybody can purchase on the dark web.
What is EvilProxy, and How Does it Work?
EvilProxy emerged through the dark web to provide cybercriminals with lethal tools for a monthly subscription of $400. The toolkit they offer enables hackers to execute “general attacks”.
Hackers who want to ramp up their game and pit themselves against the likes of Google and Microsoft can purchase tools to help for a mere $600. These sophisticated tools allow cybercriminals to access new networks and wreak damage.
This is bad news for SMEs, which may not recover from a cybersecurity attack. They may be facing the cost of fixing the problem and even paying off hackers if they are snagged by ransomware.
However, most businesses fail after a cybersecurity attack because of the legal obligation to report the data breach to the affected parties. Losing the trust of customers is more damaging than a cybercriminal. It is the regulation that kills you.
How to Identify EvilProxy
Fortunately, cybercrime can mostly be evaded if you know how to spot attacks. As this article shows, cybersecurity doesn’t have to be overly expensive if you train your staff on how to recognise threats.
EvilProxy is an extension of adversary-in-the-middle (AiTM) attacks. Users are tricked into connecting to a malicious proxy server. The cybercriminals carry out the deception by cloning the login pages of services such as Facebook or Google and hosting them on a very similar URL.
This means that the only way to adequately protect yourself against EvilProxy is to check very carefully that any page you enter your login credentials into has a URL identical to that of the service you are accessing.
Hackers cannot accurately fabricate URLs. It is the same story with emails. There is always a slight difference, but the difference is noticeable when you are looking for it.
The malicious proxy server set up by the hackers gathers the user's login credentials and authentication information in real time. When the user completes authentication, the proxy server effectively piggybacks on the user's authenticated session, allowing the cybercriminal to access the network without having to go through MFA themselves.
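As an added illustration of the URL check the paragraphs above call for (example code written for this page, not something from the article or from the EvilProxy toolkit), the helper below compares the host of a login page against the full host the user expects and reports why they differ: a look-alike spelling, the expected name appearing only as a subdomain label of some other domain, or plain HTTP. The `.example` host, the `paypa1` spelling and the Cyrillic spelling are constructed samples, and the confusables table is a deliberately small stand-in for real Unicode confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small table of characters that pass for ASCII letters
# in a hostname; a real deployment would use the Unicode confusables data.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def normalise_host(host: str) -> str:
    """Lower-case, drop a trailing dot and decode punycode so IDN hosts compare as Unicode."""
    host = host.rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode: compare as given

def skeleton(host: str) -> str:
    """Reduce a host to a rough ASCII skeleton so look-alike spellings collide."""
    text = unicodedata.normalize("NFKD", host)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for lookalike, plain in CONFUSABLES.items():
        text = text.replace(lookalike, plain)
    return text

def check_login_url(url: str, expected_host: str) -> list[str]:
    """Return the reasons this page should not receive credentials; [] means it matches."""
    parts = urlsplit(url)
    host = normalise_host(parts.hostname or "")
    expected = normalise_host(expected_host)
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if host == expected:
        return reasons
    if host.startswith(expected + "."):
        reasons.append(f"expected host is only a subdomain label of {host}")
    elif skeleton(host) == skeleton(expected):
        reasons.append(f"look-alike spelling of {expected}: {host}")
    else:
        reasons.append(f"host {host!r} differs from expected {expected!r}")
    return reasons

if __name__ == "__main__":
    cyrillic = "g\u043e\u043egle.com".encode("idna").decode("ascii")  # xn-- form
    for url, expected in [("https://accounts.google.com/signin", "accounts.google.com"),
                          ("https://accounts.google.com.sso-check.example/signin", "accounts.google.com"),
                          ("https://" + cyrillic + "/signin", "google.com"),
                          ("http://paypa1.com/login", "paypal.com")]:
        print(url, "->", check_login_url(url, expected) or "ok")
```

Pass the full login host you expect (for example `accounts.google.com`, not just `google.com`), since the article's advice is that the URL must be identical, not merely related.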
This is concerning because MFA is the go-to mechanism for confirming that the person logging on to a server has permission to do so. Having said that, MFA has never been 99% secure, but the latest development makes it even less secure.
The point of MFA was to confirm authentication via a specific device. Unless a device fell into the hands of a cybercriminal, they would not be able to access the network without the user's second device, together with biometric data or a secret answer.
Previously, cybercriminals have only been able to bypass MFA if they could break into the software provider's network and disable MFA for all users of the software. With EvilProxy, cybercriminals can now bypass MFA far more easily.
Who Can Access EvilProxy?
Currently, EvilProxy is only available to vetted cybercriminals. This means that it will not cause total chaos as only certain cybercriminals will have access to this sophisticated attack potential. And experienced cybercriminals will target large companies for big paydays.
However, this does not mean that facing a cybercriminal armed with EvilProxy is in any way unlikely. These tools always trickle down into the hands of regular cybercriminals who target small businesses on the basis that SMEs are easier targets.
The only reason the EvilProxy tools are not yet available to the broader cohort of hackers is that the providers are still working to expand the capabilities of their platform. Most worryingly, they are attempting to use their platform to facilitate supply chain attacks.
In a supply chain attack, a cybercriminal infiltrates a trusted software developer’s network. They then secretly implant malicious code into the application that is being developed. When the application is released to the public, users install the malicious code.
This means there is a potential for the perpetrators to lay a malicious trap whilst software is still in production or receiving an upgrade. Will any software be safe?
Could EvilProxy Redefine Cybercrime?
EvilProxy is already making waves in the cybersecurity press, even though there are no known attacks carried out using it. That raises the question: how do cybersecurity firms know about it?
So what should we expect? What you can guarantee is that EvilProxy will first be reported hitting a major company, to strike the fear of God into every other business. Cybercrime does exist, but who are the cybercriminals making these tools?
Whenever you read a report of a major firm being hit, you discover the attack came from a group that has connections to a government; China, Russia, the USA and Israel usually get the blame.
It is vitally important for every business to keep an eye on developments in the cybersecurity space. For the most part, the only way of knowing how to defend yourself against cybercrime is to know the latest technique. Anti-virus software won't help you against new attacks because it only catches known malicious code.
Another week, another cybersecurity attack. This is just the fear-mongering world we live in – and it appears the bad actors are the people who pretend to protect you.